Re: hald/hal-hotplug-map
- From: Russell Coker <russell coker com au>
- To: fedora-selinux-list redhat com, "SE-Linux" <selinux tycho nsa gov>
- Cc: Daniel J Walsh <dwalsh redhat com>, Tom London <selinux comcast net>
- Subject: Re: hald/hal-hotplug-map
- Date: Wed, 1 Sep 2004 16:17:50 +1000
On Mon, 30 Aug 2004 07:10, Tom London <selinux comcast net> wrote:
> Oops.... hald.fc should be
> # hald - hardware informationd daemon
> /usr/sbin/hald -- system_u:object_r:hald_exec_t
> /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
>
> Otherwise hal.dev and hal.hotplug get erroneously relabeled.
It's a difficult decision about whether to allow hald_t to execute bin_t or to
label the file as hald_exec_t. At this time I think that labelling it as
hald_exec_t is better as it prevents hald from executing many different
program files.
I've attached a little patch which implements this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--- /usr/src/se/policy/file_contexts/program/hald.fc 2004-08-18 22:42:50.000000000 +1000
+++ file_contexts/program/hald.fc 2004-09-01 12:48:28.000000000 +1000
@@ -1,2 +1,3 @@
# hald - hardware informationd daemon
/usr/sbin/hald -- system_u:object_r:hald_exec_t
+/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
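Review bot: the new hald.fc entry gives hal-hotplug-map the same hald_exec_t label as the daemon binary itself, so every rule keyed on hald_exec_t (the init-script entrypoint transition set up by daemon_domain(hald, ...) in hald.te) now applies to this helper as well; a one-line comment in the .fc stating that this is deliberate, and why it was preferred over leaving the file as bin_t, would save the next reader from assuming it is a mislabel. While touching this file, the existing context line "hardware informationd daemon" looks like a typo for "hardware information daemon".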
--- /usr/src/se/policy/domains/program/unused/hald.te 2004-08-28 12:05:02.000000000 +1000
+++ domains/program/unused/hald.te 2004-09-01 16:14:10.000000000 +1000
@@ -12,6 +12,8 @@
#
daemon_domain(hald, `, dbus_client_domain, fs_domain')
+can_exec(hald_t, hald_exec_t)
+
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
allow hald_t self:unix_stream_socket create_stream_socket_perms;
allow hald_t self:unix_dgram_socket create_socket_perms;
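Review bot: the added `can_exec(hald_t, hald_exec_t)` is what lets hald_t run /usr/libexec/hal-hotplug-map without a domain transition now that the helper is labelled hald_exec_t, but nothing in the hunk records that dependency; a comment such as "# hal-hotplug-map is labelled hald_exec_t so hald can run it without leaving hald_t" next to the macro would tie the two halves of the patch together and make it clear that this rule is not granting hald the ability to re-execute itself for some other reason.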
@@ -30,6 +32,7 @@
can_network(hald_t)
can_ypbind(hald_t)
+allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t event_device_t:chr_file { getattr read };
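Review bot: the new `allow hald_t device_t:lnk_file read;` has no accompanying comment, and the rest of this section pairs each device rule with a specific type (fixed_disk_device_t, removable_device_t, event_device_t); since this one covers every symlink labelled device_t under /dev, note which links hald actually follows (or which denial prompted the rule) so a later reviewer can judge whether a narrower type, or a dontaudit if the access is merely probing, would suffice.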