hald / <<none>> / semanage

Stephen Smalley sds at tycho.nsa.gov
Wed Apr 19 12:31:52 UTC 2006


On Tue, 2006-04-18 at 13:39 -0700, Mike Carney wrote:
> I posted the following a few days ago. Some more information:
> 
> It seems that all hald wants to do is view the root directory of the
> mounted filesystem. After downloading, installing, and viewing the
> policy source files, it seems rather excessive to grant hald
> permission to search all directories on the mounted volume.
> 
> Is the fix to change the policy to simply not audit the attempts
> of the hald domain to get attributes of all filesystems?

No, it should be allowed to get attributes of all filesystems;
otherwise, parts of the desktop will break.  Didn't this already come
up?

> Or add a rule to always relabel the root directory of any r/w filesystem
> to some standard context the hald domain is granted access to?
> 
> Finally, there doesn't appear to be a way to convince semanage to accept
> the '<<none>>' (don't recurse when relabeling) keyword when adding a
> context. Is this a bug?

There is no recursion inherent in file contexts - it is only if you
specify a regex that has a (/.*)? tail that it is applied to all files
under the directory too.  <<none>> is if you don't want setfiles to
touch the file label at all (ever).

> Guidance as to what the right thing to do would be appreciated (I don't
> mind submitting a bug, just as long as I have the right information to
> place in it).


-- 
Stephen Smalley
National Security Agency
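An added illustration of the point made in the reply above (not part of this thread, and not libselinux's or setfiles' own code): a small Python model of file_contexts matching, with constructed sample entries. It assumes, as libselinux does for a single file_contexts file, that each regex is anchored to the whole path and the last matching line wins; the sample paths and contexts are made up.

```python
import re
from typing import NamedTuple, Optional, List, Tuple

class Spec(NamedTuple):
    regex: "re.Pattern[str]"
    context: Optional[str]  # None stands for <<none>>: setfiles leaves the label alone

# Constructed sample file_contexts lines (not from any real policy).
# Line 1 has the (/.*)? tail, so it covers everything under /media/data.
# Line 2 has no tail, so it covers exactly /media/data/private and nothing below it.
# Line 3 tells setfiles never to touch anything under /media/data/scratch.
FILE_CONTEXTS = """
/media/data(/.*)?           system_u:object_r:mnt_t:s0
/media/data/private         system_u:object_r:user_home_t:s0
/media/data/scratch(/.*)?   <<none>>
"""

def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [-type] context' lines; the optional file-type field is ignored here."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        pattern, context = fields[0], fields[-1]
        specs.append(Spec(re.compile(pattern), None if context == "<<none>>" else context))
    return specs

def lookup(specs: List[Spec], path: str) -> Tuple[str, Optional[str]]:
    """Return ('relabel', ctx), ('skip', None) for <<none>>, or ('unlabeled', None).

    Every spec is tried against the whole path and the last match wins,
    mirroring how libselinux resolves file_contexts entries.
    """
    winner = None
    for spec in specs:
        if spec.regex.fullmatch(path):
            winner = spec
    if winner is None:
        return ("unlabeled", None)
    if winner.context is None:
        return ("skip", None)
    return ("relabel", winner.context)

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for p in ["/media/data", "/media/data/private", "/media/data/private/notes.txt",
              "/media/data/scratch/tmp", "/other"]:
        print(p, "->", lookup(specs, p))
```

Note that /media/data/private/notes.txt falls back to mnt_t: the private entry has no (/.*)? tail, so it does not recurse.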