Re: hald / <<none>> / semanage
- From: Stephen Smalley <sds tycho nsa gov>
- To: Mike Carney <mc-al34luc sbcglobal net>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: hald / <<none>> / semanage
- Date: Wed, 19 Apr 2006 08:31:52 -0400
On Tue, 2006-04-18 at 13:39 -0700, Mike Carney wrote:
> I posted the following a few days ago. Some more information:
>
> It seems that all hald wants to do is view the root directory of the
> mounted filesystem. After downloading, installing, and viewing the
> policy source files, it seems rather excessive to grant hald
> permission to search all directories on the mounted volume.
>
> Is the fix to change the policy to simply not to audit the attempts
> of the hald domain to get attributes of all filesystems?
No, it should be allowed to get attributes of all filesystems;
otherwise, parts of the desktop will break. Didn't this already come
up?
> Or add a rule to always relabel the root directory of any r/w filesystem
> to some standard context the hald domain is granted access to?
>
> Finally, there doesn't appear to be a way to convince semanage to accept
> the '<<none>>' (don't recurse when relabeling) keyword when adding a
> context. Is this a bug?
There is no recursion inherent in file contexts - it is only if you
specify a regex that has a (/.*)? tail that it is applied to all files
under the directory too. <<none>> is if you don't want setfiles to
touch the file label at all (ever).
> Guidance as to what the right thing to do would be appreciated (I don't
> mind submitting a bug, just as long as I have the right information to
> place in it).
--
Stephen Smalley
National Security Agency
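The distinction Stephen draws above (a `(/.*)?` tail is what makes an entry cover a subtree, and `<<none>>` means setfiles leaves the label alone) can be seen by simulating how setfiles/restorecon choose a context: every entry is anchored to the whole path, and when several entries match, the last one wins, which is also why local additions from semanage override the distribution entries. The script below is an added example written for this archive page, not code from the thread or from the SELinux project; the file_contexts entries, paths and the `/mnt/data` and `/mnt/isoroot` names are constructed.

```python
import re

# Constructed file_contexts entries for this example (not from the thread).
# Each line is: <regex> [<file type>] <context or <<none>>>.
# The first entry has a (/.*)? tail, so it covers everything below /mnt/data;
# the other two have no tail, so each matches exactly one path.
FILE_CONTEXTS = """
/mnt/data(/.*)?      system_u:object_r:mnt_t:s0
/mnt/data/private    <<none>>
/mnt/isoroot      -d system_u:object_r:iso9660_t:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file type, context) tuples."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # setfiles anchors each regex, so it has to match the whole path;
        # a spec without a (/.*)? tail therefore never reaches children.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def match_context(specs, path, path_type="-"):
    """Return the context of the last entry matching path, or None.

    path_type is the single character used in the optional second field
    ('-' regular file, 'd' directory, 'l' symlink, ...). An entry with a
    type field applies only to that type; entries without one apply to all.
    """
    matched = None
    for regex, ftype, context in specs:
        if ftype is not None and ftype[1] != path_type:
            continue
        if regex.match(path):
            matched = context  # later entries override earlier ones
    return matched


def relabel_action(specs, path, path_type="-"):
    """Describe what a relabel (setfiles/restorecon) would do for one path."""
    context = match_context(specs, path, path_type)
    if context is None:
        return "unmatched: label left as is"
    if context == "<<none>>":
        return "skip: <<none>> tells setfiles never to touch this label"
    return f"relabel to {context}"


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    sample = [
        ("/mnt/data", "d"),                   # covered by the tailed entry
        ("/mnt/data/a/b.txt", "-"),           # also covered: the tail recurses
        ("/mnt/data/private", "d"),           # two matches, <<none>> is last
        ("/mnt/data/private/secret", "-"),    # <<none>> has no tail: mnt_t again
        ("/mnt/isoroot", "d"),                # literal, directory-only entry
        ("/mnt/isoroot/README", "-"),         # no tail, so nothing matches
    ]
    for path, ptype in sample:
        print(f"{path:28} {relabel_action(specs, path, ptype)}")
```

Run it and compare `/mnt/data/private` with `/mnt/data/private/secret`: the `<<none>>` entry protects only the directory it names, and the tailed entry above it still claims everything underneath, which is the behaviour to keep in mind when deciding whether an entry added with semanage needs a `(/.*)?` tail or not.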