Re: Debian testing +selinux
- From: "Justin Conover" <justin conover gmail com>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: Debian testing +selinux
- Date: Mon, 23 Jul 2007 09:41:36 -0500
On 7/23/07, Stephen Smalley <sds tycho nsa gov> wrote:
> On Mon, 2007-07-23 at 09:23 -0500, Justin Conover wrote:
> > On 7/23/07, Stephen Smalley <sds tycho nsa gov> wrote:
> > > On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> > > > I'm not sure if there is a regular selinux mailing list or not, I
> > > > mainly use Fedora but thought someone here might be able to help.
> > >
> > > http://www.nsa.gov/selinux/info/list.cfm
> >
> > Thank you, I saw that list but it said "SELinux Developers mailing
> > list" and I'm not a developer so I thought that excluded me :)
>
> Nope.
>
> > So if I remove the rule entirely, does that mean take it out of
> > local.te? The parts talking about hald.
>
> Only one that is relevant to this assertion is the one between hald_t
> and memory_device_t.
>
> --
> Stephen Smalley
> National Security Agency

Ok, I have removed the hald_t memory_device part:
comatose:~# grep hald local.te
type hald_t;
#============= hald_t ==============
#allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };
comatose:~# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
comatose:~# semodule_package -o local.pp -m local.mod
comatose:~# semodule -i local.pp
comatose:~#
Another question: does doing this audit2allow method sort of mean "I have no idea what I'm doing, so allow it all", or is that why it caught the hald_t memory portion and said "NO, don't do this!"?