hald/hal-hotplug-map

Tom London selinux at comcast.net
Sun Aug 29 20:41:15 UTC 2004


hald seems to need to execute /usr/libexec/hal-hotplug-map:

Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc:  denied  { execute } for  pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc:  denied  { execute } for  pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file

Does it make sense to label /usr/libexec/hal* as hald_exec_t and add
'can_exec(hald_t, hald_exec_t)' to hald.te?

Also, it seems that hald and updfstab need to do their dbus thing,
and hald wants to access printer_device_t.

Suggested patches to hald.te and hald.fc:

--- hald.te     2004-08-27 14:37:17.000000000 -0700
+++ /etc/selinux/strict/src.old/policy/domains/program/hald.te  
2004-08-28 13:40:57.000000000 -0700
@@ -37,7 +37,12 @@
 ifdef(`udev.te', `
 domain_auto_trans(hald_t, udev_exec_t, udev_t)
 allow udev_t hald_t:unix_dgram_socket sendto;
+allow hald_t updfstab_t:dbus { send_msg };
+allow updfstab_t hald_t:dbus { send_msg };
 ')

 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
+
+allow hald_t printer_device_t:chr_file { read write };
+can_exec(hald_t, hald_exec_t)
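Review bot: the two dbus rules between hald_t and updfstab_t are placed inside the `ifdef(`udev.te', ...)` block, so they are compiled in whenever udev policy exists and dropped whenever it does not, which has nothing to do with whether updfstab_t is defined; wrap them in their own `ifdef(`updfstab.te', ...)` so the policy still builds without updfstab. The AVC records quoted above only show the execute denial on hal-hotplug-map; no denial is shown for printer_device_t or for dbus, so include those records (and check whether `write` on the printer device is actually needed, or only `read`/`getattr`) before these rules go in.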
--- 
/etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc      
2004-08-27 14:37:17.000000000 -0700
+++ hald.fc     2004-08-29 13:36:44.147534409 -0700
@@ -1,2 +1,3 @@
 # hald - hardware informationd daemon
 /usr/sbin/hald         --      system_u:object_r:hald_exec_t
+/usr/libexec/hal-.*    --      system_u:object_r:hald_exec_t
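Review bot: labelling `/usr/libexec/hal-.*` as hald_exec_t makes every hal-* helper an entry point for the hald_t domain, so any domain_auto_trans rule that targets hald_exec_t (the one used to start /usr/sbin/hald) now also fires when something other than hald runs a helper; a separate exec type for the helpers, with the `can_exec(hald_t, ...)` line in hald.te pointing at it, keeps the daemon's own entry point distinct. Two smaller points: the pattern ends in `.*`, which in file_contexts also matches anything below a `/usr/libexec/hal-*` directory, and the hald.te diff above has `---`/`+++` in the opposite order from this one (working copy first there, policy tree first here), so regenerate both diffs with the same old/new order so they apply cleanly.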


Please correct/improve,
   tom
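As an added illustration (not part of Tom's post), here is a small parser for the AVC records quoted above. It reads the two denial lines exactly as they appear in the post (re-joined onto one line each) and produces the allow rule that would silence them, the way audit2allow does. The point for anyone reviewing the patch: the literal translation of the denial is `allow hald_t bin_t:file { execute };`, which would let hald execute everything labelled bin_t, and that is exactly why relabelling the helper to a hald-specific exec type is the better fix. All names here come from the post; the helper functions are the example's own.

```python
"""Parse SELinux AVC denial records (the format quoted in the post above)
and turn each into the allow rule that would silence it, in the style of
audit2allow. Added example; not part of the original post or of the policy."""
import re
from collections import defaultdict

# The two audit lines from the post, re-joined onto one line each.
SAMPLE_LOG = """\
Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc:  denied  { execute } for  pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc:  denied  { execute } for  pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
"""

# "avc:  denied  { perm perm ... } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the permissions, source/target types, class and raw key=value
    fields of one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # scontext/tcontext are user:role:type[:range]; the type is the third field.
    return {
        "perms": perms,
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def allow_rules(log_text):
    """Collapse denials into one allow rule per (source, target, class),
    merging the permission sets as audit2allow would."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_LOG.splitlines())):
        print(f"{rec['stype']} -> {rec['ttype']} ({rec['tclass']}): "
              f"{' '.join(rec['perms'])} on name={rec['fields']['name']}")
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The two records collapse into the single rule `allow hald_t bin_t:file { execute };`. Reading `name=hal-hotplug-map` and `tcontext=...:bin_t` side by side is what tells you the file is simply mislabelled, so a file_contexts entry for the helper is the narrower fix than the allow rule the tool would emit.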