Progress! .532 boots! -- but dbus/hotplug/udev problems remain?

James Carter jwcart2 at epoch.ncsc.mil
Mon Aug 30 20:42:13 UTC 2004


Thanks Russell and Tom.  Merged into sourceforge policy using
r_dir_file() for selinux_config_t, file_context_t, and
default_context_t.

Showing only the part changed from Russell's patch:

--- domains/program/unused/udev.te	27 Aug 2004 13:14:05 -0000	1.17
+++ domains/program/unused/udev.te	30 Aug 2004 19:36:44 -0000
@@ -32,19 +31,19 @@
 allow udev_t device_t:blk_file create_file_perms;
 allow udev_t device_t:chr_file create_file_perms;
 allow udev_t device_t:sock_file create_file_perms;
-allow udev_t etc_t:file { getattr read execute };
+allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
 allow udev_t { sbin_t bin_t }:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t } )
+allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
-can_exec(udev_t, hostname_exec_t)
-can_exec(udev_t, iptables_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
 	
-# to read the file_contexts file?
-r_dir_file(udev_t, policy_config_t)
+# to read the file_contexts file
+r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
 
 allow udev_t policy_config_t:dir { search };
 allow udev_t proc_t:file { read };
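Review bot: adding etc_t to the macro call at `+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )` grants udev_t execute (and execute_no_trans) over every file labeled etc_t, which is far broader than whatever hook script or helper under /etc this is meant to cover; label that file with its own exec type in udev.fc and can_exec that type instead, keeping the narrowed `+allow udev_t etc_t:file { getattr read };` as it now is. Also, `+allow udev_t bin_t:lnk_file read;` is already covered by the unchanged `allow udev_t { sbin_t bin_t }:lnk_file read;` two lines above it and can be dropped.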

On Sun, 2004-08-29 at 15:53, Tom London wrote:
> Russell,
> 
> The following changes to udev.te seem needed....
> (If udev shouldn't be reading file_contexts, then dontaudit?)
> 
> Please correct/improve,
>    tom
> 
> --- /tmp/patches/udev.te        2004-08-29 11:35:48.000000000 -0700
> +++ udev.te     2004-08-29 12:40:58.000000000 -0700
> @@ -44,7 +44,9 @@
> 
>  # to read the file_contexts file
>  allow udev_t { selinux_config_t default_context_t }:dir search;
> -allow udev_t default_context_t:file { getattr read };
> +allow udev_t { selinux_config_t default_context_t }:file { getattr read };
> +allow udev_t file_context_t:dir { search };
> +allow udev_t file_context_t:file { getattr read };
> 
>  allow udev_t policy_config_t:dir { search };
>  allow udev_t proc_t:file { read };
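Review bot: the three dir-search/file-read pairs added here repeat one pattern across selinux_config_t, default_context_t and file_context_t; fold them into a single `r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t })`, which is the form the file already uses for sysfs_t, at the cost of also granting read/getattr on the directories rather than bare search. Given the comment above the block that the access is to read file_contexts, and the relabel permissions udev_t already holds on device nodes, this looks like a legitimate need for an allow rather than a dontaudit.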
> 
> 
> Russell Coker wrote:
> 
> >On Sun, 29 Aug 2004 04:29, Tom London <selinux at comcast.net> wrote:
> >  
> >
> >>Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
> >>kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
> >>now boots in strict/enforcing.
> >>    
> >>
> >
> >I've attached a diff against the CVS policy as well as the .te and .fc files 
> >for udev changes which fix this and address some other issues as well.
> >
> >Please try it out and let me know how it goes.
> >
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
James Carter <jwcart2 at epoch.ncsc.mil>
National Security Agency
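As an added example (not part of this thread or of the selinux-policy tree), here is a small checker for the kind of overlap a reviewer looks for in a hunk like the one above: it parses plain `allow` rules from a .te fragment, expands `{ a b }` sets into individual (source, target, class, permission) grants, and reports any rule whose grants are all made by other rules. The sample input is the post-patch udev.te fragment transcribed from the hunk; it is constructed here for the demo. Permission macros such as create_file_perms are treated as opaque tokens and macro calls such as can_exec() and r_dir_file() are skipped rather than expanded, so the checker can miss overlaps that only appear after macro expansion. Those are simplifying assumptions of this example, not properties of the policy tools.

```python
"""Flag SELinux 'allow' rules in a .te fragment that other rules already cover.

Added example for reviewing policy patches; not code from udev or
selinux-policy. Only plain 'allow src tgt:class perms;' lines are parsed
(with optional '{ a b }' sets). Permission macros like create_file_perms
are opaque tokens and macro calls like can_exec()/r_dir_file() are skipped,
so overlaps hidden behind macros are not detected (assumption of this demo).
"""
import re
from typing import List, Set, Tuple

Grant = Tuple[str, str, str, str]  # (source, target, class, permission)

# A token is either a braced set '{ a b }' or a single non-space word.
_SET = r"(\{[^}]*\}|\S+)"
_ALLOW_RE = re.compile(
    rf"^\s*allow\s+{_SET}\s+{_SET}\s*:\s*{_SET}\s+{_SET}\s*;\s*$"
)

# Post-patch udev.te fragment, transcribed from the hunk in the mail above
# (constructed sample input for this example).
UDEV_TE_AFTER = """\
allow udev_t device_t:blk_file create_file_perms;
allow udev_t device_t:chr_file create_file_perms;
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t etc_t:file { getattr read };
allow udev_t { bin_t sbin_t }:dir r_dir_perms;
allow udev_t { sbin_t bin_t }:lnk_file read;
allow udev_t bin_t:lnk_file read;
can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
can_exec(udev_t, udev_exec_t)
r_dir_file(udev_t, sysfs_t)
allow udev_t sysadm_tty_device_t:chr_file { read write };
allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
# to read the file_contexts file
r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
allow udev_t policy_config_t:dir { search };
allow udev_t proc_t:file { read };
"""


def _expand(token: str) -> List[str]:
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    return token.strip("{} ").split()


def parse_allow_rules(text: str) -> List[Tuple[str, Set[Grant]]]:
    """Return [(rule_text, {grant, ...}), ...] for each plain allow rule.

    Comments, blank lines and macro calls are ignored.
    """
    rules: List[Tuple[str, Set[Grant]]] = []
    for line in text.splitlines():
        m = _ALLOW_RE.match(line)
        if not m:
            continue
        srcs, tgts, classes, perms = (_expand(g) for g in m.groups())
        grants = {(s, t, c, p) for s in srcs for t in tgts
                  for c in classes for p in perms}
        rules.append((line.strip(), grants))
    return rules


def find_redundant_rules(text: str) -> List[str]:
    """Rules whose every grant is also made by at least one other rule.

    Exact duplicates are both reported, since each is covered by the other.
    """
    rules = parse_allow_rules(text)
    redundant: List[str] = []
    for i, (rule, grants) in enumerate(rules):
        others: Set[Grant] = set()
        for j, (_, g) in enumerate(rules):
            if j != i:
                others |= g
        if grants and grants <= others:
            redundant.append(rule)
    return redundant


if __name__ == "__main__":
    for rule in find_redundant_rules(UDEV_TE_AFTER):
        print("covered elsewhere:", rule)
```

Run against the transcribed fragment it reports the duplicated `bin_t:lnk_file read` rule and, less obviously, the two `device_t:{blk_file,chr_file} create_file_perms` lines, which the later relabel rule on `{ device_t device_type }:{chr_file blk_file}` already grants. Rules only made redundant by a macro expansion (for example the read/getattr that can_exec would also confer on etc_t) are not caught, which is the trade-off of keeping the parser to plain allow lines.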


