'allow XXXX udev_tdb_t:dir r_dir_perms' needed...

Tom London selinux at gmail.com
Thu Dec 23 15:11:42 UTC 2004


On Thu, 23 Dec 2004 21:36:42 +1100, Russell Coker <russell at coker.com.au> wrote:
> On Thursday 23 December 2004 15:12, Tom London <selinux at gmail.com> wrote:
> > Here's what seems to get rhgb and X running again:
> >
> > global_macros.te:
> > allow $1_t { self proc_t }:dir r_dir_perms;
> > allow $1_t { self proc_t }:lnk_file read;
> >
> > +allow $1_t { device_t udev_tdb_t }:dir { getattr search };
> 
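
Review bot: the added allow line sits in global_macros.te under $1_t, so every domain this macro is expanded for gains getattr and search on udev_tdb_t directories, not only the rhgb and X domains that were failing. Consider scoping the rule to the domains that need it, or correcting the directory's label so that no new allow rule is required, and add a comment recording why the access is needed.
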
> The problem is that the directory should have type device_t not udev_tdb_t.
> The recent trend has been to label all directories under /dev as device_t.
> 
> -file_type_auto_trans(udev_t, device_t, udev_tdb_t, { file dir })
> +file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
> 
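
Review bot: dropping dir from the class list in file_type_auto_trans only changes the directory's type if the file-context entry stops assigning udev_tdb_t to it as well; with the old pattern `/dev/\.udev\.tdb(/.*)?` a relabel would put udev_tdb_t back on /dev/.udev.tdb. Land this together with the udev.fc change, and add a comment in udev.te stating that directories under /dev are deliberately left as device_t so that dir is not re-added later.
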
> If the above change is made to udev.te and the below change is made to udev.fc
> then everything will work well.  This is the easiest and simplest change that
> preserves expected functionality.
> 
> -/dev/\.udev\.tdb(/.*)? system_u:object_r:udev_tdb_t
> +/dev/\.udev\.tdb/.* -- system_u:object_r:udev_tdb_t
> 
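
Review bot: the new pattern `/dev/\.udev\.tdb/.* --` matches only regular files below the directory, whereas the old `(/.*)?` form also matched the path /dev/.udev.tdb itself and every file class. If any supported udev version creates /dev/.udev.tdb as a single regular file, or creates non-regular entries beneath it, those would no longer receive udev_tdb_t; if that matters, keep an explicit entry for them and note the assumption in udev.fc.
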
> I assume that the file names in directory /dev/.udev.tdb don't give anything
> away - otherwise the directory surely wouldn't have mode 0755...
> 
> --
> 

Russell, Dan,

Yes, this fixes it, even the user_t accesses.

Thanks!

tom

-- 
Tom London



