reconnecting USB printer

Tom London selinux at gmail.com
Sun Sep 26 18:28:44 UTC 2004


Applied, and fixes above mentioned issues.

However, there is another problem here. The second time I 
disconnect the printer, I get a horde of AVCs, all from hald_t
apparently attempting to access 'everything', from apmd_t
through xfs_t (with the kitchen sink in between)....

'ps agxZ' yields:
root:sysadm_r:sysadm_t           4686 pts/2    S      0:00 -bash
system_u:system_r:hald_t         5443 ?        Ss     0:00 cupsd
root:sysadm_r:sysadm_t           5571 pts/2    R+     0:00 ps agxZ

That's not right, is it? Shouldn't cupsd be running in cupsd_t?

It looks like when hald restarts cupsd after the 'first reconnection',
it's not transitioning it to cupsd_t.

The following patch adds a 
domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)
to cups.te

This makes the 'new' cupsd run in cupsd_t. 
This doesn't fix everything, as there are still about 170 AVCs.

Do we need to add a bunch of 'domain_auto_trans' rules for
hald_t (for apmd_t, crond_t, ......)?  dontaudits?

I attach the AVCs from a 'disconnect/reconnect' cycle running
a policy with the hald_t->cupsd_t auto_trans rule.

Help appreciated!
   tom


On Sun, 26 Sep 2004 23:14:37 +1000, Russell Coker <russell at coker.com.au> wrote:
> On Sun, 26 Sep 2004 12:01, Tom London <selinux at gmail.com> wrote:
> > Running strict/enforcing, w/USB printer.
> >
> > Reconnecting printer (after pulling the plug) yields the following:
> 
> allow hald_t urandom_device_t:chr_file { read };
> 
> The above line should go unconditionally in hald.te not in cups.te.  The
> reason is that hald might access urandom_device_t for many things other than
> printer configuration, and we don't want the other things to suddenly stop
> working if we remove the cups policy.
> 
> Also for neat policy I think it's best not to put {} around a single item.
> 
> I've attached a diff between the policy in my tree for hal and cups and that
> of the CVS.  Please note that removing the dontaudit from cups.te is
> deliberate, there is a matching allow rule later in the same file.
> 
> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
> 
> 
> 
> 



-- 
Tom London
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: application/octet-stream
Size: 303 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040926/64e96a83/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usb-avcs
Type: application/octet-stream
Size: 41297 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040926/64e96a83/attachment-0001.obj>
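As an added example (not part of Tom's message or the attached diff/usb-avcs files), here is a small Python script that takes a log of AVC denials of the kind described above, groups them by source type, target type and object class, and flags any process whose exe is running in a different domain than a policy writer expects, which is what the missing hald_t -> cupsd_t transition looks like in the AVCs. The sample AVC lines and the /usr/sbin/cupsd -> cupsd_t expectation are constructed assumptions for the demo.

```python
import re
from collections import defaultdict
# Constructed sample AVC lines in the 2004-era dmesg/syslog format (not from the
# attached usb-avcs file); pid/exe/ino values are made up for the demo.
SAMPLE_AVCS = """\
audit(1096222001.101:12): avc:  denied  { read } for  pid=5443 exe=/usr/sbin/cupsd name=urandom dev=hda2 ino=1107 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1096222001.105:13): avc:  denied  { write } for  pid=5443 exe=/usr/sbin/cupsd name=cupsd.log dev=hda2 ino=2211 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:cupsd_log_t tclass=file
audit(1096222001.110:14): avc:  denied  { append } for  pid=5443 exe=/usr/sbin/cupsd name=cupsd.log dev=hda2 ino=2211 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:cupsd_log_t tclass=file
audit(1096222002.003:15): avc:  denied  { signal } for  pid=5430 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t tcontext=system_u:system_r:apmd_t tclass=process
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXE_RE = re.compile(r"exe=(?P<exe>\S+)")
def domain_type(context):
    """Return the type field (third colon-separated element) of an SELinux context."""
    return context.split(":")[2]

def summarize_avcs(text):
    """Group denials by (source type, target type, class), collecting the union of permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in groups.items()}

def missing_transitions(text, expected):
    """Flag denials whose exe should be confined in a domain other than its scontext; `expected` maps exe path -> domain (assumed mapping)."""
    found = set()
    for line in text.splitlines():
        m, e = AVC_RE.search(line), EXE_RE.search(line)
        if not (m and e):
            continue
        actual = domain_type(m["scontext"])
        want = expected.get(e["exe"])
        if want and want != actual:
            found.add((e["exe"], actual, want))
    return sorted(found)

if __name__ == "__main__":
    # Print the grouped denials in allow-rule form (like audit2allow) so they are easy to read.
    for (src, tgt, cls), perms in sorted(summarize_avcs(SAMPLE_AVCS).items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    for exe, actual, want in missing_transitions(SAMPLE_AVCS, {"/usr/sbin/cupsd": "cupsd_t"}):
        print(f"{exe} runs as {actual}, expected {want}: missing domain_auto_trans?")
```

A cupsd reported under hald_t by this check is the signal to add a domain transition rather than to allow each denial individually to hald_t.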

