reconnecting USB printer
Tom London
selinux at gmail.com
Sun Sep 26 18:28:44 UTC 2004
Applied, and it fixes the above-mentioned issues.
However, there is another problem here. The second time I
disconnect the printer, I get a horde of AVCs, all from hald_t
apparently attempting to access 'everything', from apmd_t
through xfs_t (with the kitchen sink in between)....
'ps agxZ' yields:
root:sysadm_r:sysadm_t 4686 pts/2 S 0:00 -bash
system_u:system_r:hald_t 5443 ? Ss 0:00 cupsd
root:sysadm_r:sysadm_t 5571 pts/2 R+ 0:00 ps agxZ
That's not right, is it? Shouldn't cupsd be running in cupsd_t?
It looks like when hald restarts cupsd after the 'first reconnection',
it's not transitioning it to cupsd_t.
The following patch adds a
domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)
to cups.te
This makes the 'new' cupsd run in cupsd_t.
This doesn't fix everything, as there are still about 170 AVCs.
Do we need to add a bunch of 'domain_auto_trans' rules for
hald_t (for apmd_t, crond_t, ......)? dontaudits?
I attach the AVCs from a 'disconnect/reconnect' cycle running
a policy with the hald_t->cupsd_t auto_trans rule.
Help appreciated!
tom
On Sun, 26 Sep 2004 23:14:37 +1000, Russell Coker <russell at coker.com.au> wrote:
> On Sun, 26 Sep 2004 12:01, Tom London <selinux at gmail.com> wrote:
> > Running strict/enforcing, w/USB printer.
> >
> > Reconnecting printer (after pulling the plug) yields the following:
>
> allow hald_t urandom_device_t:chr_file { read };
>
> The above line should go unconditionally in hald.te not in cups.te. The
> reason is that hald might access urandom_device_t for many things other than
> printer configuration, and we don't want the other things to suddenly stop
> working if we remove the cups policy.
>
> Also for neat policy I think it's best not to put {} around a single item.
>
> I've attached a diff between the policy in my tree for hal and cups and that
> of the CVS. Please note that removing the dontaudit from cups.te is
> deliberate, there is a matching allow rule later in the same file.
>
> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page
--
Tom London
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: application/octet-stream
Size: 303 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040926/64e96a83/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usb-avcs
Type: application/octet-stream
Size: 41297 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040926/64e96a83/attachment-0001.obj>
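The two checks the thread walks through by hand (spotting cupsd in hald_t in `ps agxZ`, then deciding whether the flood of hald_t AVCs is a missing allow rule or a missing domain transition) as an added example; this is not code from the thread or from the reference policy, the ps and AVC samples are constructed, and the EXPECTED_DOMAIN table is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `ps agxZ` output, modelled on the thread (not the real capture).
PS_SAMPLE = """\
root:sysadm_r:sysadm_t 4686 pts/2 S 0:00 -bash
system_u:system_r:hald_t 5443 ? Ss 0:00 cupsd
root:sysadm_r:sysadm_t 5571 pts/2 R+ 0:00 ps agxZ
"""
# Constructed AVC lines in the 2.6-era kernel log format; pids, inodes and timestamps are made up.
AVC_SAMPLE = """\
audit(1096223324.100:0): avc:  denied  { read } for  pid=5443 comm="cupsd" name="urandom" dev=tmpfs ino=11 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1096223324.101:0): avc:  denied  { write } for  pid=5443 comm="cupsd" name="urandom" dev=tmpfs ino=11 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1096223324.102:0): avc:  denied  { signal } for  pid=5443 comm="cupsd" scontext=system_u:system_r:hald_t tcontext=system_u:system_r:apmd_t tclass=process
"""
# Assumed mapping: the domain each daemon should run in (the thread gives cupsd -> cupsd_t).
EXPECTED_DOMAIN = {"cupsd": "cupsd_t", "hald": "hald_t"}

# `ps agxZ` columns: LABEL PID TTY STAT TIME COMMAND
PS_RE = re.compile(r"^(?P<ctx>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<cmd>\S+)")
# user:role:type contexts; a trailing MLS field, if present, is ignored by the (?:\w+:){2} prefix.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}.*?scontext=(?:\w+:){2}(?P<stype>\w+)"
    r".*?tcontext=(?:\w+:){2}(?P<ttype>\w+)\s+tclass=(?P<tclass>\w+)"
)


def misplaced_processes(ps_text, expected=EXPECTED_DOMAIN):
    """Return (command, pid, actual_domain, expected_domain) for daemons running in the wrong domain."""
    found = []
    for m in filter(None, map(PS_RE.match, ps_text.splitlines())):
        cmd = m.group("cmd").lstrip("-")  # "-bash" is a login shell
        actual = m.group("ctx").split(":")[2]  # type field of user:role:type
        want = expected.get(cmd)
        if want and want != actual:
            found.append((cmd, int(m.group("pid")), actual, want))
    return found


def summarize_avcs(avc_text):
    """Collapse AVC lines into {(source_type, target_type, class): sorted permissions}."""
    summary = defaultdict(set)
    for m in filter(None, map(AVC_RE.search, avc_text.splitlines())):
        summary[(m.group("stype"), m.group("ttype"), m.group("tclass"))].update(m.group("perms").split())
    return {key: sorted(perms) for key, perms in summary.items()}


def denials_from_misplaced(ps_text, avc_text):
    """AVCs whose source domain hosts a misplaced daemon: these want a domain_auto_trans, not allow rules."""
    bad_domains = {actual for _, _, actual, _ in misplaced_processes(ps_text)}
    return {key: perms for key, perms in summarize_avcs(avc_text).items() if key[0] in bad_domains}
```

Denials listed by `denials_from_misplaced` should be cleared by a transition rule such as the `domain_auto_trans(hald_t, cupsd_exec_t, cupsd_t)` above rather than by feeding them to audit2allow, which would grant hald_t everything cupsd needs.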