<div>On 7/23/07, Stephen Smalley <<a href="mailto:sds@tycho.nsa.gov">sds@tycho.nsa.gov</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> On Mon, 2007-07-23 at 09:23 -0500, Justin Conover wrote: > > > On 7/23/07, Stephen Smalley <<a href="mailto:sds@tycho.nsa.gov">sds@tycho.nsa.gov</a>> wrote: > On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote: > > I'm not sure if there is a regular selinux mailing list or > not, I > > mainly use Fedora but thought someone here might be able to > help. > > <a href="http://www.nsa.gov/selinux/info/list.cfm">http://www.nsa.gov/selinux/info/list.cfm</a> > > > Thank you, I saw that list but it said "SELinux Developers mailing > list" and I'm not a developer so I thought that excluded me :) Nope. > So if I remove the rule entirely, does that mean take it out of > local.te? The parts talking about hald. Only one that is relevant to this assertion is the one between hald_t and memory_device_t. -- Stephen Smalley National Security Agency </blockquote></div>Ok, I have removed the hald_t memory_device part: comatose:~# grep hald local.te type hald_t; #============= hald_t ============== #allow hald_t memory_device_t:chr_file read; allow hald_t var_t:file { read getattr }; comatose:~# checkmodule -M -m -o local.mod local.te checkmodule: loading policy configuration from local.te checkmodule: policy configuration loaded checkmodule: writing binary representation (version 6) to local.mod comatose:~# semodule_package -o local.pp -m local.mod comatose:~# semodule -i local.pp comatose:~# Another question, does doing this audit2allow method sort of mean "I have no idea what I'm doing, so allow it all", or is that why it caught the hald_t memory portion and said NO, don't do this!