hald startup ?
Russell Coker
russell at coker.com.au
Tue Aug 24 11:28:26 UTC 2004
On Tue, 24 Aug 2004 01:49, Tom London <selinux at comcast.net> wrote:
> When hald starts (strict/enforcing) I get the following avc:
>
> Aug 23 08:20:29 fedora messagebus: messagebus startup succeeded
> Aug 23 08:20:29 fedora kernel: audit(1093274429.575:0): avc: denied { create } for pid=2796 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket
>
> hald appears to die quietly.
You need it. The new version of hald which just appeared in rawhide needs
much more access. I've already sent a policy patch to the main SE Linux
list, but I've attached the hald.te I'm using to this message to save you
hunting it down.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[Attachment: hald.te]
#DESC hald - server for device info
#
# Author: Russell Coker <rcoker at redhat.com>
# X-Debian-Packages:
#
#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
# Define the hald_t domain and hald_exec_t entry point; the extra
# attributes give hald dbus client and filesystem access.
daemon_domain(hald, `, dbus_client_domain, fs_domain')
# Configuration and runtime files under /etc.
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
# Local sockets; unix_dgram_socket create is the access denied in the AVC above.
allow hald_t self:unix_stream_socket create_stream_socket_perms;
allow hald_t self:unix_dgram_socket create_socket_perms;
# Acquire a service name on the system bus.
allow hald_t dbusd_t:dbus { acquire_svc };
allow hald_t { self proc_t }:file { getattr read };
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t hald_t:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file { getattr };
# Read-only netlink routing socket, two broad capabilities, and general network access.
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin };
can_network(hald_t)
# Probe fixed disks and input event devices.
allow hald_t fixed_disk_device_t:blk_file { getattr read };
allow hald_t event_device_t:chr_file { getattr read };
# Run updfstab and udev in their own domains when those policies are present;
# udev needs to send datagrams back to hald.
ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
')
# USB device information from usbdevfs.
allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
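The step Tom and Russell are doing by hand above, turning an AVC denial into a candidate allow rule and checking whether the attached hald.te already grants it, as an added worked example. This is an illustration written for this page in the spirit of audit2allow; it is neither that tool nor code from the original message or the SELinux project. The first log line is the denial quoted in the post; the other three are constructed here so that merging and the coverage check have something to do, and the expansion of create_socket_perms is an assumption about the macro set of the policy tree of that era.

```python
"""Turn SELinux AVC denials into candidate allow rules and check them against
an existing .te fragment.  Added example modelled loosely on what audit2allow
does; it is not the real tool and not part of the original post."""
import re

# Constructed sample input: the denial quoted in the post, plus three further
# lines made up here so that merging and coverage checking have something to do.
SAMPLE_AVC = """\
Aug 23 08:20:29 fedora kernel: audit(1093274429.575:0): avc: denied { create } for pid=2796 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket
Aug 23 08:20:29 fedora kernel: audit(1093274429.576:0): avc: denied { write } for pid=2796 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket
Aug 23 08:20:30 fedora kernel: audit(1093274430.101:0): avc: denied { read } for pid=2796 exe=/usr/sbin/hald path=/etc/hal/hald.conf dev=hda2 ino=12345 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
Aug 23 08:20:30 fedora kernel: audit(1093274430.102:0): avc: denied { search } for pid=2796 exe=/usr/sbin/hald name=lib dev=hda2 ino=2 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:var_lib_t tclass=dir
"""

# Two rules copied from the attached hald.te.
SAMPLE_POLICY = """\
allow hald_t self:unix_dgram_socket create_socket_perms;
allow hald_t { etc_t etc_runtime_t }:file { getattr read };
"""

# Assumed expansion of the old example-policy macro create_socket_perms;
# check global_macros.te in your own policy tree before relying on it.
MACROS = {
    "create_socket_perms": "create ioctl read getattr write setattr append "
                           "bind connect getopt setopt shutdown".split(),
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
POLICY_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;")


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def _tokens(s):
    """'{ a b }' or 'a' -> ['a', 'b'] / ['a']."""
    return s.strip().strip("{}").split()


def parse_avc(line):
    """Return {'perms', 'stype', 'ttype', 'tclass'} for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
        }
    except KeyError:
        return None


def _format_rule(stype, ttype, tclass, perms):
    tgt = "self" if ttype == stype else ttype
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {tgt}:{tclass} {body};"


def _merge(denials):
    """Collapse denials sharing (source, target, class) into one rule each."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return [_format_rule(s, t, c, p) for (s, t, c), p in merged.items()]


def avc_to_rules(avc_text):
    """All denials in the log, as allow rules."""
    return _merge(d for d in map(parse_avc, avc_text.splitlines()) if d)


def parse_policy(policy_text):
    """Parse plain 'allow' lines; macro names in the permission set are expanded."""
    rules = []
    for line in policy_text.splitlines():
        m = POLICY_RE.match(line)
        if not m:
            continue
        src, tgts, cls, perms = m.groups()
        expanded = set()
        for tok in _tokens(perms):
            expanded.update(MACROS.get(tok, [tok]))
        rules.append((src, set(_tokens(tgts)), cls, expanded))
    return rules


def is_covered(denial, rules):
    """True if some parsed rule already grants every permission in the denial."""
    for src, tgts, cls, perms in rules:
        if src != denial["stype"] or cls != denial["tclass"]:
            continue
        self_hit = "self" in tgts and denial["ttype"] == denial["stype"]
        if (denial["ttype"] in tgts or self_hit) and denial["perms"] <= perms:
            return True
    return False


def missing_rules(avc_text, policy_text):
    """Only the denials the existing policy fragment does not already cover."""
    rules = parse_policy(policy_text)
    return _merge(d for d in map(parse_avc, avc_text.splitlines())
                  if d and not is_covered(d, rules))


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_AVC, SAMPLE_POLICY):
        print(rule)
```

Run against the samples it reports only the var_lib_t dir search, because the unix_dgram_socket create in Tom's denial is already inside create_socket_perms and the etc_t read is inside the explicit { getattr read } rule. Treat the output as a review queue, not a patch: each line is an access the daemon actually attempted, and the decision whether it should be allowed, relabelled, or fixed in the program is the part no tool makes for you.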