adds for latest policy...cups.te, udev.te?
Tom London
selinux at gmail.com
Fri Dec 24 20:00:12 UTC 2004
Running strict/enforcing, latest rawhide. After rebooting following an update to the latest policy (selinux-policy-strict-1.19.15-7), I noticed the following AVCs:
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
and
Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Adding the following seems to fix it:
allow cupsd_config_t self:tcp_socket connect;
Also:
Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 4 times
Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF]
The following change seems to fix it:
allow udev_t mnt_t:dir search;
to
allow udev_t mnt_t:dir r_dir_perms;
But I'm not sure why pam_console_apply wants to read /mnt. Should this be a dontaudit?
tom
--
Tom London
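As an added illustration (not part of Tom's post and not the Fedora policy tooling), a small Python routine that does for the records quoted above what audit2allow does: parse each AVC denial, merge repeats of the same source/target/class, and emit the candidate allow or dontaudit rule, writing the target as self when source and target types match, as in the cupsd_config_t case. The sample records are constructed copies of the post's log lines, re-joined onto single lines.

```python
import re

# Constructed sample: the two kinds of AVC records from the post above,
# re-joined onto single lines the way syslog originally emitted them,
# plus one unrelated kernel line to show non-AVC input being skipped.
SAMPLE_AVCS = """\
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF]
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set(perms)), or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, set(m.group("perms").split())

def suggest_rules(log_text, dontaudit=False):
    """Collapse repeated denials into one rule per (source, target, class)."""
    merged = {}  # insertion-ordered, so rules come out in first-seen order
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC record (e.g. the ACPI line)
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    verb = "dontaudit" if dontaudit else "allow"
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        # Same type on both sides is written as 'self' in policy language.
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"{verb} {stype} {target}:{tclass} {plist};")
    return rules
```

A generated rule is only a starting point: it grants exactly the denied permission (here a bare read), whereas the post's fix substitutes the r_dir_perms macro, and whether a denial deserves allow or dontaudit is a policy judgement the log alone cannot make.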