adds for latest policy...cups.te, udev.te?

Russell Coker russell at
Sat Dec 25 01:31:40 UTC 2004

On Saturday 25 December 2004 07:00, Tom London <selinux at> wrote:
> Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc:  denied
> { connect } for  pid=2679 exe=/usr/sbin/hal_lpadmin
> scontext=system_u:system_r:cupsd_config_t
> tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

It looks like we need to change the above to the below:

Also I suggest the change in the attached file net.diff to remove redundancy 
in the policy.conf file.

> Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc:  denied
> { read } for  pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
> ino=1114113 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:mnt_t tclass=dir

The attached patch udev.diff (which I sent to the SE Linux mailing list at 
about the same time as your message was posted) should fix this.

> The following change seems to fix:
> allow udev_t mnt_t:dir search;
> to
> allow udev_t mnt_t:dir r_dir_perms;
> But I'm not sure why pam_console_apply wants
> to read /mnt.  Should this be a dontaudit?

We could have done that.  But I think that pam_console_apply should run in 
domain pam_console_t when launched by udev.

--
My NSA Security Enhanced Linux packages
Bonnie++ hard drive benchmark
Postal SMTP/POP benchmark
My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net.diff
Type: text/x-diff
Size: 542 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: udev.diff
Type: text/x-diff
Size: 450 bytes
Desc: not available
URL: <>
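
The step from an AVC denial to a candidate policy rule, as discussed in the message above, shown as an added example that is not part of the original thread or the scrubbed attachments. The function names are hypothetical and the sample log is the two quoted denials re-joined onto single lines. The emitted `allow` rules are only candidates: as the reply points out, a `dontaudit` or running the program in a different domain can be the better fix.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the thread,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc:  denied  { connect } for  pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc:  denied  { read } for  pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: do not guess the missing contexts
    fields["perms"] = m.group(1).split()
    return fields

def te_type(context):
    """Third field of user:role:type is the type that TE rules refer to."""
    return context.split(":")[2]

def candidate_rules(log_text):
    """Group denials by (source, target, class); return (rule, [exe, ...]) pairs."""
    perms, exes = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = te_type(rec["scontext"]), te_type(rec["tcontext"])
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        perms[key].update(rec["perms"])
        exes[key].add(rec.get("exe", "?"))
    rules = []
    for key in sorted(perms):
        p = sorted(perms[key])
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append((f"allow {key[0]} {key[1]}:{key[2]} {perm_str};", sorted(exes[key])))
    return rules

if __name__ == "__main__":
    for rule, exe in candidate_rules(SAMPLE_LOG):
        print(rule, " # denied for", ", ".join(exe))
```

Keeping the `exe=` value next to each rule makes it visible when the denied program (here `pam_console_apply` under `udev_t`) is not the one the domain was written for, which is the case where a domain transition is worth considering before widening the domain.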

More information about the fedora-selinux-list mailing list