'allow XXXX udev_tdb_t:dir r_dir_perms' needed...

Daniel J Walsh dwalsh at redhat.com
Wed Dec 22 18:52:36 UTC 2004


Tom London wrote:

>On Wed, 22 Dec 2004 12:58:23 -0500, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  
>
>>Tom London wrote:
>>
>>Does this solve the problem?
>>
>>diff -u global_macros.te~ global_macros.te
>>--- global_macros.te~   2004-12-22 11:18:14.000000000 -0500
>>+++ global_macros.te    2004-12-22 12:56:43.883461279 -0500
>>@@ -242,7 +242,7 @@
>> allow $1_t { self proc_t }:dir r_dir_perms;
>> allow $1_t { self proc_t }:lnk_file read;
>>
>>-allow $1_t device_t:dir { getattr search };
>>+r_dir_file($1_t, device_t)
>> allow $1_t null_device_t:chr_file rw_file_perms;
>> dontaudit $1_t console_device_t:chr_file rw_file_perms;
>> dontaudit $1_t unpriv_userdomain:fd use;
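Review bot: On the changed line, swapping `allow $1_t device_t:dir { getattr search };` for `r_dir_file($1_t, device_t)` widens device_t access for every domain built from this macro, while the denials named in the subject are on udev_tdb_t, which the hunk never mentions. Consider keeping the narrow device_t rule and adding a separate rule for udev_tdb_t, such as `r_dir_file($1_t, udev_tdb_t)`. Also check against the logged AVCs whether every caller of this macro needs that access, or whether the rule belongs only in the affected domains.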
>>
>>
>>    
>>
>
>Dan,
>
>I'm at work, so I'll test this later.
>
>Since the AVCs had read/getattr denials
>for udev_tdb_t (not device_t), I would think
>that we would need a fix like this:
>
>  
>
>>+r_dir_file($1_t, { device_t udev_tdb_t })
>>    
>>
>
>Am I missing something obvious?
>
>tom
>
>
>  
>
No, but I am :^)  r_dir_file($1_t, udev_tdb_t) is probably sufficient.



