[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: 'allow XXXX udev_tdb_t:dir r_dir_perms' needed...

Tom London wrote:

On Wed, 22 Dec 2004 12:58:23 -0500, Daniel J Walsh <dwalsh redhat com> wrote:

Tom London wrote:

Does this solve the problem?

diff -u global_macros.te~ global_macros.te
--- global_macros.te~   2004-12-22 11:18:14.000000000 -0500
+++ global_macros.te    2004-12-22 12:56:43.883461279 -0500
@@ -242,7 +242,7 @@
allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;

-allow $1_t device_t:dir { getattr search };
+r_dir_file($1_t, device_t)
allow $1_t null_device_t:chr_file rw_file_perms;
dontaudit $1_t console_device_t:chr_file rw_file_perms;
dontaudit $1_t unpriv_userdomain:fd use;


I'm at work, so I'll test this later.

Since the AVCs had read/getattr denials
for udev_tdb_t (not device_t), I would think
that we would need a fix like this:

+r_dir_file($1_t, { device_t udev_tdb_t })

Am I missing something obvious?


No but I am :^) r_dir_file($1_t, udev_tdb_t) is probably sufficient

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]