adds for latest policy...cups.te, udev.te?

Russell Coker russell at coker.com.au
Sat Dec 25 01:31:40 UTC 2004


On Saturday 25 December 2004 07:00, Tom London <selinux at gmail.com> wrote:
> Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc:  denied
> { connect } for  pid=2679 exe=/usr/sbin/hal_lpadmin
> scontext=system_u:system_r:cupsd_config_t
> tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

can_network_server_tcp(cupsd_config_t)
It looks like we need to change the above to the below:
can_network_tcp(cupsd_config_t)

Also I suggest the change in the attached file net.diff to remove redundancy 
in the policy.conf file.

> Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc:  denied
> { read } for  pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
> ino=1114113 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:mnt_t tclass=dir

The attached patch udev.diff (which I sent to the SE Linux mailing list at 
about the same time as your message was posted) should fix this.

> The following change seems to fix:
> allow udev_t mnt_t:dir search;
> to
> allow udev_t mnt_t:dir r_dir_perms;
> But I'm not sure why pam_console_apply wants
> to read /mnt.  Should this be a dontaudit?

We could have done that.  But I think that pam_console_apply should run in 
domain pam_console_t when launched by udev.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net.diff
Type: text/x-diff
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041225/28af703f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: udev.diff
Type: text/x-diff
Size: 450 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041225/28af703f/attachment-0001.bin>

