adds for latest policy...cups.te, udev.te?
Russell Coker
russell at coker.com.au
Sat Dec 25 01:31:40 UTC 2004
On Saturday 25 December 2004 07:00, Tom London <selinux at gmail.com> wrote:
> Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied
> { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin
> scontext=system_u:system_r:cupsd_config_t
> tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

can_network_server_tcp(cupsd_config_t)

It looks like we need to change the above to the below:

can_network_tcp(cupsd_config_t)

Also I suggest the change in the attached file net.diff to remove redundancy
in the policy.conf file.

> Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied
> { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
> ino=1114113 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:mnt_t tclass=dir

The attached patch udev.diff (which I sent to the SE Linux mailing list at
about the same time as your message was posted) should fix this.

> The following change seems to fix:
> allow udev_t mnt_t:dir search;
> to
> allow udev_t mnt_t:dir r_dir_perms;
> But I'm not sure why pam_console_apply wants
> to read /mnt. Should this be a dontaudit?

We could have done that. But I think that pam_console_apply should run in
domain pam_console_t when launched by udev.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net.diff
Type: text/x-diff
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041225/28af703f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: udev.diff
Type: text/x-diff
Size: 450 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041225/28af703f/attachment-0001.bin>
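
Added example, not part of the original message or its attachments: a Python parser that turns AVC denials such as the two quoted above into candidate allow rules and drops any permission an existing rule already grants, which is why `allow udev_t mnt_t:dir search;` does not silence the `read` denial. The function names are hypothetical, and the policy text passed in is assumed to be already macro-expanded, as in policy.conf.

```python
import re
from collections import defaultdict

# The two denials quoted in the message, each rejoined onto one line.
SAMPLE_LOG = """\
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
RULE_RE = re.compile(r"\ballow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_denials(log):
    """Map (source type, target type, class) -> {permission: {exe, ...}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
        try:  # the type is the third field of user:role:type
            key = (kv["scontext"].split(":")[2], kv["tcontext"].split(":")[2], kv["tclass"])
        except (KeyError, IndexError):
            continue  # truncated record: skip rather than guess
        for perm in m["perms"].split():
            denials[key][perm].add(kv.get("exe", "unknown"))
    return denials

def parse_rules(policy):
    """Map (source, target, class) -> permissions granted by allow rules."""
    granted = defaultdict(set)
    for src, tgt, cls, braced, single in RULE_RE.findall(policy):
        granted[(src, src if tgt == "self" else tgt, cls)].update((braced or single).split())
    return granted

def missing_rules(log, policy=""):
    """Allow rules for denied permissions that the given policy does not grant."""
    granted, rules = parse_rules(policy), []
    for (src, tgt, cls), perms in sorted(parse_denials(log).items()):
        need = sorted(p for p in perms if p not in granted[(src, tgt, cls)])
        if need:
            exes = sorted(set().union(*(perms[p] for p in need)))
            body = need[0] if len(need) == 1 else "{ " + " ".join(need) + " }"
            rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};"
                         f"  # seen from {', '.join(exes)}")
    return rules

if __name__ == "__main__":
    print("\n".join(missing_rules(SAMPLE_LOG, "allow udev_t mnt_t:dir search;")))
```

The trailing comment on each rule names the executable that triggered the denial, which is what a reviewer needs to decide between widening the source domain and moving that program into a domain of its own.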