dmesg avcs
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 8 14:07:46 UTC 2004
Josh Boyer wrote:
>This is my first stab at working with selinux, so be gentle ;).
>
>I am getting these avc messages when I run dmesg:
>
>avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4
>scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
>
>avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev=
>ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t
>tclass=chr_file
>
>So in the dmesg.te file, i defined the following rules:
>
>allow dmesg_t user_devpts_t:chr_file { read write getattr };
>allow dmesg_t user_t:fd { use };
>
>does that look correct? from my understanding, the 2 rules i added allow the
>dmesg_t domain read, write, and getattr access to pts char files...
>
>
>
Yes, but this might not be necessary. If the dmesg code was working
correctly and you saw these messages you might want to dontaudit them.
dontaudit dmesg_t userdomain:fd { use };
Would eliminate the terminal error for all userdomains (user, staff and
sysadm).
>josh
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
More information about the fedora-selinux-list
mailing list