domains/misc/kernel.te

Daniel J Walsh dwalsh at redhat.com
Tue May 24 15:50:42 UTC 2005


Tom London wrote:

>domains/misc/kernel.te has the following lines:
>
># Use capabilities.
>allow kernel_t self:capability *;
>
>allow kernel_t sysfs_t:dir search;
>allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
>
># Run init in the init_t domain.
>
>Search for sysfs_t is in twice.
>
>Also, I'm getting avc's for kernel_t for getattr/read for sysfs_t:
>May 22 10:04:32 fedora kernel: SELinux: initialized (dev usbfs, type
>usbfs), uses genfs_contexts
>May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied 
>{ getattr } for  path="/sys/class/input/mouse1" dev=sysfs ino=1850
>scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t
>tclass=dir
>May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied 
>{ getattr } for  path="/sys/class/input/mouse1/dev" dev=sysfs ino=2090
>scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t
>tclass=file
>May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied 
>{ read } for  name=dev dev=sysfs ino=2090
>scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t
>tclass=file
>
>Would it be right to replace
>allow kernel_t sysfs_t:dir search;
>allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
>
>with
>r_dir_file(kernel_t, sysfs_t)
>allow kernel_t { usbfs_t usbdevfs_t }:dir search;
>
>tom
>  
>
in selinux-policy-*-1.23.16-7
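The denials quoted above are exactly the input a policy writer turns into allow rules by hand (or with audit2allow). As an added illustration, not code from the list or from the policy package, the following small parser reads the three AVC lines from the post (unwrapped onto single lines here) and collapses them into the minimal per-class rules they imply; the regex assumes the pre-MLS three-field context format seen in the log.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials quoted in the post, with the
# mail-client line wrapping undone so each denial sits on one line.
SAMPLE_AVC = """\
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied  { getattr } for  path="/sys/class/input/mouse1" dev=sysfs ino=1850 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=dir
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied  { getattr } for  path="/sys/class/input/mouse1/dev" dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied  { read } for  name=dev dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
"""

# Assumes user:role:type contexts (no MLS level), as in the 2005 log above.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+)\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Yield (source_domain, target_type, class, perm) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial (e.g. the "SELinux: initialized" line)
        for perm in m.group("perms").split():
            yield m.group("sdom"), m.group("ttype"), m.group("tclass"), perm


def denials_to_rules(text):
    """Collapse denials into one allow rule per (domain, type, class)."""
    perms = defaultdict(set)
    for sdom, ttype, tclass, perm in parse_denials(text):
        perms[(sdom, ttype, tclass)].add(perm)
    return [
        "allow %s %s:%s { %s };" % (sdom, ttype, tclass, " ".join(sorted(p)))
        for (sdom, ttype, tclass), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AVC):
        print(rule)
```

The two rules this prints are narrower than the r_dir_file(kernel_t, sysfs_t) proposed in the post, which grants general read access to the sysfs tree rather than only the permissions that were actually denied.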
