acpid

Daniel J Walsh dwalsh at redhat.com
Mon Sep 26 19:51:59 UTC 2005


Stephen Smalley wrote:

>On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
>
>>Can nobody here help with this (and if not, where could I go for
>>assistance)?  selinux-policy-targeted-1.27.1-2.1 does not solve the
>>problem.
>
>From the audit messages you posted, I would have expected that:
>- a new type would have been assigned to /usr/share/hwdata, and apmd_t
>would have been allowed to read it.
>
I am making this change.

>- tmp_domain(apmd_t) would have been added to enable it to create its
>own temporary files under /tmp without disturbing anyone else's
>temporary files.
>
>Looking at the latest rawhide targeted policy (1.27.1-5), it looks like
>the tmp_domain() has been added, it has been directly allowed to read
>usr_t (which I would have preferred not doing) and it has been made
>unconfined in targeted policy (which seems overkill).  So I would expect
>your scripts to work just fine with that policy, even though I'd still
>favor adding a new type for /usr/share/hwdata and not making apmd_t
>completely unconfined.
>
The problem is there are no standard scripts for this yet.  Trying to
lock down acpid is a moving target at this time, until the distros
settle on a standard way of doing this.  So until then it is better to
run unconfined.  If in the FC5 timeframe a standard develops in Fedora,
I will make the policy work and remove the unconfined_domain.

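What Stephen describes above (a dedicated type for /usr/share/hwdata that apmd_t may read, plus a private tmp type for apmd_t instead of making it unconfined), written out as an added illustrative policy module in reference-policy syntax; this is not the policy from the thread, and the names hwdata_t and apmd_tmp_t, as well as the files_* interfaces and pattern macros, are assumptions about the target policy build.

```selinux
# apmd_hwdata.te -- illustrative module, not the Fedora policy discussed above.
# Assumes a reference-policy style toolchain (policy_module, files_* interfaces,
# *_pattern macros). hwdata_t and apmd_tmp_t are names chosen for this example.
policy_module(apmd_hwdata, 1.0)

require {
    type apmd_t;
}

# 1. A dedicated type for /usr/share/hwdata, so apmd_t can read that tree
#    without being granted read access to everything labelled usr_t.
type hwdata_t;
files_type(hwdata_t)

files_search_usr(apmd_t)                       # traverse /usr to reach hwdata
list_dirs_pattern(apmd_t, hwdata_t, hwdata_t)  # list the hwdata directories
read_files_pattern(apmd_t, hwdata_t, hwdata_t) # read the data files

# 2. A private temporary-file type, the refpolicy equivalent of what
#    tmp_domain(apmd_t) provided in the 2005 policy: files and directories
#    apmd_t creates under /tmp are labelled apmd_tmp_t, so they stay
#    separate from every other domain's temporary files.
type apmd_tmp_t;
files_tmp_file(apmd_tmp_t)

manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t)
files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })

# apmd_hwdata.fc -- companion file-context entry (separate file in a real build):
# /usr/share/hwdata(/.*)?   gen_context(system_u:object_r:hwdata_t,s0)
```

After building and loading the module (for example with `make -f /usr/share/selinux/devel/Makefile` and `semodule -i`), run `restorecon -R /usr/share/hwdata` so the existing files pick up the new label; any remaining denials show up in the audit log for review with `audit2allow`.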