Debian testing +selinux

Justin Conover justin.conover at gmail.com
Mon Jul 23 14:41:36 UTC 2007


On 7/23/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>
> On Mon, 2007-07-23 at 09:23 -0500, Justin Conover wrote:
> >
> >
> > On 7/23/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> >         On Mon, 2007-07-23 at 09:09 -0500, Justin Conover wrote:
> >         > I'm not sure if there is a regular selinux mailing list or not, I
> >         > mainly use Fedora but thought someone here might be able to help.
> >
> >         http://www.nsa.gov/selinux/info/list.cfm
> >
> >
> > Thank you, I saw that list but it said "SELinux Developers mailing
> > list" and I'm not a developer so I thought that excluded me :)
>
> Nope.
>
> > So if I remove the rule entirely, does that mean take it out of
> > local.te?  The parts talking about hald.
>
> Only one that is relevant to this assertion is the one between hald_t
> and memory_device_t.
>
> --
> Stephen Smalley
> National Security Agency
>
Ok, I have removed the hald_t memory_device part:

comatose:~# grep hald local.te
        type hald_t;
#============= hald_t ==============
#allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };


comatose:~# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to local.mod
comatose:~# semodule_package -o local.pp -m local.mod
comatose:~# semodule -i local.pp
comatose:~#



Another question, does doing this audit2allow method sort of mean "I have no
idea what I'm doing, so allow it all", or is that why it caught the hald_t
memory portion and said NO, don't do this!
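
Added example, not part of the original message or of any SELinux tool: a pre-build review step that lists active allow rules in a generated .te file whose target is on a manual-review list, so they are read before checkmodule is run. The names flag_rules and sample_te and the default review list are hypothetical, and the sample policy is constructed from the rules quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): list active allow rules in a .te
# file whose target is a type on a manual-review list.

# sample_te: constructed sample, modelled on the local.te rules quoted above.
sample_te() {
    cat <<'EOF'
module local 1.0;
require { type hald_t; type memory_device_t; type var_t; class chr_file read; class file { read getattr }; }
#============= hald_t ==============
allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };
EOF
}

# flag_rules FILE [TYPE...]: print "lineno: rule" for every uncommented
# allow rule whose target names a TYPE (default list is an assumption:
# memory_device_t, the type discussed in this thread). Assumes the
# single-source-type rule form seen in the thread. Returns 1 if any rule is flagged.
flag_rules() {
    file=$1; shift
    [ $# -gt 0 ] || set -- memory_device_t
    awk -v types="$*" '
        BEGIN { n = split(types, want, " "); found = 0 }
        { line = $0; sub(/#.*/, "", line) }        # commented-out rules are inactive
        line !~ /^[ \t]*allow[ \t]/ { next }
        {
            head = line
            sub(/:.*/, "", head)                   # keep "allow source target(s)"
            gsub(/[{}]/, " ", head)                # a target may be a { set }
            sub(/^[ \t]+/, "", head)
            m = split(head, tok, /[ \t]+/)
            hit = 0
            for (i = 3; i <= m && !hit; i++)       # tok[1]=allow, tok[2]=source
                for (j = 1; j <= n; j++)
                    if (tok[i] == want[j]) { hit = 1; break }
            if (hit) { printf "%d: %s\n", NR, line; found = 1 }
        }
        END { exit found }
    ' "$file"
}

# Demo: flags line 4 of the sample; the var_t rule passes unflagged.
tmp=$(mktemp) && sample_te > "$tmp"
flag_rules "$tmp" || echo "review the flagged rules before running checkmodule"
rm -f "$tmp"
```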