libgpod HAL callout and SELinux denials
Daniel J Walsh
dwalsh at redhat.com
Sun Jan 4 17:02:47 UTC 2009
Todd Zullinger wrote:
> Hi,
>
> I help maintain libgpod upstream and in Fedora. We install a hal
> callout¹ to handle newer iPods, which make some very useful and
> required information accessible only via a SCSI query of the iPod.
> The callout is meant to make the needed query and store the
> information retrieved (which is an XML file) on the iPod where it
> can subsequently be read by a normal user.
>
> To do this, the callout mounts the iPod to a temporary location,
> queries the device, saves the XML, and unmounts. This causes a number
> of denials which I will attach. I'd like to get some help in
> determining what things need fixed in the callout code and what things
> need policy changes. If I need to, I can package a policy module in
> libgpod, though having it in the main selinux policy would be
> preferable I think.
>
> The libgpod callout code is in:
>
> https://gtkpod.svn.sourceforge.net/svnroot/gtkpod/libgpod/trunk/tools/
>
> Most of the interesting code is in hal-callout.c, but the other files
> are probably worth a look as well.
>
> FWIW, the callout currently uses /tmp/ipodXXXXXX (via mkdtemp) as the
> temporary mount point. I did try moving that to /media to see if that
> worked any better, but AFAICT, it caused the same denials. Moving the
> temp mount out of /tmp is not a problem (and is probably a good idea
> anyway).
>
> Any help will be much appreciated.
>
> ¹ http://people.freedesktop.org/~david/hal-spec/hal-spec.html#device-properties-info-callouts
Use /var/run/hald instead of /tmp.
And I will add rules to allow this in F10 and F11. Are you planning on
putting this in F9? RHEL5.4?
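An added example, not part of the original thread and not libgpod's code: one way a callout could create its temporary mount point with mkdtemp under the directory suggested in the reply instead of /tmp. The names `make_mount_point` and `IPOD_MOUNT_BASE`, and the refusal of a group- or world-writable base directory, are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() and lstat() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Base directory taken from the reply above; the macro name is hypothetical. */
#define IPOD_MOUNT_BASE "/var/run/hald"

/*
 * Create a uniquely named, mode-0700 mount point under `base`.
 * Refuses a base that is missing, is not a real directory (lstat does not
 * follow a symlink), or is writable by group or other.
 * Returns 0 and fills `out` on success; -1 with errno set on failure.
 */
int make_mount_point(const char *base, char *out, size_t outlen)
{
    struct stat st;
    int n;
    if (lstat(base, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        errno = EPERM;
        return -1;
    }
    n = snprintf(out, outlen, "%s/ipodXXXXXX", base);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(out) ? 0 : -1;   /* mkdtemp creates the directory 0700 */
}

int main(void)
{
    char path[4096];
    if (make_mount_point(IPOD_MOUNT_BASE, path, sizeof path) != 0) {
        perror("make_mount_point");
        return 1;
    }
    printf("mount point: %s\n", path);  /* the callout would mount, query, unmount here */
    return rmdir(path) == 0 ? 0 : 1;
}
```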