Re: hald/hal-hotplug-map: msg#00223

Tom London wrote:

hald seems to need to execute /usr/libexec/hal-hotplug-map:
Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied{ execute} for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2ino=4123436 scontext=system_u:system_r:hald_ttcontext=system_u:object_r:bin_t tclass=fileAug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc: denied{ execute} for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2ino=4123436 scontext=system_u:system_r:hald_ttcontext=system_u:object_r:bin_t tclass=file
Does it make sense to label /usr/libexec/hal* as hald_exec_t and add
'canexec(hald_t, hald_exec_t)' to hald.te ?

Or just add
can_exec(hald_t, bin_t)

Also, seems that hald and updfstab need to do their dbus thing,
and hald wants to access printer_device_t.

Suggested patches to hald.te and hald.fc

--- hald.te     2004-08-27 14:37:17.000000000 -0700

+++ /etc/selinux/strict/src.old/policy/domains/program/hald.te2004-08-28 13:40:57.000000000 -0700

@@ -37,7 +37,12 @@
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
+allow hald_t updfstab_t:dbus { send_msg };
+allow updfstab_t hald_t:dbus { send_msg };
')

allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
+
+allow hald_t printer_device_t:chr_file { read write };
+can_exec(hald_t, hald_exec_t)

---/etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc2004-08-27 14:37:17.000000000 -0700

+++ hald.fc     2004-08-29 13:36:44.147534409 -0700
@@ -1,2 +1,3 @@
# hald - hardware informationd daemon
/usr/sbin/hald         --      system_u:object_r:hald_exec_t
+/usr/libexec/hal-.*    --      system_u:object_r:hald_exec_t


Please correct/improve,
  tom
tom
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain?, Daniel J Walsh
Next by Date:	Re: Cleaned up udev-selinux patch, Luke Kenneth Casson Leighton
Previous by Thread:	Re: hald/hal-hotplug-map, Tom London
Next by Thread:	more on udev.te, Tom London
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain?, Daniel J Walsh

Next by Date:

Re: Cleaned up udev-selinux patch, Luke Kenneth Casson Leighton

Previous by Thread:

Re: hald/hal-hotplug-map, Tom London

Next by Thread:

more on udev.te, Tom London

Indexes:

[Date] [Thread] [Top] [All Lists]

Free Magazines

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe