On Wed, 2007-02-07 at 19:26 +0100, David Nielsen wrote:
> Upon investigation this appears to be a SELinux policy issue actually,
> I see the following in dmesg after attempting to start HAL:
>
> audit(1170872559.797:8): avc: denied { write } for pid=4679
> comm="hald-generate-f" name="hald" dev=dm-3 ino=4653249
> scontext=user_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> However the policy relabeling is a tad problematic as seen in #227702

I'm slightly annoyed that every time I do the smallest change in HAL then SELinux breaks something insofar that it prevents HAL from doing what it needs to do. In a way it's good, it's what SELinux is _supposed_ to do but it's just bloody annoying nonetheless. Maybe the policy is too strict, maybe HAL is moving too fast. I don't know.

So I really really wish I could ship the SELinux policy for HAL _along_ with the HAL tarball then I could fix this up before releases etc. etc. Having it decoupled as it is now is just a really bad idea I think. Also, it might educate other vendors that SELinux is a pretty good idea given that it prevents so many things from happening.

Dan, is that going to be possible to do anytime soon?

David

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
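
Added example, not part of the original message or of HAL or the SELinux tooling: a small Python parser that splits the AVC denial quoted above into its source context, target context, object class and permissions. The `GENERIC_TYPES` set and the hint text are assumptions made for this illustration, a heuristic for spotting objects that carry only a generic label.

```python
import re

# The denial quoted in the message above, joined onto one line.
SAMPLE = ('audit(1170872559.797:8): avc: denied { write } for pid=4679 '
          'comm="hald-generate-f" name="hald" dev=dm-3 ino=4653249 '
          'scontext=user_u:system_r:hald_t:s0 '
          'tcontext=system_u:object_r:var_t:s0 tclass=dir')

# Assumption for this example: generic types that usually indicate the
# object never received a domain-specific label.
GENERIC_TYPES = {"var_t", "usr_t", "etc_t", "tmp_t",
                 "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r'audit\((?P<time>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
                    r'\s+for\s+(?P<rest>.*)')

def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    user, role, typ, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ,
            "level": level[0] if level else None}

def parse_avc(line):
    """Return a dict describing one AVC record, or None if it does not parse."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; values are either "quoted" or a run of non-spaces.
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"])}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "time": float(m["time"]), "serial": int(m["serial"]),
        "result": m["result"], "perms": m["perms"].split(),
        "source": split_context(fields.pop("scontext")),
        "target": split_context(fields.pop("tcontext")),
        "tclass": fields.pop("tclass"), "fields": fields,
    }

def summarize(rec):
    """One-line summary plus a triage hint (heuristic, see GENERIC_TYPES)."""
    src, tgt = rec["source"]["type"], rec["target"]["type"]
    rule = f'{src} -> {tgt}:{rec["tclass"]} {{ {" ".join(rec["perms"])} }}'
    hint = "check file labeling" if tgt in GENERIC_TYPES else "check policy rules"
    return rule, hint

if __name__ == "__main__":
    print(*summarize(parse_avc(SAMPLE)), sep="  # ")
```
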