Josh Boyer wrote:
Yes, but this might not be necessary. If the dmesg code was working correctly and you saw these messages you might want to dontaudit them.
This is my first stab at working with selinux, so be gentle ;).
I am getting these avc messages when I run dmesg:
avc: denied { use } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
avc: denied { read write } for pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t tclass=chr_file
So in the dmesg.te file, I defined the following rules:
allow dmesg_t user_devpts_t:chr_file { read write getattr };
allow dmesg_t user_t:fd { use };
Does that look correct? From my understanding, the 2 rules I added allow the dmesg_t domain read, write, and getattr access to pts char files...
dontaudit dmesg_t userdomain:fd { use };
Would eliminate the terminal error for all userdomains (user, staff and sysadm).
josh