On Tue, 20 Jul 2004 03:15, Tom London <selinux@xxxxxxxxxxx> wrote:
> Audit2allow on permissive avc's yield:
> allow ptal_t etc_runtime_t:file { getattr };
> allow ptal_t etc_t:file { read };

For file access, whenever read access is requested you should allow getattr. For a file type such as etc_runtime_t, which contains nothing secret, if you allow getattr you should allow read. So I added the following to my tree:

allow ptal_t { etc_t etc_runtime_t }:file { getattr read };

> allow ptal_t staff_home_dir_t:dir { search };

What does ptal do? Why does it need such access?

> allow ptal_t usbdevfs_t:dir { getattr read };

Again, what is it trying to do here? I've never used ptal so I don't know what we should be permitting it to do.

> allow ptal_t var_run_t:fifo_file { create read setattr };
> allow ptal_t var_run_t:sock_file { create setattr };

For the sock_file and the fifo_file in question you didn't provide enough information to determine which directory they are in. Please repeat the tests and use "find /var/run -inum ..." to find the full path.

If they are under /var/run/ptal-printd or /var/run/ptal-mlcd then they should have the correct type and there should not be any problem (in which case there is some strange mis-labelling issue). If they are not under those directories then I will need to know the directories that they are in to write the correct policy.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
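The two rules of thumb applied in the reply above (read on a file also needs getattr; getattr on a type that holds nothing secret, such as etc_runtime_t, may as well come with read) and the merge of the two etc rules into one, as an added Python example that is not code from the original thread. The NON_SECRET set and the sample audit2allow lines are assumptions taken from the messages quoted above; targets are only merged into one rule when they end up with identical permission sets, so no target gains more than its own expanded permissions.

```python
import re
from collections import defaultdict

# Matches one audit2allow line such as: allow ptal_t etc_t:file { read };
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{\s*([\w\s]+?)\s*\}\s*;")

# Rule of thumb from the reply: read access to a file also needs getattr.
IMPLIED = {"file": {"read": {"getattr"}}}
# Types the reply treats as holding nothing secret, so getattr on a file of
# that type may as well come with read (assumption: taken from the reply).
NON_SECRET = {"etc_t", "etc_runtime_t"}

def parse_rules(text):
    """Return a list of (source, target, class, set(perms)) tuples."""
    return [(s, t, c, set(p.split())) for s, t, c, p in RULE_RE.findall(text)]

def expand(tgt, cls, perms):
    """Add the permissions implied by the two rules of thumb above."""
    out = set(perms)
    for p in perms:
        out |= IMPLIED.get(cls, {}).get(p, set())
    if cls == "file" and tgt in NON_SECRET and "getattr" in out:
        out.add("read")
    return out

def normalise(rules):
    """Expand perms, union duplicate (src, tgt, class) rules, then group
    targets whose expanded permission sets are identical into one rule."""
    by_key = defaultdict(set)
    for src, tgt, cls, perms in rules:
        by_key[(src, tgt, cls)] |= expand(tgt, cls, perms)
    grouped = defaultdict(list)
    for (src, tgt, cls), perms in by_key.items():
        grouped[(src, cls, frozenset(perms))].append(tgt)
    return [(src, sorted(tgts), cls, sorted(perms))
            for (src, cls, perms), tgts in grouped.items()]

def render(rule):
    """Print one rule back in policy syntax, using { a b } for many targets."""
    src, targets, cls, perms = rule
    tgt = targets[0] if len(targets) == 1 else "{ " + " ".join(targets) + " }"
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"

# Constructed sample: the audit2allow lines quoted in the thread.
SAMPLE = """\
allow ptal_t etc_runtime_t:file { getattr };
allow ptal_t etc_t:file { read };
allow ptal_t staff_home_dir_t:dir { search };
allow ptal_t usbdevfs_t:dir { getattr read };
allow ptal_t var_run_t:fifo_file { create read setattr };
allow ptal_t var_run_t:sock_file { create setattr };
"""

def normalised_policy(text=SAMPLE):
    """Return the normalised rules as sorted policy lines."""
    return sorted(render(r) for r in normalise(parse_rules(text)))

if __name__ == "__main__":
    print("\n".join(normalised_policy()))
```

The dir, fifo_file and sock_file rules pass through unchanged, which matches the reply: those are the ones it asks for more information about rather than rewriting.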