On Sun, 22 Aug 2004 10:29, Tom London <selinux@xxxxxxxxxxx> wrote:
> Aug 21 13:31:15 fedora kernel: audit(1093120250.606:0): avc: denied {
> read } for pid=1558 exe=/sbin/microcode_ctl name=microcode dev=hda2
> ino=2689367 scontext=system_u:system_r:cpucontrol_t
> tcontext=system_u:object_r:device_t tclass=lnk_file
> Aug 21 13:31:15 fedora kernel: microcode: No new microdata for cpu 0
>
> 'ls -lZ /dev/cpu/0/microcode' yields:
> lrwxrwxrwx root root system_u:object_r:device_t
> /dev/cpu/0/microcode -> ../../microcode
>
> Does this link need to be labeled cpu_device_t, or
> does 'allow cpucontrol_t device_t:lnk_file { read };' need
> to be added to cpucontrol.te, or .... ?

Symbolic links under /dev should have type device_t. So an allow line such as
the one you suggest should be added to the policy.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page