On Tue, 24 Aug 2004 01:49, Tom London <selinux@xxxxxxxxxxx> wrote:
> When hald starts (strict/enforcing) I get the following avc:
>
> Aug 23 08:20:29 fedora messagebus: messagebus startup succeeded
> Aug 23 08:20:29 fedora kernel: audit(1093274429.575:0): avc: denied {
> create } for pid=2796 exe=/usr/sbin/hald
> scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t
> tclass=unix_dgram_socket
>
> hald appears to die quietly.

You need it.

The new version of hald which just appeared in rawhide needs much more
access. I've already sent a policy patch to the main SE Linux list, but
I've attached the hald.te I'm using to this message to save you hunting
it down.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
#DESC hald - server for device info
#
# Author:  Russell Coker <rcoker@xxxxxxxxxx>
# X-Debian-Packages:
#
#################################
#
# Rules for the hald_t domain.
#
# hald_exec_t is the type of the hald executable.
#
daemon_domain(hald, `, dbus_client_domain, fs_domain')

allow hald_t { etc_t etc_runtime_t }:file { getattr read };
allow hald_t self:unix_stream_socket create_stream_socket_perms;
# covers the unix_dgram_socket create that was denied in the quoted avc
allow hald_t self:unix_dgram_socket create_socket_perms;
allow hald_t dbusd_t:dbus { acquire_svc };
allow hald_t { self proc_t }:file { getattr read };
allow hald_t { bin_t sbin_t }:dir search;
allow hald_t hald_t:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file { getattr };
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
allow hald_t self:capability { net_admin sys_admin };
can_network(hald_t)
allow hald_t fixed_disk_device_t:blk_file { getattr read };
allow hald_t event_device_t:chr_file { getattr read };

# transitions below are only compiled in when the matching policy file exists
ifdef(`updfstab.te', `domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)')

ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
')

allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
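The quoted avc and the `allow hald_t self:unix_dgram_socket create_socket_perms;` line in the attached hald.te are two ends of the same mapping: source type from scontext, target type from tcontext (or `self` when they match), object class from tclass, and the denied permissions. The script below is an added example written for this thread, not code from the message or from the SE Linux policy tree; it parses avc lines in the format shown above into candidate allow rules, merging denials that share the same source, target and class the way audit2allow does. The sample log lines are constructed (the first mirrors the one in the message), and it emits raw permissions rather than the macros such as create_socket_perms that the attached policy uses.

```python
import re

# Constructed sample log lines; the second mirrors the avc quoted in the message,
# the rest are made up for this example (hald_t is used as the source throughout).
SAMPLE_LOG = [
    "Aug 23 08:20:29 fedora messagebus: messagebus startup succeeded",
    "Aug 23 08:20:29 fedora kernel: audit(1093274429.575:0): avc: denied { create } "
    "for pid=2796 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t "
    "tcontext=system_u:system_r:hald_t tclass=unix_dgram_socket",
    "Aug 23 08:20:30 fedora kernel: audit(1093274430.101:0): avc: denied { read } "
    "for pid=2796 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t "
    "tcontext=system_u:system_r:hald_t tclass=fifo_file",
    "Aug 23 08:20:30 fedora kernel: audit(1093274430.102:0): avc: denied { write } "
    "for pid=2796 exe=/usr/sbin/hald scontext=system_u:system_r:hald_t "
    "tcontext=system_u:system_r:hald_t tclass=fifo_file",
    "Aug 23 08:20:31 fedora kernel: audit(1093274431.007:0): avc: denied { getattr } "
    "for pid=2796 exe=/usr/sbin/hald name=fstab dev=hda1 ino=1234 "
    "scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file",
]

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., 'tcontext': ..., 'tclass': ...}
    for an avc denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {"perms": m.group("perms").split(), **fields}


def context_type(ctx):
    """user:role:type[:level] -> type (the part a TE rule names)."""
    return ctx.split(":")[2]


def format_rule(src, target, tclass, perms):
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{tclass} {perm_str};"


def allow_rule(denial):
    """One denial -> one allow rule; same source and target type becomes 'self'."""
    src = context_type(denial["scontext"])
    tgt = context_type(denial["tcontext"])
    return format_rule(src, "self" if src == tgt else tgt, denial["tclass"], denial["perms"])


def denials_to_rules(lines):
    """Merge denials sharing (source, target, class) into a single rule each,
    so a burst of related denials yields one line to review rather than many."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        src = context_type(d["scontext"])
        tgt = context_type(d["tcontext"])
        key = (src, "self" if src == tgt else tgt, d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return [format_rule(*key, perms) for key, perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

Each emitted line is a candidate to review, not a rule to paste in: the attached policy grants the socket permissions through create_socket_perms rather than a bare `create`, and whether hald_t should be allowed a given access at all is a judgement the tool cannot make.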