Russell,
The following changes to udev.te seem needed.... (If udev shouldn't be reading file_contexts, then dontaudit?)
Please correct/improve, tom
--- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 +++ udev.te 2004-08-29 12:40:58.000000000 -0700 @@ -44,7 +44,9 @@
# to read the file_contexts file
allow udev_t { selinux_config_t default_context_t }:dir search;
-allow udev_t default_context_t:file { getattr read };
+allow udev_t { selinux_config_t default_context_t }:file { getattr read };
+allow udev_t file_context_t:dir { search };
+allow udev_t file_context_t:file { getattr read };allow udev_t policy_config_t:dir { search };
allow udev_t proc_t:file { read };
Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London <selinux@xxxxxxxxxxx> wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Please try it out and let me know how it goes.
