Re: hald/hal-hotplug-map


 



Tom London wrote:

hald seems to need to execute /usr/libexec/hal-hotplug-map:

Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file


Does it make sense to label /usr/libexec/hal* as hald_exec_t and add
'can_exec(hald_t, hald_exec_t)' to hald.te?

Or just add
can_exec(hald_t, bin_t)

Also, seems that hald and updfstab need to do their dbus thing,
and hald wants to access printer_device_t.

Suggested patches to hald.te and hald.fc

--- hald.te 2004-08-27 14:37:17.000000000 -0700
+++ /etc/selinux/strict/src.old/policy/domains/program/hald.te 2004-08-28 13:40:57.000000000 -0700
@@ -37,7 +37,12 @@
ifdef(`udev.te', `
domain_auto_trans(hald_t, udev_exec_t, udev_t)
allow udev_t hald_t:unix_dgram_socket sendto;
+allow hald_t updfstab_t:dbus { send_msg };
+allow updfstab_t hald_t:dbus { send_msg };
')


allow hald_t usbdevfs_t:dir search;
allow hald_t usbdevfs_t:file { getattr read };
+
+allow hald_t printer_device_t:chr_file { read write };
+can_exec(hald_t, hald_exec_t)
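
Review bot: The two dbus send_msg rules between hald_t and updfstab_t are added inside the ifdef(`udev.te', ...) block, but neither rule mentions a udev type. As placed, they disappear when udev.te is not part of the policy, and they reference updfstab_t whether or not updfstab.te is present. Consider moving them into their own ifdef(`updfstab.te', ...) block. Separately, the quoted denials only show execute on hal-hotplug-map, so the log evidence for printer_device_t:chr_file { read write } (write in particular) would be worth including with the patch.
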
--- /etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc 2004-08-27 14:37:17.000000000 -0700
+++ hald.fc 2004-08-29 13:36:44.147534409 -0700
@@ -1,2 +1,3 @@
# hald - hardware informationd daemon
/usr/sbin/hald -- system_u:object_r:hald_exec_t
+/usr/libexec/hal-.* -- system_u:object_r:hald_exec_t
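
Review bot: The pattern /usr/libexec/hal-.* gives every present and future file under /usr/libexec whose name starts with hal- the same hald_exec_t label as the daemon binary /usr/sbin/hald, while the denials in the message name only hal-hotplug-map. Listing the helper explicitly, e.g. /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t, keeps the label limited to the file hald was seen executing; widen it only when further helpers show up in the audit log.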



Please correct/improve,
tom

tom
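
Added example, not part of the original message or of the SELinux policy sources: a small Python parser that reduces the two AVC denials quoted in the message to the single raw allow rule they correspond to. That rule is the access the can_exec(hald_t, bin_t) alternative would open for every bin_t file, not only hal-hotplug-map. The function names and SAMPLE_LOG are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the message, each joined onto one line.
SAMPLE_LOG = """\
Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "perms": set(m.group(1).split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name", "?"),
    }

def summarize(log_text):
    """Merge duplicate denials, keyed by (source type, target type, class)."""
    merged = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            entry = merged[(rec["source"], rec["target"], rec["tclass"])]
            entry["perms"] |= rec["perms"]
            entry["names"].add(rec["name"])
    return dict(merged)

def to_rules(summary):
    """Render each merged denial as the raw allow rule it corresponds to."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
        f"  # file(s): {', '.join(sorted(e['names']))}"
        for (s, t, c), e in sorted(summary.items())
    ]

if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE_LOG))))
```

The file names collected next to each rule show how narrow the observed need is compared with the target type the rule would cover.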


