Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 30 Aug 2004 05:32, Tom London <selinux@xxxxxxxxxxx> wrote:
> --- /root/src.package/policy/domains/program/dbusd.te   2004-08-29
> 11:38:27.000000000 -0700
> +++ dbusd.te    2004-08-29 12:19:25.000000000 -0700
> @@ -32,3 +32,7 @@
>
>  # SE-DBus specific permissions
>  allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg
> }; +
> +allow user_t etc_dbusd_t:dir { search };
> +allow user_t etc_dbusd_t:file { getattr read };
> +allow user_t user_t:netlink_selinux_socket { bind create };

One thing to remember is that any time you see user_t in policy it's a local 
customisation or a bug.

In this case it seems to me that one correct way of writing policy for this is 
the following:
allow { dbus_client_domain userdomain } etc_dbusd_t:dir { search };
allow { dbus_client_domain userdomain } etc_dbusd_t:file { getattr read };
allow { dbus_client_domain userdomain } user_t:netlink_selinux_socket { bind 
create };

But then we are granting almost every domain that has any significance in the 
security of the system read access.  So why not just label the files as etc_t 
and remove the etc_dbusd_t type entirely?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux