Hmm. Then should /dev/fd (the link) be unlabeled, defaulting to the general DAC? Or labeled, say, self_fd_t, with a general rule allowing accesses to it? Could do the same for /dev/stdin, /dev/stdout, and /dev/stderr.

tom

On Fri, 17 Sep 2004 09:19:04 -0400, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> On Thu, 2004-09-16 at 21:22, Tom London wrote:
> > Running strict/enforcing, latest from Dan's tree.
> >
> > Printing (say, from openoffice) yields:
> >
> > Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied { read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
> > Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied { read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
> >
> > inode 2794 is /dev/fd.
> >
> > Make sense to add?
> > dontaudit cupsd_t device_t:lnk_file { read };
>
> I'd allow it. /dev/fd is just a symlink to /proc/self/fd, and that
> should be permitted.
>
> --
> Stephen Smalley <sds@xxxxxxxxxxxxxx>
> National Security Agency
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Tom London
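Added example, not part of the thread and not from the SELinux or Fedora projects: a small Python parser that turns AVC denial lines like the ones quoted above into the policy rule under discussion, either the `dontaudit` Tom proposes or the `allow` Stephen suggests. It groups repeated denials by (source type, target type, object class) and merges their permissions, which is the mechanical part of what audit2allow does; the decision between allow and dontaudit stays a human one. The sample log is constructed: the first two lines are the quoted denials, the third is an invented `getattr` denial added only to show permission merging.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-2 are the denials quoted in the thread;
# line 3 is invented (a getattr on the same symlink) to show merging.
SAMPLE_AUDIT = """\
Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied { read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied { read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
Sep 16 18:01:40 fedora kernel: audit(1095382900.001:0): avc: denied { getattr } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t tclass=lnk_file
"""

# Matches "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for an AVC denial
    line, or None if the line is not a denial or lacks the needed fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value tokens after "for"; values in AVC lines carry no spaces
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, set(m.group("perms").split())


def collect_rules(log_text, kind="allow"):
    """Group denials by (source, target, class), merge their permissions and
    return one policy rule string per group, of the requested kind."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return [
        f"{kind} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    # Prints: allow cupsd_t device_t:lnk_file { getattr read };
    for rule in collect_rules(SAMPLE_AUDIT, "allow"):
        print(rule)
```

Run over only the two quoted lines with `kind="dontaudit"` the output is exactly the rule Tom asked about, `dontaudit cupsd_t device_t:lnk_file { read };`; run over all three with the default it yields the merged `allow`. Whichever kind is chosen, the rule is keyed on the target's type (`device_t`), which is why Tom's follow-up question about giving /dev/fd its own label matters: a dedicated type would let the rule name the symlink rather than everything labeled device_t.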