Running latest Rawhide w/Dan's latest stuff:

rhgb fails with:

Sep 23 19:41:43 fedora kernel: audit(1095968474.168:0): avc: denied { search } for pid=1593 exe=/usr/bin/rhgb name=rhgb dev=hda2 ino=280446 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:mnt_t tclass=dir
Sep 23 19:41:43 fedora kernel: audit(1095968474.168:0): avc: denied { search } for pid=1593 exe=/usr/bin/rhgb name=rhgb dev=hda2 ino=280446 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:mnt_t tclass=dir

tom

On Wed, 22 Sep 2004 14:46:42 -0400, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Russell Coker wrote:
>
> >On Sat, 18 Sep 2004 04:35, Tom London <selinux@xxxxxxxxx> wrote:
> >
> >
> >>Need this in rhgb.te:
> >>
> >>--- /etc/selinux/strict/src-1.17.18-1/policy/domains/program/rhgb.te
> >> 2004-09-17 11:32:00.886510890 -0700
> >>+++ ./rhgb.te 2004-09-17 11:33:42.601099238 -0700
> >>@@ -34,7 +34,7 @@
> >> allow insmod_t rhgb_t:fd use;
> >>
> >> allow rhgb_t ramfs_t:filesystem { mount unmount };
> >>-allow rhgb_t root_t:dir { mounton };
> >>+allow rhgb_t { root_t mnt_t }:dir { mounton };
> >> allow rhgb_t rhgb_t:capability { sys_admin };
> >> dontaudit rhgb_t var_run_t:dir { search };
> >>
> >>Otherwise can't mount....
> >>
> >>
> >
> >Does it still need access to mount on type root_t?
> >
> >RHGB doesn't work for me at the moment due to other errors so I can't test.
> >
> >
> >
> No I removed root_t.
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

--
Tom London
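
Review bot: the added line `allow rhgb_t { root_t mnt_t }:dir { mounton };` keeps mounton on root_t while adding mnt_t, which is wider than the stated need. If rhgb now mounts only on the mnt_t directory, drop root_t so the rule reads `allow rhgb_t mnt_t:dir { mounton };`. The rule also grants only mounton, while the denial reported at the top of this message is for search on a dir with tcontext mnt_t, so search on mnt_t:dir likely needs to be allowed for rhgb_t as well, for example `allow rhgb_t mnt_t:dir { search mounton };`.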