On Sun, 26 Sep 2004 04:27, Tom London <selinux@xxxxxxxxx> wrote:
> When haldaemon starts, and typically just after the text 'login:'
> appears but before the graphical stuff takes over, I get:
>
> Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied
> { read write } for pid=3187 exe=/usr/sbin/hald name=lp0 dev=tmpfs
> ino=5073 scontext=system_u:system_r:hald_t
> tcontext=system_u:object_r:printer_device_t tclass=chr_file
>
> referring to /dev/usb/lp0.
>
> Does hald need read/write access to the printer_device?
Does hald need it right now? Probably, but I'm not sure.
Will it need such access in the future to perform the tasks that it is
designed for? Definitely! There is a lot of variation among printer
hardware and hald is the correct program to inform you of what type of
printer you have just connected. I've attached a patch to add the access.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--- /usr/src/se/policy/domains/program/unused/hald.te 2004-09-24 06:31:21.000000000 +1000
+++ domains/program/unused/hald.te 2004-09-26 05:32:06.000000000 +1000
@@ -38,6 +38,7 @@
allow hald_t device_t:lnk_file read;
allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
allow hald_t event_device_t:chr_file { getattr read ioctl };
+allow hald_t printer_device_t:chr_file { getattr read ioctl };
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
