On Sun, 26 Sep 2004 05:54, Tom London <selinux@xxxxxxxxx> wrote:
> Understand and agree about read access, but the AVC
> shows it wanting write access as well.
>
> Your patch allows read/getattr/ioctl, but not write. I can certainly
> imagine a dialog protocol that would require both read and write,
> but I'm not certain if this is in fact used here.
>
> What do you think?

I think we should allow write as well; I've attached a new patch.

If it wanted write access to fixed_disk_device_t or something then we would have to look into it seriously. But write to a printer doesn't seem so important, and it's something that is needed for some status queries. If hald ever goes as far as querying the paper size then it'll definitely need such access.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--- /usr/src/se/policy/domains/program/unused/hald.te 2004-09-24 06:31:21.000000000 +1000 +++ domains/program/unused/hald.te 2004-09-26 05:32:06.000000000 +1000 @@ -38,6 +38,7 @@ allow hald_t device_t:lnk_file read; allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl }; allow hald_t event_device_t:chr_file { getattr read ioctl }; +allow hald_t printer_device_t:chr_file rw_file_perms; ifdef(`updfstab.te', ` domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
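Review bot: the added `allow hald_t printer_device_t:chr_file rw_file_perms;` grants more than the read/getattr/ioctl plus write that the thread discusses, since the example-policy `rw_file_perms` macro also covers lock and append, and it breaks with the style of the adjacent `fixed_disk_device_t`/`event_device_t` lines, which spell out `{ getattr read ioctl }` explicitly. Unless the status queries are known to need append or lock, consider the narrower explicit set, e.g. `allow hald_t printer_device_t:chr_file { getattr read write ioctl };`, so the rule matches what the AVC denial actually asked for and stays consistent with its neighbours; a one-line comment naming the status-query use case would also help the next reader of hald.te.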