On Wed, 22 Dec 2004 12:58:23 -0500, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > Tom London wrote: > > Does this solve the problem? > > diff -u global_macros.te~ global_macros.te > --- global_macros.te~ 2004-12-22 11:18:14.000000000 -0500 > +++ global_macros.te 2004-12-22 12:56:43.883461279 -0500 > @@ -242,7 +242,7 @@ > allow $1_t { self proc_t }:dir r_dir_perms; > allow $1_t { self proc_t }:lnk_file read; > > -allow $1_t device_t:dir { getattr search }; > +r_dir_file($1_t, device_t) > allow $1_t null_device_t:chr_file rw_file_perms; > dontaudit $1_t console_device_t:chr_file rw_file_perms; > dontaudit $1_t unpriv_userdomain:fd use; > > Dan, I'm at work, so I'll test this later. Since the AVCs had read/getattr denials for udev_tdb_t (not device_t), I would think that we would need a fix like this: > +r_dir_file($1_t, { device_t udev_tdb_t }) Am I missing something obvious? tom -- Tom London
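Review bot: the added line r_dir_file($1_t, device_t) does not name udev_tdb_t, the type the reply says the read/getattr AVC denials were against, so as written it would not clear them. It also widens every domain instantiated through $1_t from { getattr search } on device_t directories to the read permissions on directories and files that r_dir_file grants. Suggest keeping the original "allow $1_t device_t:dir { getattr search };" and adding the narrowest rule on udev_tdb_t that covers the logged denials, preferably in the policy of the domains that logged them rather than in global_macros.te, with a comment naming the denial it answers.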