On Wed, 22 Dec 2004 13:52:36 -0500, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>
>
> No but I am :^)  r_dir_file($1_t, udev_tdb_t) is probably sufficient
>

Dan,

Sorry, but that didn't quite work.  Here's what seems to get rhgb and X
running again:

global_macros.te:

allow $1_t { self proc_t }:dir r_dir_perms;
allow $1_t { self proc_t }:lnk_file read;
+allow $1_t { device_t udev_tdb_t }:dir { getattr search };
allow $1_t null_device_t:chr_file rw_file_perms;
dontaudit $1_t console_device_t:chr_file rw_file_perms;
dontaudit $1_t unpriv_userdomain:fd use;

udev.te:

allow udev_t etc_t:file ioctl;
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
+allow xdm_xserver_t udev_tdb_t:dir r_dir_perms;
')

However, I still get lots of AVCs for udev_tdb_t for lvm_t, pam_console_t,
ptal_t, xdm_t, and user_t.

Does it make sense to add it to base_user_domain()?  full_user_role()?
(They already have access to device_t.)  daemon_base_domain()?

[I'm sure I'm making this too complicated, but I'm trying to avoid adding
an 'allow ... udev_tdb_t:dir' to each separate .te file .....]

tom
--
Tom London
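Review bot: the global_macros.te addition `allow $1_t { device_t udev_tdb_t }:dir { getattr search };` sits among the proc_t and null_device_t base rules of the macro, so it is granted to every domain instantiated through that macro rather than only to the domains that produced denials; the change should say that a policy-wide grant is intended, and why `{ getattr search }` was chosen here while the adjacent proc_t rule uses `r_dir_perms`, so the next reader does not "fix" one to match the other.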
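Review bot: in the udev.te hunk, `allow xdm_xserver_t udev_tdb_t:dir r_dir_perms;` grants more than the `{ getattr search }` given to the macro domains in global_macros.te, and it is placed inside udev.te's `ifdef(`xdm.te', ...)` block rather than next to the other xdm_xserver_t rules; if the X server only needs to traverse the directory, `{ getattr search }` would match the macro and keep the two grants consistent, and a one-line comment stating what rhgb/X actually do with udev_tdb_t would justify whichever permission set is kept.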
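The question in the mail is where a rule belongs once the same target type (udev_tdb_t) is being denied to many unrelated source domains. The usual way to answer that is to aggregate the AVC messages by (source type, target type, class) and then look at which targets are shared across sources: a target denied to one daemon belongs in that daemon's .te file, a target denied to every user and daemon domain belongs in a shared macro. The script below is an added example, not code from the thread or from the SELinux policy; it parses the 2004-era `audit(...): avc: denied { perms } ... scontext= tcontext= tclass=` line format, and the sample lines it embeds are constructed for illustration (the type names are the ones the thread mentions, the pids, inodes and executables are made up).

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the original mail). Type names follow
# the thread; pids, inodes, exe paths and timestamps are invented for illustration.
SAMPLE_AVCS = """\
audit(1103743300.101:12): avc:  denied  { search } for  pid=2310 exe=/sbin/lvm name=/ dev=tmpfs ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743300.102:13): avc:  denied  { getattr } for  pid=2310 exe=/sbin/lvm path=/ dev=tmpfs ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743301.005:14): avc:  denied  { search } for  pid=2402 exe=/sbin/pam_console_apply name=/ dev=tmpfs ino=1 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743302.110:15): avc:  denied  { search } for  pid=2511 exe=/usr/sbin/ptal-mlcd name=/ dev=tmpfs ino=1 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743303.220:16): avc:  denied  { getattr search } for  pid=2600 exe=/usr/bin/gdm-binary name=/ dev=tmpfs ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743310.400:17): avc:  denied  { search } for  pid=2702 exe=/bin/bash name=/ dev=tmpfs ino=1 scontext=user_u:user_r:user_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743311.000:18): avc:  denied  { read } for  pid=2702 exe=/bin/ls name=/ dev=tmpfs ino=1 scontext=user_u:user_r:user_t tcontext=system_u:object_r:udev_tdb_t tclass=dir
audit(1103743312.000:19): avc:  denied  { ioctl } for  pid=2800 exe=/sbin/udev path=/etc/udev/udev.conf dev=hda2 ino=4711 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Matches the permission set and the three security fields of a denial line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type SELinux security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; ignore it
        perms = frozenset(m.group("perms").split())
        yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perms


def aggregate(text):
    """Merge all denials into {(source_type, target_type, tclass): set(perms)}."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        needed[(stype, ttype, tclass)] |= perms
    return dict(needed)


def allow_rules(needed):
    """Render one per-domain 'allow' rule per (source, target, class), audit2allow style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def shared_targets(needed, min_sources=2):
    """Targets (target_type, tclass) denied to at least min_sources distinct source domains.

    Returns {(ttype, tclass): (sorted source types, sorted union of perms)}. A target
    that shows up here is the candidate for a shared macro; one that does not belongs
    in the single source domain's own .te file.
    """
    by_target = defaultdict(lambda: (set(), set()))
    for (stype, ttype, tclass), perms in needed.items():
        sources, union = by_target[(ttype, tclass)]
        sources.add(stype)
        union |= perms
    return {
        target: (sorted(sources), sorted(union))
        for target, (sources, union) in by_target.items()
        if len(sources) >= min_sources
    }


if __name__ == "__main__":
    needed = aggregate(SAMPLE_AVCS)
    for rule in allow_rules(needed):
        print(rule)
    for (ttype, tclass), (sources, perms) in shared_targets(needed).items():
        print(f"# {ttype}:{tclass} is needed by {len(sources)} domains "
              f"({', '.join(sources)}) with perms {{ {' '.join(perms)} }}: macro candidate")
```

On the constructed input this prints six per-domain rules, then flags udev_tdb_t:dir as needed by five different domains with the union `{ getattr read search }`, which is exactly the situation where one rule in a shared macro replaces five per-file rules; the udev_t/etc_t:file denial stays a single-domain rule. Note that the union of permissions across domains is an upper bound: if only user_t needs `read`, the macro should carry `{ getattr search }` and user_t gets `read` separately.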