Running strict/enforcing, latest rawhide.

Rebooting after updating to latest policy (selinux-policy-strict-1.19.15-7), noticed the following AVCs:

Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

and

Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

Adding the following seems to fix it:

allow cupsd_config_t self:tcp_socket connect;

Also:

Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 4 times
Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF]

The following change seems to fix:

allow udev_t mnt_t:dir search;

to

allow udev_t mnt_t:dir r_dir_perms;

But I'm not sure why pam_console_apply wants to read /mnt.
Should this be a dontaudit?

tom
--
Tom London
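
Added example, not part of the original post and not the policy project's tooling: a small Python triage script that groups AVC denials like the ones above by source type, target type and class, folds in syslog's "last message repeated" lines, and prints one candidate allow rule per group for review. SAMPLE_LOG is assembled from log lines in the post; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: log lines taken from the post above, one per distinct event.
SAMPLE_LOG = """\
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?exe=(\S+).*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def summarize(log_text):
    """Map (source type, target type, class) -> perms, executables, denial count."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set(), "count": 0})
    last_key = None
    for line in log_text.splitlines():
        avc, rep = AVC_RE.search(line), REPEAT_RE.search(line)
        if avc:
            perms, exe, scon, tcon, tclass = avc.groups()
            # A context is user:role:type[:range]; the type is the third field.
            last_key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            g = groups[last_key]
            g["perms"].update(perms.split())
            g["exes"].add(exe)
            g["count"] += 1
        elif rep and last_key:
            groups[last_key]["count"] += int(rep.group(1))  # syslog-compressed repeats
        else:
            last_key = None  # unrelated line: a later "repeated" is not about an AVC
    return groups

def candidate_rules(groups):
    """Render one candidate allow rule per group, for review rather than direct loading."""
    rules = []
    for (src, tgt, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The per-group executable set and denial count are kept alongside the rule because they are what a reviewer needs when deciding between an allow and a dontaudit for a given denial.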