domains/misc/kernel.te has the following lines:

    # Use capabilities.
    allow kernel_t self:capability *;
    allow kernel_t sysfs_t:dir search;
    allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
    # Run init in the init_t domain.

Search for sysfs_t is in twice.

Also, I'm getting avc's for kernel_t for getattr/read for sysfs_t:

May 22 10:04:32 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { getattr } for path="/sys/class/input/mouse1" dev=sysfs ino=1850 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=dir
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { getattr } for path="/sys/class/input/mouse1/dev" dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { read } for name=dev dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file

Would it be right to replace

    allow kernel_t sysfs_t:dir search;
    allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;

with

    r_dir_file(kernel_t, sysfs_t)
    allow kernel_t { usbfs_t usbdevfs_t }:dir search;

tom
-- 
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
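As an added illustration (not code from the post, nor from the Fedora policy tree), the following script does for the three denials above what audit2allow-style tooling does: it derives the smallest allow rules that clear them, merges in the `dir search` permission kernel.te already grants, and lists what `r_dir_file()` would grant on top of that. The expansion of `r_dir_file()` used here is an assumption about the old macro set; check the policy's own macros/global_macros.te before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials quoted in the post.
AVC_LINES = """\
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { getattr } for path="/sys/class/input/mouse1" dev=sysfs ino=1850 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=dir
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { getattr } for path="/sys/class/input/mouse1/dev" dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { read } for name=dev dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
""".splitlines()

# Pulls the permission set and the source/target *types* (last field of each context).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+:(?P<src>\w+)\s+tcontext=\S+:(?P<tgt>\w+)\s+tclass=(?P<cls>\w+)"
)

# ASSUMED expansion of the old-style r_dir_file(src, tgt) macro
# (r_dir_perms on dir, r_file_perms on file and lnk_file); verify against
# the policy's own global_macros.te.
R_DIR_FILE = {
    "dir": {"read", "getattr", "lock", "search", "ioctl"},
    "file": {"read", "getattr", "lock", "ioctl"},
    "lnk_file": {"read", "getattr", "lock", "ioctl"},
}

def denied_perms(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    needed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # non-AVC lines such as "SELinux: initialized ..." are skipped
            needed[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(needed)

def merged_perms(needed, existing=None):
    """Union the denials with perms already granted -> minimal rule set."""
    merged = defaultdict(set)
    for key, perms in list(needed.items()) + list((existing or {}).items()):
        merged[key].update(perms)
    return dict(merged)

def render(rules):
    """Render a rule set as policy 'allow' statements, sorted for stable diffs."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def macro_surplus(rules, src, tgt, macro=R_DIR_FILE):
    """Per class, the perms r_dir_file(src, tgt) would add beyond `rules`."""
    return {cls: sorted(perms - rules.get((src, tgt, cls), set()))
            for cls, perms in macro.items()}
```

Running `render(merged_perms(denied_perms(AVC_LINES), {("kernel_t", "sysfs_t", "dir"): {"search"}}))` yields two rules, `dir { getattr search }` and `file { getattr read }`, while `macro_surplus` shows the macro would additionally hand out read/lock/ioctl on directories, lock/ioctl on files and full read access to symlinks.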