Re: domains/misc/kernel.te

Tom London wrote:

domains/misc/kernel.te has the following lines:

# Use capabilities.
allow kernel_t self:capability *;

allow kernel_t sysfs_t:dir search;
allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;

# Run init in the init_t domain.

The search for sysfs_t is in there twice.

Also, I'm getting AVCs for kernel_t for getattr/read on sysfs_t:

May 22 10:04:32 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { getattr } for path="/sys/class/input/mouse1" dev=sysfs ino=1850 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=dir
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { getattr } for path="/sys/class/input/mouse1/dev" dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc: denied { read } for name=dev dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file


Would it be right to replace
allow kernel_t sysfs_t:dir search;
allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;

with
r_dir_file(kernel_t, sysfs_t)
allow kernel_t { usbfs_t usbdevfs_t }:dir search;

tom


in selinux-policy-*-1.23.16-7
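Added example, not from Tom's post or the Fedora policy sources: a small Python script in the spirit of audit2allow that parses AVC denial lines like the three above, unions the denied permissions per (source type, target type, object class), and prints the minimal allow rules. It then checks those permissions against what r_dir_file() is assumed to expand to here (the r_dir_perms and r_file_perms sets from the old global_macros.te, embedded in the code as an assumption; verify against your policy's macros), which shows whether the proposed r_dir_file(kernel_t, sysfs_t) replacement covers everything that was denied. The sample log text is constructed from the posted denials, rejoined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials from the post, rejoined onto
# one line each as syslog would have written them.
SAMPLE_AVC = """\
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied  { getattr } for  path="/sys/class/input/mouse1" dev=sysfs ino=1850 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=dir
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied  { getattr } for  path="/sys/class/input/mouse1/dev" dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
May 22 10:04:32 fedora kernel: audit(1116756222.766:0): avc:  denied  { read } for  name=dev dev=sysfs ino=2090 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
"""

# Assumption: what r_dir_file(domain, type) expands to, taken from the old
# r_dir_perms / r_file_perms macro definitions. Check your policy's macros.
R_DIR_PERMS = {"read", "getattr", "lock", "search", "ioctl"}
R_FILE_PERMS = {"read", "getattr", "lock", "ioctl"}

# Matches the permission set, source/target contexts and class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:object_r:sysfs_t -> sysfs_t."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one record per 'avc: denied' line; other lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def aggregate(denials):
    """Union the denied permissions per (source type, target type, class)."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(agg)


def allow_rules(agg):
    """Emit the minimal allow rules, one per (source type, target type, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(agg.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {plist};")
    return rules


def uncovered_by_r_dir_file(agg, domain, ttype):
    """Denied (class, perm) pairs on domain -> ttype that r_dir_file(domain, ttype)
    would not grant, e.g. a write, or a class other than dir/file."""
    granted = {"dir": R_DIR_PERMS, "file": R_FILE_PERMS}
    missing = []
    for (s, t, tclass), perms in sorted(agg.items()):
        if (s, t) != (domain, ttype):
            continue
        for p in sorted(perms - granted.get(tclass, set())):
            missing.append((tclass, p))
    return missing


if __name__ == "__main__":
    agg = aggregate(parse_denials(SAMPLE_AVC))
    for rule in allow_rules(agg):
        print(rule)
    print("not covered by r_dir_file(kernel_t, sysfs_t):",
          uncovered_by_r_dir_file(agg, "kernel_t", "sysfs_t"))
```

For the three posted denials the script emits `allow kernel_t sysfs_t:dir getattr;` and `allow kernel_t sysfs_t:file { getattr read };`, and reports nothing left uncovered by the assumed r_dir_file expansion. A denial outside those sets (a write, or a class such as lnk_file) shows up in the uncovered list instead of being silently swallowed by the macro, which is the check worth running before widening a kernel_t rule.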

-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list