Re: acpid


 



On Fri, 23 Sep 2005, Stephen Smalley wrote:

On Fri, 2005-09-23 at 16:09 -0400, Matthew Saltzman wrote:
Can nobody here help with this (and if not, where could I go for
assistance)?  selinux-policy-targeted-1.27.1-2.1 does not solve the
problem.

It also appears that there is a regression in acpid's ability to write log files. My suspend script writes battery usage stats to /var/log/battery.log. Since the most recent update, access to that file is denied.

Several records like this appear in audit.log:

type=AVC msg=audit(1127578352.719:7582708): avc: denied { append } for pid=3860 comm="thinkpad-T4x-su" name="battery.log" dev=dm-0 ino=910036 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:var_log_t tclass=file



From the audit messages you posted, I would have expected that:
- a new type would have been assigned to /usr/share/hwdata, and apmd_t
would have been allowed to read it.
- tmp_domain(apmd_t) would have been added to enable it to create its
own temporary files under /tmp without disturbing anyone else's
temporary files.

Looking at the latest rawhide targeted policy (1.27.1-5), it looks like
the tmp_domain() has been added, it has been directly allowed to read
usr_t (which I would have preferred not doing) and it has been made
unconfined in targeted policy (which seems overkill).  So I would expect
your scripts to work just fine with that policy, even though I'd still
favor adding a new type for /usr/share/hwdata and not making apmd_t
completely unconfined.



--
		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
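
Reading the denial quoted in the message above, as an added example that is not part of the original thread: this Python sketch parses AVC records and groups them into the candidate `allow` rules they imply, the same kind of summary `audit2allow` produces. The first sample line is the record from the message; the other two are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line 1 is the record quoted in the message; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
type=AVC msg=audit(1127578352.719:7582708): avc: denied { append } for pid=3860 comm="thinkpad-T4x-su" name="battery.log" dev=dm-0 ino=910036 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1127578352.720:7582709): avc: denied { getattr } for pid=3860 comm="thinkpad-T4x-su" name="battery.log" dev=dm-0 ino=910036 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:var_log_t tclass=file
type=SYSCALL msg=audit(1127578352.720:7582709): arch=40000003 syscall=5 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict of fields, or None if not an AVC denial."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = match.group("perms").split()
    return fields


def candidate_rules(log_text):
    """Merge denials by (source type, target type, class) into allow-rule text."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

The emitted rule is a starting point for policy review, not a fix to load as-is: `var_log_t` is the generic label for files under /var/log, so a dedicated type for battery.log would be the narrower grant.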
