I posted the following a few days ago. Some more information:

It seems that all hald wants to do is view the root directory of the mounted filesystem. After downloading, installing, and viewing the policy source files, it seems rather excessive to grant hald permission to search all directories on the mounted volume.

Is the fix to change the policy to simply not audit the attempts of the hald domain to get attributes of all filesystems? Or add a rule to always relabel the root directory of any r/w filesystem to some standard context the hald domain is granted access to?

Finally, there doesn't appear to be a way to convince semanage to accept the '<<none>>' (don't recurse when relabeling) keyword when adding a context. Is this a bug?

Guidance as to what the right thing to do would be appreciated (I don't mind submitting a bug, just as long as I have the right information to place in it). TIA.

> Re: FC5: what context should I use for extra ext3 filesystems?
> Daniel J Walsh wrote:
> >
> > Ok, let's fix hal then. What is it complaining about?
>
> 45# audit2why < /tmp/y
> type=AVC msg=audit(1145036599.405:1110): avc: denied { search } for
> pid=2452 comm="hald" name="export" dev=sdb2 ino=8161
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=dir
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean settings;
> check boolean settings.
> You can see the necessary allow rules by running audit2allow
> with this audit message as input.
>
> <and so on...>
>
> Looks like we need:
>
> 47# audit2allow < /tmp/y
> allow hald_t default_t:dir search;
> 48#
>
> BTW, how does one use semanage to specify that a context not recurse
> to subdirectories? (e.g. <<none>>).

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
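The thread turns on reading one AVC denial and deciding whether the right fix is a broad `allow` rule (what `audit2allow` emits) or a narrower relabel of the one directory involved. The script below is an added example, not code from the thread or from the audit2allow tool: it parses AVC lines in the format quoted above, groups the denied permissions per (source type, target type, class) the way audit2allow does, and flags denials whose target carries the generic fallback type `default_t` (the case in the thread) or `unlabeled_t`, since for those a relabel is usually the narrower fix. The first log line is the one from the thread; the second is constructed to show grouping of several permissions into one rule. Function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the thread (joined
# onto one line as the kernel emits it); line 2 is constructed to show how a
# second denied permission for the same type pair is merged into one rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1145036599.405:1110): avc: denied { search } for pid=2452 comm="hald" name="export" dev=sdb2 ino=8161 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1145036599.406:1111): avc: denied { getattr } for pid=2452 comm="hald" name="/" dev=sdb2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1145036599.405:1110): arch=40000003 syscall=195 success=no exit=-13
"""

# "avc: denied { perm perm } for key=val key="quoted val" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')

# Types that mean "nothing specific was ever assigned to this object"; a denial
# against them usually calls for a relabel rather than a wider policy.
FALLBACK_TYPES = {"default_t", "unlabeled_t"}


def _type_of(context):
    """Return the type field (third component) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC denials."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    return {
        "perms": match.group("perms").split(),
        "fields": fields,
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def is_fallback_label(avc):
    """True when the denied target only carries a generic fallback type."""
    return avc["target_type"] in FALLBACK_TYPES


def collect_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["source_type"], avc["target_type"], avc["tclass"])
        needed[key].update(avc["perms"])
    return needed


def render_allow_rules(lines):
    """Render allow rules in the form audit2allow prints, one per type pair."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(lines).items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def relabel_candidates(lines):
    """Names of objects whose denial hit a fallback type; these are relabel candidates."""
    return sorted({
        avc["fields"].get("name", "?")
        for avc in map(parse_avc, lines)
        if avc is not None and is_fallback_label(avc)
    })


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in render_allow_rules(lines):
        print("would allow:", rule)
    for name in relabel_candidates(lines):
        print("target carries a fallback type; consider relabeling instead:", name)
```

Running it on the thread's denial alone reproduces `allow hald_t default_t:dir search;`, while the relabel check points at the `export` directory as the object that simply never received a specific label. That is the distinction the poster is asking about: widening `hald_t`'s reach over every `default_t` directory versus giving the one mount point a context the existing policy already covers.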