Re: Udev AVC spawning a script

Aurelien Bompard wrote:
Hi,

I comaintain synce (a framework to connect to PocketPC devices) in Fedora,
and since Fedora 7 it does not autoconnect the device when plugged in.

Autoconnection is done by an Udev rule :
# cat /etc/udev/rules.d/60-synce.rules
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="0bb4",
SYSFS{idProduct}=="0a06", SYMLINK+="ipaq",
RUN+="/usr/bin/synce-serial-start"

synce-serial-start is a shell script that sources a
file: /usr/share/synce/synce-serial-common

On F7, I get AVC messages for getattr and read permissions from
synce-serial-start to this file:

type=AVC msg=audit(1180872169.345:3815): avc: denied { getattr } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2
ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file

type=AVC_PATH msg=audit(1180872169.345:3815): path="/usr/share/synce/synce-serial-common"

type=AVC msg=audit(1180872169.345:3816): avc: denied { read } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2
ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file

How should I label /usr/share/synce/synce-serial-common to allow access from
udev_t ?
And in general, how can I view which labels are allowed (and in which way)
for a given type ?

Thanks !

Aurélien
I will update policy to allow this priv (2.6.4-13). I don't think you should relabel the file. Discovering what a domain can do is somewhat difficult. There are tools in setools that allow you to make queries. Like can this domain access this type? And you can probably generate a report of all the types a domain can access.

Also reading the policy is not that difficult.

files_read_usr_files(udev_t)

Adds the privs.
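As an added illustration of the workflow discussed in this thread (not code from either poster or from the selinux-policy project), the script below parses AVC denial records of the kind quoted above and collapses them into the allow rules that would satisfy them, which is essentially what audit2allow does. It assumes the records are on single lines as audit.log stores them (the two denials above are reproduced here as constructed sample input) and that the AVC_PATH record sharing a serial number belongs to the preceding AVC record.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the thread plus the AVC_PATH record,
# each joined onto one line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1180872169.345:3815): avc: denied { getattr } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC_PATH msg=audit(1180872169.345:3815): path="/usr/share/synce/synce-serial-common"
type=AVC msg=audit(1180872169.345:3816): avc: denied { read } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# One denied AVC record: timestamp, serial, permissions, pid/comm, and the
# source/target contexts plus object class that the policy decision is made on.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# Companion record carrying the resolved path, keyed by the same serial number.
PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): path="(?P<path>[^"]*)"'
)


def parse_avc(text):
    """Return one dict per denied AVC record, with 'path' filled in from the
    AVC_PATH record that shares its serial (None when there is no such record)."""
    paths = {}
    records = []
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths[m.group('serial')] = m.group('path')
            continue
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec['perms'] = rec['perms'].split()
            records.append(rec)
    for rec in records:
        rec['path'] = paths.get(rec['serial'])
    return records


def type_of(context):
    """A security context is user:role:type[:range]; the type is the third field."""
    return context.split(':')[2]


def summarize_allow_rules(records):
    """Collapse records into (source type, target type, class) -> permissions and
    render each as an allow statement, the form audit2allow prints."""
    perms = defaultdict(set)
    for rec in records:
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        perms[key] |= set(rec['perms'])
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
        for (src, tgt, cls), p in perms.items()
    )


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AUDIT)
    for rec in recs:
        print(f"{rec['serial']} {rec['comm']} {rec['perms']} -> {rec['path']}")
    for rule in summarize_allow_rules(recs):
        print(rule)
```

For the input above the summary is a single `allow udev_t usr_t:file { getattr read };`, which is the raw rule that the `files_read_usr_files(udev_t)` interface call in the reply expands to (among others) when the policy is rebuilt. Once the updated policy is installed, the setools query tool `sesearch` can confirm the rule is present, for example by searching for allow rules with source `udev_t`, target `usr_t`, class `file` and permission `read`; the exact option spelling differs between setools releases, so check `sesearch --help` on the system in question.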


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
