Re: libgpod HAL callout and SELinux denials

Todd Zullinger wrote:
> Hi,
> 
> I help maintain libgpod upstream and in Fedora.  We install a hal
> callout¹ to handle newer iPods, which make some very useful and
> required information accessible only via a SCSI query of the iPod.
> The callout is meant to make the needed query and store the
> information retrieved (which is an XML file) on the iPod where it
> can subsequently be read by a normal user.
> 
> To do this, the callout mounts the iPod to a temporary location,
> queries the device, saves the XML, and unmounts.  This causes a number
> of denials which I will attach.  I'd like to get some help in
> determining what things need fixed in the callout code and what things
> need policy changes.  If I need to, I can package a policy module in
> libgpod, though having it in the main selinux policy would be
> preferable I think.
> 
> The libgpod callout code is in:
> 
> https://gtkpod.svn.sourceforge.net/svnroot/gtkpod/libgpod/trunk/tools/
> 
> Most of the interesting code is in hal-callout.c, but the other files
> are probably worth a look as well.
> 
> FWIW, the callout currently uses /tmp/ipodXXXXXX (via mkdtemp) as the
> temporary mount point.  I did try moving that to /media to see if that
> worked any better, but AFAICT, it caused the same denials.  Moving the
> temp mount out of /tmp is not a problem (and is probably a good idea
> anyway).
> 
> Any help will be much appreciated.
> 
> ¹ http://people.freedesktop.org/~david/hal-spec/hal-spec.html#device-properties-info-callouts
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Use /var/run/hald instead of /tmp.

And I will add rules to allow this in F10 and F11.  Are you planning on
putting this in F9?  RHEL5.4?
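
The relocation suggested in the reply, as an added example that is not part of the original message or of libgpod: a C helper that creates the callout's temporary mount point with mkdtemp under a base directory that only the caller can write to. `make_mount_dir` and `demo` are hypothetical names; the callout would pass /var/run/hald as the base, and the ownership and mode checks are an assumption about what a hardened callout would verify.

```c
/* Added example, not libgpod code: create the callout's private mount point
 * under a base directory that unprivileged users cannot write to. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates <base>/ipodXXXXXX (mode 0700) and writes its path to out.
 * Returns 0 on success, -1 if base is unsafe or creation fails. */
int make_mount_dir(const char *base, char *out, size_t outlen)
{
    struct stat st;

    /* lstat: a symlinked base could be redirected by another user. */
    if (lstat(base, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    /* Base must belong to the caller and not be group/world-writable. */
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    if (snprintf(out, outlen, "%s/ipodXXXXXX", base) >= (int)outlen)
        return -1;
    if (mkdtemp(out) == NULL)   /* creates the directory with mode 0700 */
        return -1;
    return 0;
}

/* Constructed self-check: a private base is accepted, the same base made
 * world-writable (like /tmp) is refused. Returns 0 if both hold. */
int demo(void)
{
    char base[] = "/tmp/haldbaseXXXXXX", dir[256];
    struct stat st;
    int ok;

    if (mkdtemp(base) == NULL)
        return -1;
    ok = make_mount_dir(base, dir, sizeof dir) == 0
      && stat(dir, &st) == 0 && (st.st_mode & 0777) == 0700;
    if (ok) rmdir(dir);
    chmod(base, 01777);         /* same mode as /tmp */
    ok = ok && make_mount_dir(base, dir, sizeof dir) == -1;
    rmdir(base);
    return ok ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```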

