pipefs AVC
Dominick Grift
domg472 at gmail.com
Sun Aug 29 12:17:15 UTC 2010
On 08/29/2010 01:45 PM, Mr Dash Four wrote:
>
>> its a fifo_file on device pipefs with name/path: pipe:[11951]
>>
>> This type of internal communication is very common. We use the following
>> policy for this:
>>
>> allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;
>>
> Is 'rw_fifo_file_perms' custom-defined somewhere?
>
> All I can see on the fifo_file is { append create execute getattr ioctl
> link lock mounton quotaon read relabelfrom relabelto rename setattr
> swapon unlink write }, of which, 'read' and 'write' are the relevant
> ones. If I do 'allow voip_sandbox_t self:fifo_file { read write }' would
> that be the same thing or am I missing something?
>
http://oss.tresys.com/projects/refpolicy/browser/policy/support/obj_perm_sets.spt
line 241:
define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
Basically a set of common permissions to read and write fifo files. Not
quite the same as just { read write } but not too excessive either.
I always use "macros" where ever possible that will make policy
maintenance much easier.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100829/d01c6502/attachment.bin
More information about the selinux
mailing list