Thanks Russell and Tom. Merged into sourceforge policy using
r_dir_file() for selinux_config_t, file_context_t, and
default_context_t.
Showing only the part changed from Russell's patch:
--- domains/program/unused/udev.te 27 Aug 2004 13:14:05 -0000 1.17
+++ domains/program/unused/udev.te 30 Aug 2004 19:36:44 -0000
@@ -32,19 +31,19 @@
allow udev_t device_t:blk_file create_file_perms;
allow udev_t device_t:chr_file create_file_perms;
allow udev_t device_t:sock_file create_file_perms;
-allow udev_t etc_t:file { getattr read execute };
+allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t etc_t:file { getattr read };
allow udev_t { bin_t sbin_t }:dir r_dir_perms;
allow udev_t { sbin_t bin_t }:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t } )
+allow udev_t bin_t:lnk_file read;
+can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
can_exec(udev_t, udev_exec_t)
-can_exec(udev_t, hostname_exec_t)
-can_exec(udev_t, iptables_exec_t)
r_dir_file(udev_t, sysfs_t)
allow udev_t sysadm_tty_device_t:chr_file { read write };
allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto
create_file_perms };
-# to read the file_contexts file?
-r_dir_file(udev_t, policy_config_t)
+# to read the file_contexts file
+r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
allow udev_t policy_config_t:dir { search };
allow udev_t proc_t:file { read };
On Sun, 2004-08-29 at 15:53, Tom London wrote:
Russell,
The following changes to udev.te seem needed....
(If udev shouldn't be reading file_contexts, then dontaudit?)
Please correct/improve,
tom
--- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700
+++ udev.te 2004-08-29 12:40:58.000000000 -0700
@@ -44,7 +44,9 @@
# to read the file_contexts file
allow udev_t { selinux_config_t default_context_t }:dir search;
-allow udev_t default_context_t:file { getattr read };
+allow udev_t { selinux_config_t default_context_t }:file { getattr read };
+allow udev_t file_context_t:dir { search };
+allow udev_t file_context_t:file { getattr read };
allow udev_t policy_config_t:dir { search };
allow udev_t proc_t:file { read };
Russell Coker wrote:
>On Sun, 29 Aug 2004 04:29, Tom London <selinux(a)comcast.net> wrote:
>
>
>>Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
>>kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
>>now boots in strict/enforcing.
>>
>>
>
>I've attached a diff against the CVS policy as well as the .te and .fc files
>for udev changes which fix this and address some other issues as well.
>
>Please try it out and let me know how it goes.
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo(a)tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
--
James Carter <jwcart2(a)epoch.ncsc.mil>
National Security Agency