On Tue, 23 Nov 2004 15:11:25 +1100, Russell Coker <russell(a)coker.com.au> wrote:
> "head -269956 policy.conf |tail -1" gives the following:
> neverallow { domain -privmem } memory_device_t:{ chr_file blk_file } { read write append };
> The solution is to add the privmem attribute to the declaration of kudzu_t:
> daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')

Thanks, but this seems not to quite get it all:
Nov 23 06:05:21 fedora kernel: audit(1101189873.496:0): avc: denied { execute } for pid=824 path=/dev/zero dev=tmpfs ino=3517 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Nov 23 06:05:21 fedora kernel: audit(1101189873.497:0): avc: denied { execute } for pid=824 path=/dev/zero dev=tmpfs ino=3517 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Is this mmap() again?
tom
--
Tom London
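
Added example, not part of the original message or of the policy sources: a short Python script that parses the two AVC denials quoted in the reply, groups them by source type, target type, class and permission, and renders the allow statement each group corresponds to so it can be reviewed against the policy. The function names (`parse_avc`, `summarize`, `as_te_rule`) are assumptions made for this example.

```python
import re
from collections import Counter

# The two denial records from the message above, each rejoined onto one line.
SAMPLE_LOG = """\
Nov 23 06:05:21 fedora kernel: audit(1101189873.496:0): avc: denied { execute } for pid=824 path=/dev/zero dev=tmpfs ino=3517 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Nov 23 06:05:21 fedora kernel: audit(1101189873.497:0): avc: denied { execute } for pid=824 path=/dev/zero dev=tmpfs ino=3517 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    src = fields["scontext"].split(":")
    tgt = fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context, expected user:role:type
    return {
        "perms": m.group("perms").split(),
        "source_type": src[2],  # type is the third colon-separated field
        "target_type": tgt[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts

def as_te_rule(key):
    """Render a tuple as the allow statement it corresponds to, for review only."""
    src, tgt, cls, perm = key
    return f"allow {src} {tgt}:{cls} {perm};"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n}x  {as_te_rule(key)}")
```

The rendered statement is a description of what was denied, to be checked against the policy's neverallow rules before anything is added.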