On Mon, 30 Aug 2004 07:10, Tom London <selinux(a)comcast.net> wrote:
> Oops.... hald.fc should be
> # hald - hardware information daemon
> /usr/sbin/hald -- system_u:object_r:hald_exec_t
> /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
> Otherwise hal.dev and hal.hotplug get erroneously relabeled.

It's a difficult decision about whether to allow hald_t to execute bin_t or to
label the file as hald_exec_t. At this time I think that labelling it as
hald_exec_t is better as it prevents hald from executing many different
program files.
I've attached a little patch which implements this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
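
Added example, not part of the original messages or of the attached patch: a small checker that applies file-context entries to a list of paths, to show how an over-broad pattern would relabel hal.dev and hal.hotplug while the corrected hald.fc entries do not. The broad pattern, the /usr/libexec location of hal.dev and hal.hotplug, and the function names are assumptions made for illustration; matching is simplified to "whole-path regex, last matching entry wins".

```python
import re

# Subset of the file-type flags that file-context entries use.
FLAGS = {"--": "file", "-d": "dir", "-l": "symlink"}

# Entries as given in the message above.
FIXED = """
# hald - hardware information daemon
/usr/sbin/hald -- system_u:object_r:hald_exec_t
/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
"""

# Constructed over-broad entry (assumption; the earlier hald.fc is not shown).
BROAD = "/usr/libexec/hal.* -- system_u:object_r:hald_exec_t"

# Constructed sample paths (assumption: the hal helpers share /usr/libexec).
PATHS = ["/usr/sbin/hald", "/usr/libexec/hal-hotplug-map",
         "/usr/libexec/hal.dev", "/usr/libexec/hal.hotplug"]

def parse_fc(text):
    """Parse file-context lines into (regex, file_type, context) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        ftype = FLAGS[fields[1]] if len(fields) == 3 else None  # None = any
        entries.append((re.compile(fields[0]), ftype, fields[-1]))
    return entries

def label_for(entries, path, ftype="file"):
    """Context of the last entry whose regex matches the whole path."""
    result = None
    for regex, want, context in entries:
        if want in (None, ftype) and regex.fullmatch(path):
            result = context
    return result

def audit(entries, paths):
    """Map each path to the context these entries would assign (or None)."""
    return {p: label_for(entries, p) for p in paths}

if __name__ == "__main__":
    for name, text in (("broad", BROAD), ("fixed", FIXED)):
        for path, label in audit(parse_fc(text), PATHS).items():
            print(f"{name:5} {path:30} {label or '(no hald.fc match)'}")
```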