On 09/17/2015 04:43 AM, Alec Leamas wrote:
Dear list,
I maintain the lirc package. This is basically a daemon handling IR
remotes, adding some flexibility and functionality to the kernel.
Recently we have moved from a model where the daemon runs as root to
running as a regular user. The test environment has been run with
selinux disabled, so we missed the selinux denials this created. Now,
I need to correct this - but I'm new to selinux and somewhat lost.
Reading the docs I have created a simple-minded patch[1]. Has anyone
time to give it a look and provide some feedback, direct or perhaps
some better links than I have found [2]? The patch does mute the AVC
denial messages, but I guess there are other things to think about (?)
Cheers!
--alec
[1] http://ur1.ca/nt44a
[2] https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
You should just ask the upstream to adopt your policy and not ship it
yourself.
The way you did this will actually break the system, since you used the
same name for your policy as the one that is installed. Your lircd.pp
will replace the existing lircd.pp, causing the update to fail.
It is best to send this snippet to refpolicy(a)oss.tresys.com
1.
+allow lircd_t passwd_file_t:file { read getattr open };
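Review bot: the rule under 1. names passwd_file_t directly from lircd's policy. For an upstream submission, refpolicy style is to reach a type owned by another module through that module's interface instead of referencing the type itself. The permission set (read getattr open on file) is already narrow and can stay as it is.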
2.
+allow lircd_t self:capability { setuid setgid dac_override };
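Review bot: dac_override in the rule under 2. is far broader than setuid and setgid, since it lets lircd_t bypass file permission checks, which works against the move away from running as root. Check which AVC denial prompted it. If the cause is a file the new user cannot access, fixing that file's ownership or mode would let the rule shrink to self:capability { setuid setgid }.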