On Tue, 2006-04-18 at 13:39 -0700, Mike Carney wrote:
> I posted the following a few days ago. Some more information:
> It seems that all hald wants to do is view the root directory of the
> mounted filesystem. After downloading, installing, and viewing the
> policy source files, it seems rather excessive to grant hald
> permission to search all directories on the mounted volume.
> Is the fix to change the policy to simply not audit the attempts
> of the hald domain to get attributes of all filesystems?

No, it should be allowed to get attributes of all filesystems;
otherwise, parts of the desktop will break. Didn't this already come
up?

> Or add a rule to always relabel the root directory of any r/w
> filesystem to some standard context the hald domain is granted
> access to?
> Finally, there doesn't appear to be a way to convince semanage to
> accept the '<<none>>' (don't recurse when relabeling) keyword when
> adding a context. Is this a bug?

There is no recursion inherent in file contexts - it is only if you
specify a regex that has (/.*)? tail that it is applied to all files
under the directory too. <<none>> is if you don't want setfiles to
touch the file label at all (ever).

> Guidance as to what the right thing to do would be appreciated (I
> don't mind submitting a bug, just as long as I have the right
> information to place in it).

--
Stephen Smalley
National Security Agency
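
An added example, not part of the original message and not code from the SELinux tools: a simplified Python model of the file-context matching described in the reply above, showing that only a `(/.*)?` tail extends an entry to files under the directory and that `<<none>>` leaves a label untouched. The paths, the `example_mount_t` type, and the "later entry wins" ordering are assumptions; file-type fields and the real specification ordering are not modelled.

```python
import re

NONE = "<<none>>"
CTX = "system_u:object_r:example_mount_t:s0"  # hypothetical context

# Constructed file_contexts-style entries: "<regex> <context>".
DIR_ONLY = ["/mnt/usb  " + CTX]                        # no tail: directory only
WITH_TAIL = ["/mnt/usb(/.*)?  " + CTX]                 # tail: directory and everything under it
WITH_NONE = WITH_TAIL + ["/mnt/usb/keep(/.*)?  " + NONE]  # subtree left alone


def compile_entries(lines):
    """Parse entries; each regex is matched against the whole path."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, context = line.split()
        entries.append((re.compile(pattern), context))
    return entries


def lookup(entries, path):
    """Return the context a relabel would apply, or None if the label
    is left untouched (no matching entry, or the match is <<none>>)."""
    # Assumption: later entries take precedence over earlier ones.
    for regex, context in reversed(entries):
        if regex.fullmatch(path):  # anchored match, no implicit recursion
            return None if context == NONE else context
    return None


if __name__ == "__main__":
    for name, spec in (("dir only", DIR_ONLY), ("with tail", WITH_TAIL),
                       ("with <<none>>", WITH_NONE)):
        entries = compile_entries(spec)
        for path in ("/mnt/usb", "/mnt/usb/a/b", "/mnt/usb/keep/x"):
            print(f"{name:14} {path:18} -> {lookup(entries, path)}")
```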