hald seems to need to execute /usr/libexec/hal-hotplug-map:
Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Does it make sense to label /usr/libexec/hal* as hald_exec_t and add 'can_exec(hald_t, hald_exec_t)' to hald.te ?
Also, seems that hald and updfstab need to do their dbus thing, and hald wants to access printer_device_t.
Suggested patches to hald.te and hald.fc
--- hald.te 2004-08-27 14:37:17.000000000 -0700 +++ /etc/selinux/strict/src.old/policy/domains/program/hald.te 2004-08-28 13:40:57.000000000 -0700 @@ -37,7 +37,12 @@ ifdef(`udev.te', ` domain_auto_trans(hald_t, udev_exec_t, udev_t) allow udev_t hald_t:unix_dgram_socket sendto; +allow hald_t updfstab_t:dbus { send_msg }; +allow updfstab_t hald_t:dbus { send_msg }; ')
allow hald_t usbdevfs_t:dir search; allow hald_t usbdevfs_t:file { getattr read }; + +allow hald_t printer_device_t:chr_file { read write }; +can_exec(hald_t, hald_exec_t) --- /etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc 2004-08-27 14:37:17.000000000 -0700 +++ hald.fc 2004-08-29 13:36:44.147534409 -0700 @@ -1,2 +1,3 @@ # hald - hardware informationd daemon /usr/sbin/hald -- system_u:object_r:hald_exec_t +/usr/libexec/hal-.* -- system_u:object_r:hald_exec_t
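Review bot: in the hald.te hunk the two new dbus send_msg rules sit inside the ifdef(`udev.te', ...) block, so they are only compiled in when udev.te is part of the policy build, although the hald/updfstab exchange has nothing to do with udev; move them out of that block and guard them with their own ifdef(`updfstab.te', ...) so the policy still builds when updfstab_t is not defined. The printer_device_t rule grants write as well as read, and the denial that motivated it is not quoted in this message, so it is worth confirming from the audit log that write is actually requested before granting it. can_exec(hald_t, hald_exec_t) is the narrower of the two options raised in the message, since hald_t gains execute only on files carrying its own entry-point type rather than on everything labelled bin_t.

Review bot: in the hald.fc hunk the pattern `/usr/libexec/hal-.*` is a regular expression, so it labels every file under /usr/libexec whose name starts with `hal-` as hald_exec_t, not only the helper named in the denial, and hald_exec_t is also the entry-point type of the hald_t domain. An exact entry for the one helper, `/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t`, keeps the relabel to the file the denial is about, which is what the follow-up later in this thread settles on.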
Please correct/improve,
tom
Oops.... hald.fc should be:
# hald - hardware informationd daemon
/usr/sbin/hald -- system_u:object_r:hald_exec_t
/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
Otherwise hal.dev and hal.hotplug get erroneously relabeled.
Sorry, tom
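To make concrete what the quoted denial encodes and why the two fixes differ in scope, here is an added Python example (not code from this thread or from the SELinux tools) that parses the AVC record, emits the literal allow rule beside the narrower can_exec alternative, and checks how a file_contexts pattern is matched; the second helper path it tests is a constructed name, and the anchored-regex matching mirrors how setfiles applies file_contexts entries.

```python
import re

# Constructed copy of the first denial record quoted in the thread (same fields).
AVC_LINE = ("Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied "
            "{ execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map "
            "dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t "
            "tcontext=system_u:object_r:bin_t tclass=file")

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Pull permissions, source/target types and object class out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"perms": m.group("perms").split(),
            "stype": fields["scontext"].split(":")[2],   # user:role:type -> type
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "name": fields.get("name")}

def allow_rule(d):
    """The literal rule that silences the denial (what audit2allow would print)."""
    return "allow %s %s:%s { %s };" % (d["stype"], d["ttype"], d["tclass"],
                                       " ".join(d["perms"]))

def narrower_rule(d, exec_type):
    """For an execute denial on a shared type such as bin_t: relabel the one helper
    to the domain's own exec type and allow execution of that type only."""
    if "execute" not in d["perms"] or d["tclass"] != "file":
        return None
    return "can_exec(%s, %s)" % (d["stype"], exec_type)

def fc_matches(pattern, path):
    """file_contexts patterns are regexes anchored at both ends when setfiles applies them."""
    return re.fullmatch(pattern, path) is not None

if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print("broad  :", allow_rule(d))                    # every bin_t file becomes executable
    print("narrow :", narrower_rule(d, "hald_exec_t"))  # only files labelled hald_exec_t
    # The second name is constructed, to show the regex entry catches more than one file.
    for path in ("/usr/libexec/hal-hotplug-map", "/usr/libexec/hal-other-helper"):
        print(path, "hal-.*:", fc_matches(r"/usr/libexec/hal-.*", path),
              "exact:", fc_matches(r"/usr/libexec/hal-hotplug-map", path))
```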
Tom London wrote:
/etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc 2004-08-27 14:37:17.000000000 -0700 +++ hald.fc 2004-08-29 13:36:44.147534409 -0700 @@ -1,2 +1,3 @@ # hald - hardware informationd daemon /usr/sbin/hald -- system_u:object_r:hald_exec_t +/usr/libexec/hal-.* -- system_u:object_r:hald_exec_t
Please correct/improve,
tom
On Mon, 30 Aug 2004 07:10, Tom London selinux@comcast.net wrote:
Oops.... hald.fc should be:
# hald - hardware informationd daemon
/usr/sbin/hald -- system_u:object_r:hald_exec_t
/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
Otherwise hal.dev and hal.hotplug get erroneously relabeled.
It's a difficult decision about whether to allow hald_t to execute bin_t or to label the file as hald_exec_t. At this time I think that labelling it as hald_exec_t is better as it prevents hald from executing many different program files.
I've attached a little patch which implements this.
Tom London wrote:
hald seems to need to execute /usr/libexec/hal-hotplug-map:
Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc: denied { execute } for pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Does it make sense to label /usr/libexec/hal* as hald_exec_t and add 'can_exec(hald_t, hald_exec_t)' to hald.te ?
Or just add can_exec(hald_t, bin_t)
Also, seems that hald and updfstab need to do their dbus thing, and hald wants to access printer_device_t.
Suggested patches to hald.te and hald.fc
--- hald.te 2004-08-27 14:37:17.000000000 -0700 +++ /etc/selinux/strict/src.old/policy/domains/program/hald.te 2004-08-28 13:40:57.000000000 -0700 @@ -37,7 +37,12 @@ ifdef(`udev.te', ` domain_auto_trans(hald_t, udev_exec_t, udev_t) allow udev_t hald_t:unix_dgram_socket sendto; +allow hald_t updfstab_t:dbus { send_msg }; +allow updfstab_t hald_t:dbus { send_msg }; ')
allow hald_t usbdevfs_t:dir search; allow hald_t usbdevfs_t:file { getattr read };
+allow hald_t printer_device_t:chr_file { read write };
+can_exec(hald_t, hald_exec_t)
/etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc 2004-08-27 14:37:17.000000000 -0700 +++ hald.fc 2004-08-29 13:36:44.147534409 -0700 @@ -1,2 +1,3 @@ # hald - hardware informationd daemon /usr/sbin/hald -- system_u:object_r:hald_exec_t +/usr/libexec/hal-.* -- system_u:object_r:hald_exec_t
Please correct/improve,
tom
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list