On Saturday 25 December 2004 07:00, Tom London <selinux(a)gmail.com> wrote:
> Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied
> { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin
> scontext=system_u:system_r:cupsd_config_t
> tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
>
> can_network_server_tcp(cupsd_config_t)

It looks like we need to change the above to the below:
can_network_tcp(cupsd_config_t)
Also I suggest the change in the attached file net.diff to remove redundancy
in the policy.conf file.
> Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied
> { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2
> ino=1114113 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:mnt_t tclass=dir

The attached patch udev.diff (which I sent to the SE Linux mailing list at
about the same time as your message was posted) should fix this.
> The following change seems to fix:
> allow udev_t mnt_t:dir search;
> to
> allow udev_t mnt_t:dir r_dir_perms;
>
> But I'm not sure why pam_console_apply wants
> to read /mnt. Should this be a dontaudit?

We could have done that. But I think that pam_console_apply should run in
domain pam_console_t when launched by udev.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
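As an added illustration (not part of the thread, and not the policy patches Russell attached), the following script does by hand what one would do when reading denials like the two above: it parses the avc lines, reduces the security contexts to their types, merges denials into candidate allow rules, and prints the review hint that each of the two replies makes (a server-only network macro never grants connect; a helper run from another domain may want its own domain rather than a wider allow). The two log lines are copied from the mail and re-joined; `AVC_RE`, `parse_avc`, `allow_rules` and `review_hint` are names chosen here.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in the thread, each re-joined onto one line.
AVC_LINES = [
    "Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied "
    "{ connect } for pid=2679 exe=/usr/sbin/hal_lpadmin "
    "scontext=system_u:system_r:cupsd_config_t "
    "tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket",
    "Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied "
    "{ read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 "
    "ino=1114113 scontext=system_u:system_r:udev_t "
    "tcontext=system_u:object_r:mnt_t tclass=dir",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return perms, source/target types and object class of one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("rest")))
    # A context is user:role:type[:range]; policy rules are written on the type.
    return {
        "perms": m.group("perms").split(),
        "exe": f.get("exe"),
        "stype": f["scontext"].split(":")[2],
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
    }


def allow_rules(lines):
    """Merge denials sharing source, target and class into one allow rule each."""
    perms = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def review_hint(denial):
    """The design question to ask before pasting the generated allow into policy."""
    if denial["tclass"] == "tcp_socket" and "connect" in denial["perms"]:
        return "client-side TCP: a server-only macro such as can_network_server_tcp() never grants connect"
    return f"{denial['exe']} ran in {denial['stype']}: consider a domain transition instead of widening it"


if __name__ == "__main__":
    for rule, line in zip(allow_rules(AVC_LINES), AVC_LINES):
        print(rule, "#", review_hint(parse_avc(line)))
```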