hald/hal-hotplug-map

Daniel J Walsh dwalsh at redhat.com
Mon Aug 30 18:22:07 UTC 2004


Tom London wrote:

> hald seems to need to execute /usr/libexec/hal-hotplug-map:
>
> Aug 29 12:45:46 fedora kernel: audit(1093808744.270:0): avc:  denied  { execute } for  pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
> Aug 29 12:45:46 fedora kernel: audit(1093808744.284:0): avc:  denied  { execute } for  pid=3436 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=4123436 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
>
> Does it make sense to label /usr/libexec/hal* as hald_exec_t and add
> 'canexec(hald_t, hald_exec_t)' to hald.te ?
>
Or just add
can_exec(hald_t, bin_t)

> Also, seems that hald and updfstab need to do their dbus thing,
> and hald wants to access printer_device_t.
>
> Suggested patches to hald.te and hald.fc
>
> --- hald.te     2004-08-27 14:37:17.000000000 -0700
> +++ /etc/selinux/strict/src.old/policy/domains/program/hald.te  
> 2004-08-28 13:40:57.000000000 -0700
> @@ -37,7 +37,12 @@
> ifdef(`udev.te', `
> domain_auto_trans(hald_t, udev_exec_t, udev_t)
> allow udev_t hald_t:unix_dgram_socket sendto;
> +allow hald_t updfstab_t:dbus { send_msg };
> +allow updfstab_t hald_t:dbus { send_msg };
> ')
>
> allow hald_t usbdevfs_t:dir search;
> allow hald_t usbdevfs_t:file { getattr read };
> +
> +allow hald_t printer_device_t:chr_file { read write };
> +can_exec(hald_t, hald_exec_t)
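
Review bot: The two dbus send_msg rules naming updfstab_t are added inside the ifdef(`udev.te', ...) block, so they are switched on and off with udev.te rather than with whichever policy file defines updfstab_t (presumably updfstab.te). Suggest moving them into their own ifdef keyed on that file, so a policy built with udev.te but without updfstab does not reference a type it lacks. At the end of the hunk, the printer_device_t:chr_file { read write } rule has no matching denial quoted in this message; including the AVC line or a short comment on why hald needs write access to printer devices would make it easier to judge.
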
> --- 
> /etc/selinux/strict/src.old/policy/domains/program/../../file_contexts/program/hald.fc      
> 2004-08-27 14:37:17.000000000 -0700
> +++ hald.fc     2004-08-29 13:36:44.147534409 -0700
> @@ -1,2 +1,3 @@
> # hald - hardware informationd daemon
> /usr/sbin/hald         --      system_u:object_r:hald_exec_t
> +/usr/libexec/hal-.*    --      system_u:object_r:hald_exec_t
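
Review bot: The added hald.fc pattern /usr/libexec/hal-.* gives every hal- prefixed file under /usr/libexec the same hald_exec_t type as /usr/sbin/hald, while the only denial quoted in this message is for hal-hotplug-map. If the goal is just to let hald run that helper, an explicit entry for /usr/libexec/hal-hotplug-map keeps the label narrower; if the wildcard is intended, a comment saying so would help. Also, the two file headers in this patch put the src.old path on opposite sides (the +++ side for hald.te, the --- side for hald.fc), so the patch will not apply cleanly from one directory as posted.
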
>
>
> Please correct/improve,
>   tom