hpoj?

Russell Coker russell at coker.com.au
Tue Jul 20 04:53:09 UTC 2004


On Tue, 20 Jul 2004 03:15, Tom London <selinux at comcast.net> wrote:
> Audit2allow on permissive avc's yield:
> allow ptal_t etc_runtime_t:file { getattr };
> allow ptal_t etc_t:file { read };

For file access whenever read access is requested you should allow getattr.  
For a file type such as etc_runtime_t which contains nothing secret if you allow 
getattr you should allow read.  So I added the following to my tree:

allow ptal_t { etc_t etc_runtime_t }:file { getattr read };

> allow ptal_t staff_home_dir_t:dir { search };

What does ptal do?  Why does it need such access?

> allow ptal_t usbdevfs_t:dir { getattr read };

Again, what is it trying to do here?  I've never used ptal so I don't know 
what we should be permitting it to do.

> allow ptal_t var_run_t:fifo_file { create read setattr };
> allow ptal_t var_run_t:sock_file { create setattr };

For the sock_file and the fifo_file in question you didn't provide enough 
information to determine which directory they are in.  Please repeat the 
tests and use "find /var/run -inum ..." to find the full path.

If they are under /var/run/ptal-printd or /var/run/ptal-mlcd then they should 
have the correct type and there should not be any problem (in which case 
there is some strange mis-labelling issue).  If they are not under those 
directories then I will need to know the directories that they are in to 
write the correct policy.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
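Two small helpers for the workflow described in the message above, added here as an example; they are not part of the original post or of Russell's policy tree. The first turns the ino= field of an AVC denial on a fifo_file or sock_file into the "find <dir> -inum N" command he asks for. The second applies his rule of thumb to audit2allow output: add getattr wherever read is granted on a file, and for types passed in as containing nothing secret (etc_t and etc_runtime_t here), add read wherever getattr is granted. The AVC lines, the rule lines, the inode numbers and the exact AVC field layout are all constructed for this example and are not taken from Tom's logs.

```sh
#!/bin/sh
# Added example (not from the original message). Constructed sample input:
# two AVC denials in the kernel-log style of the time (field layout assumed).
SAMPLE_AVC='avc:  denied  { create } for  pid=2231 exe=/usr/sbin/ptal-printd name=printd-hpjd dev=hda3 ino=45123 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
avc:  denied  { read } for  pid=2231 exe=/usr/sbin/ptal-printd name=ld.so.cache dev=hda3 ino=8204 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_t tclass=file'

# Constructed audit2allow-style output, in the form quoted in the thread.
SAMPLE_RULES='allow ptal_t etc_runtime_t:file { getattr };
allow ptal_t etc_t:file { read };
allow ptal_t staff_home_dir_t:dir { search };'

# avc_inode_lookup <search-root>
# Reads AVC lines on stdin; for every denial on a fifo_file or sock_file
# prints the find command that resolves the inode to a full path.
avc_inode_lookup() {
    root="$1"
    awk -v root="$root" '
        /avc: +denied/ {
            ino = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ino=/)    { ino = substr($i, 5) }     # strip "ino="
                if ($i ~ /^tclass=/) { tclass = substr($i, 8) }  # strip "tclass="
            }
            if (ino != "" && (tclass == "sock_file" || tclass == "fifo_file"))
                printf "find %s -inum %s\n", root, ino
        }'
}

# add_getattr_for_read "<space-separated non-secret types>"
# Reads "allow ..." rules on stdin. For :file rules: if read is granted,
# also grant getattr; if the target type is in the non-secret list and
# getattr is granted, also grant read. Other classes pass through untouched.
add_getattr_for_read() {
    awk -v nonsecret="${1:-}" '
        BEGIN {
            n = split(nonsecret, arr, " ")
            for (i = 1; i <= n; i++) ns[arr[i]] = 1
        }
        /^allow / && /:file \{/ {
            split($3, tc, ":")               # "etc_t:file" -> tc[1] = "etc_t"
            if (/ read / && !/ getattr /) sub(/\{ /, "{ getattr ")
            if ((tc[1] in ns) && / getattr / && !/ read /) sub(/ \}/, " read }")
        }
        { print }'
}

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_AVC" | avc_inode_lookup /var/run
printf '%s\n' "$SAMPLE_RULES" | add_getattr_for_read "etc_t etc_runtime_t"
```

The inode lookup only makes sense on the same filesystem the denial came from (the dev= field says which), and the rewritten rules are still per-type; collapsing them into one "{ etc_t etc_runtime_t }" rule as Russell did is a hand step after checking the result.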


