From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: Re: [Fwd: Latest Diff] From: Ivan Gyurdiev Reply-To: ivg2@cornell.edu To: Daniel J Walsh Cc: SELinux In-Reply-To: <427A757F.9040009@redhat.com> References: <427A757F.9040009@redhat.com> Content-Type: text/plain Date: Thu, 05 May 2005 17:44:25 -0400 Message-Id: <1115329465.13097.23.camel@localhost.localdomain> Mime-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov > > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te > > --- nsapolicy/domains/program/restorecon.te 2005-04-27 10:28:49.000000000 -0400 > > +++ policy-1.23.14/domains/program/restorecon.te 2005-05-05 15:11:06.000000000 -0400 > > @@ -20,7 +20,7 @@ > > role secadm_r types restorecon_t; > > > > allow restorecon_t initrc_devpts_t:chr_file { read write ioctl }; > > -allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl }; > > +allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl }; Perhaps (?): allow restorecon_t tty_device_t:chr_file { read write ioctl}; access_terminal(restorecon_t, $2) access_terminal(restorecon_t, initrc) > > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te > > --- nsapolicy/domains/program/unused/auditd.te 2005-05-02 14:06:54.000000000 -0400 > > +++ policy-1.23.14/domains/program/unused/auditd.te 2005-05-02 14:57:26.000000000 -0400 
> > @@ -56,3 +56,4 @@ > > allow auditctl_t sysctl_kernel_t:file read; > > allow auditd_t self:process setsched; > > dontaudit auditctl_t init_t:fd use; > > +allow auditctl_t initrc_devpts_t:chr_file { read write }; Perhaps (?): access_terminal(auditctl_t, initrc) > > allow consoletype_t crond_t:fifo_file { read getattr ioctl }; > > diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te > > --- nsapolicy/domains/program/unused/cups.te 2005-05-02 14:06:54.000000000 -0400 > > +++ policy-1.23.14/domains/program/unused/cups.te 2005-05-02 14:57:26.000000000 -0400 > > @@ -22,6 +22,7 @@ > > logdir_domain(cupsd) > > > > tmp_domain(cupsd) > > +file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file) tmp_domain(cupsd, `', { file dir fifo_file }) > > @@ -47,6 +47,7 @@ > > allow hald_t printer_device_t:chr_file rw_file_perms; > > allow hald_t urandom_device_t:chr_file read; > > allow hald_t mouse_device_t:chr_file r_file_perms; > > +allow hald_t memory_device_t:chr_file r_file_perms; ?? That no longer triggers an assertion violation? I specifically had to allow it in the assertion list when it was necessary for dmidecode. Why is it still necessary? > > diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te > > --- nsapolicy/macros/program/games_domain.te 2005-04-27 10:28:54.000000000 -0400 > > +++ policy-1.23.14/macros/program/games_domain.te 2005-05-05 15:10:05.000000000 -0400 
> > @@ -17,11 +17,14 @@ > > if (! disable_games_trans) { > > domain_auto_trans($1_t, games_exec_t, $1_games_t) > > } > > +can_exec($1_games_t, games_exec_t) It needs to re-execute itself?? =============== Question: Is it better to create orbit-$USER in a startup script, or to include selinux support in libORBit2 in order to properly set the context of /tmp/orbit-$USER to ROLE_orbit_tmp_t when it's created? -- Ivan Gyurdiev Cornell University -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
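Review bot: in the restorecon.te hunk (@@ -20,7 +20,7 @@), adding devtty_t by hand to `allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };` grows an enumerated list of terminal types in a domain file instead of going through the access_terminal() macro the reply already suggests; the macro keeps the set of terminal types and permissions in one place, so later additions do not have to be patched into every domain that touches a tty. The hunk also carries no comment on which restorecon invocation path opens /dev/tty, which is what a reader of the .te needs to judge whether ioctl on devtty_t is required or just read/write.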
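Review bot: in the auditd.te hunk (@@ -56,3 +56,4 @@), `allow auditctl_t initrc_devpts_t:chr_file { read write };` grants the same kind of terminal access that the restorecon hunk in this patch grants with ioctl included, so the two hunks are inconsistent about what terminal access looks like; using `access_terminal(auditctl_t, initrc)` as the reply suggests would make both uniform. Separately, the line `allow consoletype_t crond_t:fifo_file { read getattr ioctl };` that follows this hunk has no diff header or @@ marker in front of it, so the file it belongs to and whether it is an added line or context cannot be told from the quoted patch; please resend that part with its header.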
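Review bot: in the cups.te hunk (@@ -22,6 +22,7 @@), `file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)` is added right after `tmp_domain(cupsd)`, so cupsd_tmp_t now gets its transition rules from two places: the macro for file and dir, and a hand-written rule for fifo_file. The reply's form `tmp_domain(cupsd, `', { file dir fifo_file })` expresses the same intent through the macro's class argument, which avoids a second rule set for the same type that can drift from what tmp_domain grants.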
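Review bot: the hunk `@@ -47,6 +47,7 @@` adding `allow hald_t memory_device_t:chr_file r_file_perms;` appears under the cups.te diff header but its lines are hald_t rules, so the header for the hald domain file was dropped from the quote and the hunk cannot be placed in its file. On the content: read access to memory_device_t is a grant that the existing assertion list had to be explicitly relaxed for, as the reply recalls, yet the hunk neither shows a matching change to that assertion exception nor carries a comment saying which hald code path (the dmidecode case mentioned in the reply, or another) still needs it; please add the justification in the .te next to the rule, or drop the rule if dmidecode is no longer run from hald_t.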
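Review bot: in the games_domain.te hunk (@@ -17,11 +17,14 @@), `can_exec($1_games_t, games_exec_t)` lets every $1_games_t domain execute any games_exec_t binary without a domain transition, which also covers a game re-executing itself, as the reply asks about. Since this sits in a macro it applies to every user role that instantiates it, so the hunk needs a comment stating which game requires exec-in-domain and whether a single binary would be enough, rather than widening it for all of games_exec_t by default.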