* for bootsplash to operate correctly...
@ 2004-09-08 22:41 Luke Kenneth Casson Leighton
From: Luke Kenneth Casson Leighton @ 2004-09-08 22:41 UTC (permalink / raw)
To: SE-Linux
... i hacked in the three following permissions:
# this is to allow splash to write to /proc/splash
allow initrc_t proc_t:file { write };
# this is for /sbin/fbresolution to write to /dev/fb0
allow initrc_t framebuf_device_t:chr_file { write };
# this is for fbmngplay to do err... *clueless*
allow initrc_t self:capability { sys_admin };
i look forward to one day writing a policy for the bootsplash
package :)
l.
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: for bootsplash to operate correctly...
From: Chris PeBenito @ 2004-09-09 3:01 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Wed, 2004-09-08 at 18:41, Luke Kenneth Casson Leighton wrote:
> ... i hacked in the three following permissions:
>
> # this is to allow splash to write to /proc/splash
> allow initrc_t proc_t:file { write };
> # this is for fbmngplay to do err... *clueless*
> allow initrc_t self:capability { sys_admin };
>
> i look forward to one day writing a policy for the bootsplash
> package :)
>
I threw together a bootsplash policy several months ago to get the
Gentoo LiveCD going. I always forget about it since I only use
bootsplash on the LiveCD. I didn't encounter that sys_admin capability
that you have, but it might be a result of the bootsplash settings. We
probably should label /proc/splash differently, now that I think about
it.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
Attachment: bootsplash.fc
/sbin/fbresolution -- system_u:object_r:bootsplash_exec_t
/sbin/fbtruetype.static -- system_u:object_r:bootsplash_exec_t
Attachment: bootsplash.te
#DESC bootsplash - Bootsplash screen
#
# Author: Chris PeBenito <pebenito@gentoo.org>
#
# Domain for the bootsplash helpers and the type their executables carry.
type bootsplash_t, domain;
type bootsplash_exec_t, file_type, exec_type;
role system_r types bootsplash_t;
uses_shlib(bootsplash_t)
# Entered automatically when initrc_t executes a bootsplash_exec_t file.
domain_auto_trans(initrc_t, bootsplash_exec_t, bootsplash_t)
allow bootsplash_t init_t:fd use;
# /proc/splash is still labelled proc_t, so the init scripts write to it directly.
allow initrc_t proc_t:file write;
# Framebuffer, console and tty access for the confined domain.
allow bootsplash_t framebuf_device_t:chr_file { read write ioctl };
allow bootsplash_t console_device_t:chr_file { read write };
allow bootsplash_t tty_device_t:chr_file { read write };
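The rules Luke hacked into initrc_t and the confined bootsplash_t domain in Chris's attachment are two ways of answering the same AVC denials. The script below is an added example, not code from either message and not part of the SELinux tool set (it is a deliberately small stand-in for what audit2allow does): it parses kernel "avc: denied" lines into allow rules and then flags the two rules a reviewer would push back on, a write into a generic type such as proc_t (the reason to give /proc/splash its own label) and a broad capability such as sys_admin. The three AVC lines, the pids, inodes and comm values are constructed to match the thread, not taken from a real log; the GENERIC_TYPES and BROAD_CAPS sets are this example's own heuristics.

```python
"""Derive SELinux allow rules from AVC denial lines and flag the broad ones.

Added example for the bootsplash thread; not audit2allow and not the
policy in the messages above. The denial lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample denials shaped like the kernel's "avc: denied" audit format.
SAMPLE_AVC = """\
audit(1094683200.123:45): avc:  denied  { write } for  pid=1234 comm="splash" name="splash" dev=proc ino=4026531971 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_t tclass=file
audit(1094683200.456:46): avc:  denied  { write } for  pid=1235 comm="fbresolution" name="fb0" dev=tmpfs ino=1234 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file
audit(1094683200.789:47): avc:  denied  { sys_admin } for  pid=1236 comm="fbmngplay" capability=21 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=capability
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """user:role:type[:mls] -> type."""
    return context.split(':')[2]


def parse_avc(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        perms = frozenset(m.group('perms').split())
        denials.append((type_of(m.group('scontext')),
                        type_of(m.group('tcontext')),
                        m.group('tclass'), perms))
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class).

    A denial whose source and target types are equal becomes a 'self' rule,
    which is how capability denials appear.
    """
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        key = (stype, 'self' if stype == ttype else ttype, tclass)
        merged[key] |= perms
    return [f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (stype, ttype, tclass), perms in sorted(merged.items())]


# Heuristics for this example only: generic file types where a write rule
# covers far more than the one object needed, and capabilities close to root.
GENERIC_TYPES = {'proc_t', 'sysfs_t', 'device_t', 'tmp_t', 'etc_t'}
BROAD_CAPS = {'sys_admin', 'sys_module', 'sys_rawio', 'dac_override'}


def review(denials):
    """Return a warning string for each denial whose allow rule should be narrowed."""
    warnings = []
    for stype, ttype, tclass, perms in denials:
        if ttype in GENERIC_TYPES and perms & {'write', 'append', 'create', 'unlink'}:
            warnings.append(
                f"{stype} -> {ttype}:{tclass} {sorted(perms)}: label the specific "
                f"object with its own type instead of opening all of {ttype}")
        if tclass == 'capability' and perms & BROAD_CAPS:
            warnings.append(
                f"{stype} self:capability {sorted(perms)}: near-root capability; "
                f"run the program in its own domain and find the syscall that needs it")
    return warnings


if __name__ == '__main__':
    found = parse_avc(SAMPLE_AVC)
    print('\n'.join(allow_rules(found)))
    print('\n'.join(review(found)))
```

On the sample input the generated rules are exactly the three Luke posted; the review step singles out the proc_t write and the sys_admin capability, which is the same conclusion Chris reaches by moving the helpers into bootsplash_t and proposing a separate label for /proc/splash. For real work, run audit2allow on the actual audit log and read its output with the same two questions in mind.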
* Re: for bootsplash to operate correctly...
From: Luke Kenneth Casson Leighton @ 2004-09-09 9:57 UTC (permalink / raw)
To: Chris PeBenito; +Cc: SE-Linux
On Wed, Sep 08, 2004 at 11:01:11PM -0400, Chris PeBenito wrote:
> On Wed, 2004-09-08 at 18:41, Luke Kenneth Casson Leighton wrote:
> > ... i hacked in the three following permissions:
> >
> > # this is to allow splash to write to /proc/splash
> > allow initrc_t proc_t:file { write };
>
> > # this is for fbmngplay to do err... *clueless*
> > allow initrc_t self:capability { sys_admin };
> >
> > i look forward to one day writing a policy for the bootsplash
> > package :)
> >
>
> I threw together a bootsplash policy several months ago to get the
> Gentoo LiveCD going. I always forget about it since I only use
> bootsplash on the LiveCD. I didn't encounter that sys_admin capability
> that you have, but it might be a result of the bootsplash settings. We
> probably should label /proc/splash differently, now that I think about
> it.
fbmngplay is the "animations" program.
[change of topic]
i had to disable that for other reasons: because it is running,
it seems to lock out the /usr partition. because of that,
umount at shutdown actually remounts it as read-only. because
of _that_, stupid-debian-selinux can't stupid-remount the
stupid-/usr partition and you end up with an unusable system.
if i disable selinux before one of these boots (permissive) then
it boots up fine.
l.
--