
SELinux Mailing List

hal - denials

From: Ivan Gyurdiev <ivg2_at_cornell.edu>
Date: Sat, 02 Apr 2005 18:14:30 -0500


OK, here is what hald required to stop complaining. Which ones should be dontaudit? I take it you won't like allowing hald to write to /selinux, and read /dev/mem.

re: dmidecode -
dmidecode decodes the DMI data present in x86 and IA64 BIOSes.

Can't that be made to run in its own domain?

diff -aur policy.old/domains/program/hald.te policy/domains/program/hald.te
--- policy.old/domains/program/hald.te 2005-04-02 17:37:37.000000000 -0500
+++ policy/domains/program/hald.te 2005-04-02 18:06:02.000000000
-0500
@@ -43,6 +43,7 @@

 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file read;

+allow hald_t mouse_device_t:chr_file { read ioctl };

 ifdef(`updfstab.te', `
 domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t) @@ -73,3 +74,20 @@
 tmp_domain(hald)
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
+
+# For /usr/libexec/hald-add-selinux-mount-option
+allow hald_t security_t:dir search;
+allow hald_t security_t:file { read write };
+allow hald_t security_t:security check_context;
+
+# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+
+# For /usr/sbin/dmidecode
+# Violates assertion
+#allow hald_t memory_device_t:chr_file read;
+allow hald_t self:capability sys_rawio;
+
+# ??
+allow hald_t lvm_control_t:chr_file getattr;
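Review bot: the mouse_device_t rule in the first hunk (`+allow hald_t mouse_device_t:chr_file { read ioctl };`) is the only addition without a comment naming the hald component that needs it; give it one in the style of the second hunk's `# For /usr/libexec/...` comments, and confirm from the denial that ioctl was actually requested and not only read, since ioctl on an input device is a broader grant than reading events from it.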
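Review bot: `allow hald_t security_t:file { read write };` in the second hunk grants write on every file under /selinux, while the comment says the only consumer is /usr/libexec/hald-add-selinux-mount-option and the `security_t:security check_context` rule next to it is the permission a context check actually requires; the post itself expects the /selinux write to be unwelcome, so narrow it to the one selinuxfs file the helper writes (take it from the denial) rather than all of security_t. The dmidecode block is inconsistent: `memory_device_t:chr_file read` is commented out because it violates an assertion, yet `allow hald_t self:capability sys_rawio;` stays in, and sys_rawio is needed on top of the /dev/mem read, not instead of it, so the capability alone buys hald nothing; drop it from hald_t and transition dmidecode into its own domain with domain_auto_trans, as this file already does for updfstab. The `# ??` rule (`allow hald_t lvm_control_t:chr_file getattr;`) looks like a device probe; if hald only stats the LVM control node and never opens it, make it dontaudit instead of allow, which answers the "which ones should be dontaudit" question for at least this one. Minor: the comment path `/usr/libxexc/hald-addon-acpi` should read `/usr/libexec`, matching the path in the comment above it.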

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Sat 2 Apr 2005 - 21:14:20 EST
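The post works from a batch of AVC denials and asks which of them deserve an allow rule and which should be dontaudit. The script below is an added example, not code from the post or from the SELinux project: it parses denial lines in the kernel AVC format of that period, merges them per (source type, target type, class), and sorts the result into allow, dontaudit and needs-review buckets. The audit lines are constructed for the example, and the SENSITIVE table and the "lone getattr is a probe" heuristic are this example's assumptions, not policy rules.

```python
"""Triage SELinux AVC denials into candidate allow / dontaudit / review rules.

Added example, not code from the mailing-list post. The sample audit lines are
constructed to match the 2005-era AVC format; SENSITIVE and PROBE_PERMS are
assumptions of this example, not anything the SELinux policy defines.
"""
import re

# Constructed sample denials (not real audit output). One unrelated syslog
# line is included to show that non-AVC lines are skipped.
SAMPLE_DENIALS = """\
audit(1112482201.123:45): avc:  denied  { read ioctl } for  pid=2301 comm="hald" name="mouse0" dev=tmpfs ino=1789 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file
audit(1112482201.456:46): avc:  denied  { read } for  pid=2310 comm="dmidecode" name="mem" dev=tmpfs ino=1100 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
audit(1112482202.001:47): avc:  denied  { getattr } for  pid=2301 comm="hald" path="/dev/mapper/control" dev=tmpfs ino=1321 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
audit(1112482202.500:48): avc:  denied  { write } for  pid=2320 comm="hald-add-selinu" name="context" dev=selinuxfs ino=7 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:security_t tclass=file
audit(1112482202.600:49): avc:  denied  { ioctl } for  pid=2301 comm="hald" name="mouse0" dev=tmpfs ino=1789 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file
Apr  2 18:06:02 localhost hald[2301]: probing /dev/input/mouse0
"""

# Permission set, then the three context/class fields, in the order the
# kernel prints them; whatever sits between (pid, comm, name, dev...) is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types whose denials must not be turned into allow rules blindly.
# Assumption of this example: the reasons mirror the concerns in the post.
SENSITIVE = {
    "memory_device_t": "raw access to /dev/mem; run the program in its own domain",
    "security_t": "selinuxfs; grant only the exact file/permission the helper needs",
}

# A denial consisting solely of these permissions is usually a probe (a stat
# of a device the daemon never opens) and so a dontaudit candidate.
PROBE_PERMS = {"getattr"}


def type_of(context):
    """user:role:type[:mls] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m.group("scon")), type_of(m.group("tcon")),
            m.group("tclass"), set(m.group("perms").split()))


def collect(lines):
    """Merge denials sharing (source, target, class) into one permission set."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return merged


def fmt_perms(perms):
    """Policy-language permission list: bare name for one, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def classify(key, perms):
    """Decide allow / dontaudit / review for one merged denial."""
    _, ttype, _ = key
    if ttype in SENSITIVE:
        return "review", SENSITIVE[ttype]
    if perms <= PROBE_PERMS:
        return "dontaudit", "probe only; silence rather than grant"
    return "allow", ""


def generate_rules(lines):
    """Return policy-language lines, sorted by (source, target, class)."""
    merged = collect(lines)
    out = []
    for key in sorted(merged):
        stype, ttype, tclass = key
        perms = merged[key]
        verdict, reason = classify(key, perms)
        keyword = "dontaudit" if verdict == "dontaudit" else "allow"
        rule = "%s %s %s:%s %s;" % (keyword, stype, ttype, tclass, fmt_perms(perms))
        if verdict == "review":
            # Emitted commented out so it cannot be loaded by accident.
            out.append("# REVIEW (%s):" % reason)
            out.append("#" + rule)
        elif verdict == "dontaudit":
            out.append("# %s" % reason)
            out.append(rule)
        else:
            out.append(rule)
    return out


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_DENIALS.splitlines())))
```

Run against the constructed lines it emits an allow for the mouse device, a dontaudit for the lone getattr on the LVM control node, and commented-out review entries for /dev/mem and selinuxfs, which is the split the post is asking about. Real audit logs should be fed through the same merge step before any rule is written, since a single daemon typically produces the same denial many times with slightly different permission sets.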
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service