SELinux Mailing List

Re: [ PATCH ] hal - create netlink socket

From: Ivan Gyurdiev <ivg2_at_cornell.edu>
Date: Mon, 28 Mar 2005 12:26:56 -0500


On Mon, 2005-03-28 at 12:04 -0500, Stephen Smalley wrote:
> On Mon, 2005-03-28 at 12:02 -0500, Ivan Gyurdiev wrote:
> > > Ah, we don't get the desired information because it is being passed by
> > > address for the socketcall multiplexer. Maybe run hald under strace (in
> > > permissive mode, of course).
> >
> > Does this help?
> >
> > socket(PF_NETLINK, SOCK_DGRAM, 15) = 7
>
> Yes. Per include/linux/netlink.h, protocol 15 is
> NETLINK_KOBJECT_UEVENT, which is used by lib/kobject_uevent.c. Looks
> like it is purely a kernel-to-userspace notification mechanism, so we
> might want a separate class for it to allow access to such notifications
> but we don't need any nlmsg_read/write checking for it. James, what do
> you think? In the meantime, you can allow hald access to netlink_socket
> in the policy, but we'll ultimately want to replace that with a finer-
> grained rule once the new class is in place.

What about all the other denials?

That last one violates an assertion if allowed.

/usr/libexec/hald-probe-input denied { read } on mouse_device_t:chr_file
/usr/libexec/hald-addon-acpi denied { write } on acpid.socket (apmd_var_run_t)
/usr/libexec/hald-add-selinux-mount-option denied { search } on /selinux (security_t)
/usr/sbin/hald denied { getattr } on /dev/mapper/control (lvm_control_t)
/usr/sbin/dmidecode denied { read } on /dev/mem (memory_device_t)

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 28 Mar 2005 - 12:22:13 EST
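The socket that the strace line above shows hald creating, socket(PF_NETLINK, SOCK_DGRAM, 15), is a NETLINK_KOBJECT_UEVENT socket, and the thread's point is that the kernel only ever sends on it. The following program, added here as an illustration and not code from the thread, from hal or from the kernel, performs the same socket() and bind() that the hald_t policy has to permit on class netlink_socket, then decodes what arrives. It assumes the uevent wire format produced by lib/kobject_uevent.c ("ACTION@DEVPATH\0KEY=VALUE\0..." in one datagram, multicast group 1), and the sample datagram embedded in it is constructed, not captured. The parser bounds every string by the received length, since nothing in a datagram from the kernel or from a spoofing sender should be trusted to be NUL-terminated.

```c
/* Added example, not code from the thread or from hal: open the socket that
 * strace showed hald creating -- socket(PF_NETLINK, SOCK_DGRAM, 15), i.e.
 * NETLINK_KOBJECT_UEVENT -- and decode the kernel's uevent datagrams.
 * Assumed wire format (lib/kobject_uevent.c):
 * "ACTION@DEVPATH\0KEY=VALUE\0KEY=VALUE\0..." */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netlink.h>
#endif

#define UEVENT_MAX_VARS 32

struct uevent {
    char action[32];                    /* "add", "remove", "change", ... */
    char devpath[256];                  /* sysfs path of the kobject */
    int nvars;
    const char *vars[UEVENT_MAX_VARS];  /* "KEY=VALUE" strings, alias buf */
};

/* Parse one datagram of len bytes. Returns 0 on success, -1 on a malformed
 * message. ev->vars point into buf, so buf must outlive ev. Every string is
 * bounded by len: nothing in buf is trusted to be NUL-terminated. */
int parse_uevent(const char *buf, size_t len, struct uevent *ev)
{
    memset(ev, 0, sizeof *ev);
    const char *nul = memchr(buf, '\0', len);
    if (!nul) return -1;                        /* header not terminated */
    const char *at = memchr(buf, '@', (size_t)(nul - buf));
    if (!at || at == buf) return -1;            /* need "ACTION@DEVPATH" */
    size_t alen = (size_t)(at - buf), dlen = (size_t)(nul - at - 1);
    if (alen >= sizeof ev->action || dlen >= sizeof ev->devpath) return -1;
    memcpy(ev->action, buf, alen);              /* memset left the NULs */
    memcpy(ev->devpath, at + 1, dlen);

    const char *p = nul + 1, *end = buf + len;
    while (p < end && ev->nvars < UEVENT_MAX_VARS) {
        const char *q = memchr(p, '\0', (size_t)(end - p));
        if (!q) return -1;                      /* unterminated variable */
        if (q > p && memchr(p, '=', (size_t)(q - p)))
            ev->vars[ev->nvars++] = p;          /* well-formed KEY=VALUE */
        p = q + 1;                              /* skip empty or bad ones */
    }
    return 0;
}

/* Value of KEY in a parsed event, or NULL if absent. */
const char *uevent_get(const struct uevent *ev, const char *key)
{
    size_t klen = strlen(key);
    for (int i = 0; i < ev->nvars; i++)
        if (strncmp(ev->vars[i], key, klen) == 0 && ev->vars[i][klen] == '=')
            return ev->vars[i] + klen + 1;
    return NULL;
}

/* The same socket() call as in the strace output, bound to multicast
 * group 1, on which the kernel broadcasts uevents. Returns fd or -1.
 * The create and bind here are what the policy must allow hald_t on
 * class netlink_socket. */
int open_uevent_socket(void)
{
#ifdef __linux__
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0) return -1;
    struct sockaddr_nl sa;
    memset(&sa, 0, sizeof sa);
    sa.nl_family = AF_NETLINK;
    sa.nl_pid = 0;                              /* kernel assigns a port id */
    sa.nl_groups = 1;                           /* uevent multicast group */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
#else
    errno = ENOSYS;                             /* netlink is Linux-only */
    return -1;
#endif
}

/* Constructed sample datagram (not a capture) in the assumed format. */
const char sample_uevent[] =
    "add@/class/input/input3\0"
    "ACTION=add\0DEVPATH=/class/input/input3\0SUBSYSTEM=input\0SEQNUM=1234\0";
const size_t sample_uevent_len = sizeof sample_uevent - 1;

static void print_event(const struct uevent *ev)
{
    const char *sub = uevent_get(ev, "SUBSYSTEM");
    printf("%s %s [%s]\n", ev->action, ev->devpath, sub ? sub : "?");
}

int main(void)
{
    struct uevent ev;
    if (parse_uevent(sample_uevent, sample_uevent_len, &ev) == 0)
        print_event(&ev);                       /* works without the socket */

    int fd = open_uevent_socket();
    if (fd < 0) { perror("NETLINK_KOBJECT_UEVENT socket"); return 1; }
    char buf[8192];                             /* kernel uevents are < 2 KiB */
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { if (errno == EINTR) continue; perror("recv"); return 1; }
        if (parse_uevent(buf, (size_t)n, &ev) == 0)
            print_event(&ev);
    }
}
```

Run under strace and the same socket(PF_NETLINK, SOCK_DGRAM, 15) line appears, which is the quick way to confirm what a confined daemon is asking for when the AVC message only shows the class. The interim policy change the reply suggests amounts to a rule of the form "allow hald_t self:netlink_socket create_socket_perms;" (the type and macro names here are assumed from the policy conventions of the time, not quoted from the thread); the finer-grained class the reply anticipates would let that rule cover create and bind but omit nlmsg_read/nlmsg_write, matching the one-way nature of the channel.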
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service