LinuxLists.cc - [refpolicy] services

2009-06-09 00:37:09

Subject: [refpolicy] services_hal.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_hal.patch

Add policy for hal-dccm

Lots of new interfaces

Manages dos/fusefs files

Starts dhcpc

Interfacts with ppp and uses policykit

Hald acl gets and sets fixed disk attributes

2009-07-27 14:19:01

by cpebenito

[permalink] [raw]

Subject: [refpolicy] services_hal.patch

On Mon, 2009-06-08 at 20:37 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_hal.patch
>
> Add policy for hal-dccm
>
> Lots of new interfaces
>
> Manages dos/fusefs files

Why?

> Starts dhcpc
>
> Interfacts with ppp and uses policykit
>
>
>
> Hald acl gets and sets fixed disk attributes
>

Renamed hal_create_log() to hal_manage_log() to match up the permissions
allowed.

########################################
## <summary>
+## Allo read/write to a hal unix datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`hal_rw_dgram_sockets',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
+

Is this supposed to be allow or dontaudit? the interface name and
implementation conflict.

Otherwise merged.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-07-27 14:44:12

by Daniel Walsh

[permalink] [raw]

Subject: [refpolicy] services_hal.patch

On 07/27/2009 10:19 AM, Christopher J. PeBenito wrote:
> On Mon, 2009-06-08 at 20:37 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_hal.patch
>>
>> Add policy for hal-dccm
>>
>> Lots of new interfaces
>>
>> Manages dos/fusefs files
>
> Why?
I would guess it opens files/directories for read/write. Perhaps some kind of config file.
>
>> Starts dhcpc
>>
>> Interfacts with ppp and uses policykit
>>
>>
>>
>> Hald acl gets and sets fixed disk attributes
>>
>
> Renamed hal_create_log() to hal_manage_log() to match up the permissions
> allowed.
>
> ########################################
> ## <summary>
> +## Allo read/write to a hal unix datagram socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`hal_rw_dgram_sockets',`
> + gen_require(`
> + type hald_t;
> + ')
> +
> + dontaudit $1 hald_t:unix_dgram_socket { read write };
> +')
> +
>
> Is this supposed to be allow or dontaudit? the interface name and
> implementation conflict.
>
I would say it is supposed to be dontaudit, since it looks like a leak.
> Otherwise merged.
>