From: martin@martinorr.name (Martin Orr)
Date: Fri, 24 Oct 2008 18:34:20 +0100
Subject: [refpolicy] open permission and directory search
Message-ID: <4902071C.8090705@martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Since enabling the open permission, I get lots of denials like:
Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): avc:
denied  { open } for  pid=3016 comm="hald-addon-acpi" name="var" dev=dm-0
ino=811201 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir

So far as I can see, open permission is checked every time a directory is
walked through in a path, so I think it is necessary to add open to
search_dir_perms.

Index: policy/support/obj_perm_sets.spt
===================================================================
--- policy/support/obj_perm_sets.spt.orig
+++ policy/support/obj_perm_sets.spt
@@ -181,7 +181,7 @@
 #
 define(`getattr_dir_perms',`{ getattr }')
 define(`setattr_dir_perms',`{ setattr }')
-define(`search_dir_perms',`{ getattr search }')
+define(`search_dir_perms',`{ getattr search open }')
 define(`list_dir_perms',`{ getattr search open read lock ioctl }')
 define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
 define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')

Best wishes,

-- 
Martin Orr