From: martin@martinorr.name (Martin Orr) Date: Fri, 24 Oct 2008 18:34:20 +0100 Subject: [refpolicy] open permission and directory search Message-ID: <4902071C.8090705@martinorr.name> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Since enabling the open permission, I get lots of denials like: Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): avc: denied { open } for pid=3016 comm="hald-addon-acpi" name="var" dev=dm-0 ino=811201 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir So far as I can see, open permission is checked every time a directory is walked through in a path, so I think it is necessary to add open to search_dir_perms. Index: policy/support/obj_perm_sets.spt =================================================================== --- policy/support/obj_perm_sets.spt.orig +++ policy/support/obj_perm_sets.spt @@ -181,7 +181,7 @@ # define(`getattr_dir_perms',`{ getattr }') define(`setattr_dir_perms',`{ setattr }') -define(`search_dir_perms',`{ getattr search }') +define(`search_dir_perms',`{ getattr search open }') define(`list_dir_perms',`{ getattr search open read lock ioctl }') define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') Best wishes, -- Martin Orr
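Review bot: the justification for the `search_dir_perms` hunk does not follow from the denial quoted with it. The AVC record is for `{ open }` on the directory `name="var"` by `comm="hald-addon-acpi"` in `hald_t`, which means that domain is actually opening the directory; a path walk through a directory is charged `search`, not `open`, so this one denial does not show that every caller of `search_dir_perms` needs `open`. Since `search_dir_perms` is the narrowest dir set and is used policy-wide, adding `open` to it grants the permission to every domain that only traverses directories. Suggest first checking what hald-addon-acpi does in /var and then fixing the reporting domain with the existing `list_dir_perms` (already `{ getattr search open read lock ioctl }`), or a targeted `allow hald_t var_t:dir { getattr search open };` in the hal module, and keeping the macro widening as a separate change if it turns out `open` really is needed on every search.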
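As an added example, not code from this mail or from refpolicy: a small Python triage helper that parses an AVC denial like the one above together with the dir perm-set macros from the hunk, and reports the smallest existing perm set that already covers the denied permission, so that one targeted rule for the domain/type pair can be written before a shared macro such as search_dir_perms is widened for every caller. The sample record and macro text are copied from the mail (pre-patch state); the allow-rule output uses standard policy syntax.

```python
import re
# Constructed inputs: the AVC record quoted in the mail and the dir perm-set
# macros from the pre-patch context of the obj_perm_sets.spt hunk.
SAMPLE_AVC = ('Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): '
              'avc: denied { open } for pid=3016 comm="hald-addon-acpi" name="var" '
              'dev=dm-0 ino=811201 scontext=system_u:system_r:hald_t:s0 '
              'tcontext=system_u:object_r:var_t:s0 tclass=dir')
SAMPLE_SPT = """
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`search_dir_perms',`{ getattr search }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
DEFINE_RE = re.compile(r"define\(`(?P<name>\w+)',`\{\s*(?P<perms>[^}]*)\}'\)")

def parse_avc(line):
    """Parse one kernel AVC denial into perms, source/target types and class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split('=', 1) for tok in m.group('fields').split() if '=' in tok)
    kv = {k: v.strip('"') for k, v in kv.items()}
    return {'perms': set(m.group('perms').split()),
            'stype': kv['scontext'].split(':')[2],   # e.g. hald_t
            'ttype': kv['tcontext'].split(':')[2],   # e.g. var_t
            'tclass': kv['tclass'], 'name': kv.get('name'), 'comm': kv.get('comm')}

def parse_perm_sets(spt_text):
    """Read m4 perm-set macros (define(`name',`{ perms }')) into name -> set."""
    return {m.group('name'): set(m.group('perms').split())
            for m in DEFINE_RE.finditer(spt_text)}

def covering_sets(denied, perm_sets, tclass):
    """Perm sets for this object class containing every denied perm, smallest first."""
    suffix = '_%s_perms' % tclass
    hits = [(len(p), n) for n, p in perm_sets.items() if n.endswith(suffix) and denied <= p]
    return [n for _, n in sorted(hits)]

def suggest_rule(avc, perm_sets):
    """Targeted allow rule using the smallest covering macro, or the bare perms."""
    sets = covering_sets(avc['perms'], perm_sets, avc['tclass'])
    perms = sets[0] if sets else '{ %s }' % ' '.join(sorted(avc['perms']))
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perms)

if __name__ == '__main__':
    print(suggest_rule(parse_avc(SAMPLE_AVC), parse_perm_sets(SAMPLE_SPT)))
```

Run against the pre-patch macros it proposes `allow hald_t var_t:dir list_dir_perms;`; after the patch, search_dir_perms becomes the smallest covering set instead.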