From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 27 Oct 2008 08:23:02 -0400
Subject: [refpolicy] open permission and directory search
In-Reply-To: <4902071C.8090705@martinorr.name>
References: <4902071C.8090705@martinorr.name>
Message-ID: <1225110182.4943.22.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2008-10-24 at 18:34 +0100, Martin Orr wrote:
> Since enabling the open permission, I get lots of denials like:
> Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): avc:
> denied  { open } for  pid=3016 comm="hald-addon-acpi" name="var" dev=dm-0
> ino=811201 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=dir
> 
> So far as I can see, open permission is checked every time a directory is
> walked through in a path, so I think it is necessary to add open to
> search_dir_perms.

Yes, I found that when I turned on the open permissions.  I've been
talking to Eric Paris about it, as I think its incorrect that open is
being checked in this case.  Unfortunately, even if that permission
check is dropped the above case, I'm going to have to allow it for a
while since its in a release kernel.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150