From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 27 Jul 2009 10:44:12 -0400
Subject: [refpolicy] services_hal.patch
In-Reply-To: <1248704344.13158.155.camel@gorn>
References: <4A2DAEB5.8010209@redhat.com> <1248704344.13158.155.camel@gorn>
Message-ID: <4A6DBD3C.3030801@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 07/27/2009 10:19 AM, Christopher J. PeBenito wrote:
> On Mon, 2009-06-08 at 20:37 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_hal.patch
>>
>> Add policy for hal-dccm
>>
>> Lots of new interfaces
>>
>> Manages dos/fusefs files
>
> Why?
I would guess it opens files/directories for read/write. Perhaps some kind of config file.
>
>> Starts dhcpc
>>
>> Interfacts with ppp and uses policykit
>>
>>
>>
>> Hald acl gets and sets fixed disk attributes
>>
>
> Renamed hal_create_log() to hal_manage_log() to match up the permissions
> allowed.
>
> ########################################
> ##
> +## Allo read/write to a hal unix datagram socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`hal_rw_dgram_sockets',`
> + gen_require(`
> + type hald_t;
> + ')
> +
> + dontaudit $1 hald_t:unix_dgram_socket { read write };
> +')
> +
>
> Is this supposed to be allow or dontaudit? the interface name and
> implementation conflict.
>
I would say it is supposed to be dontaudit, since it looks like a leak.
> Otherwise merged.
>