From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 27 Jul 2009 10:44:12 -0400
Subject: [refpolicy] services_hal.patch
In-Reply-To: <1248704344.13158.155.camel@gorn>
References: <4A2DAEB5.8010209@redhat.com> <1248704344.13158.155.camel@gorn>
Message-ID: <4A6DBD3C.3030801@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/27/2009 10:19 AM, Christopher J. PeBenito wrote:
> On Mon, 2009-06-08 at 20:37 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_hal.patch
>>
>> Add policy for hal-dccm
>>
>> Lots of new interfaces
>>
>> Manages dos/fusefs files
> 
> Why?
I would guess it opens files/directories for read/write.  Perhaps some kind of config file.
> 
>> Starts dhcpc
>>
>> Interfacts with ppp and uses policykit
>>
>>
>>
>> Hald acl gets and sets fixed disk attributes
>>
> 
> Renamed hal_create_log() to hal_manage_log() to match up the permissions
> allowed.
> 
>  ########################################
>  ## <summary>
> +##	Allo read/write	to a hal unix datagram socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`hal_rw_dgram_sockets',`
> +	gen_require(`
> +		type hald_t;
> +	')
> +
> +	dontaudit $1 hald_t:unix_dgram_socket { read write };
> +')
> +
> 
> Is this supposed to be allow or dontaudit? the interface name and
> implementation conflict.
> 
I would say it is supposed to be dontaudit, since it looks like a leak.
> Otherwise merged.
>