From: mgrepl@redhat.com (Miroslav Grepl)
Date: Mon, 21 Feb 2011 15:14:21 +0000
Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version
In-Reply-To: <1298092023.3101.48.camel@tesla.lan>
References: <4D5E97A6.1040603@redhat.com> <1298092023.3101.48.camel@tesla.lan>
Message-ID: <4D62814D.6010301@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
> Hello Miroslav !
>
> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>
>> * dmesg reads /proc/version
>> * dmesg needs to access to abrt files
> I couldn't find any reference in the source code for dmesg from
> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
> reads /proc/version".
>
> Nor I have any indication from the audit logs on the test system I am
> running that dmesg ever required that permission.
>
> Only mount needs to stat() /proc/version.
>
> So, where did you get that from ?

There was a bug saying

type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405 comm="dmesg" path="/proc/version" dev=proc ino=4026532016 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

> And I am not using abrt, but to be honest, I could not find any
> reference to abrt files access either.
>
> Regards,
>
> Guido
>