2008-10-24 17:34:20

by martin

Subject: [refpolicy] open permission and directory search

Since enabling the open permission, I get lots of denials like:
Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): avc:
denied { open } for pid=3016 comm="hald-addon-acpi" name="var" dev=dm-0
ino=811201 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir

So far as I can see, open permission is checked every time a directory is
walked through in a path, so I think it is necessary to add open to
search_dir_perms.

Index: policy/support/obj_perm_sets.spt
===================================================================
--- policy/support/obj_perm_sets.spt.orig
+++ policy/support/obj_perm_sets.spt
@@ -181,7 +181,7 @@
#
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
-define(`search_dir_perms',`{ getattr search }')
+define(`search_dir_perms',`{ getattr search open }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
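Review bot: the one-line change to `search_dir_perms' widens every search-only directory rule in the policy at once, so each domain that only needed traversal now also gets open on those directories; the patch description should say that this is driven by the kernel checking open while walking the path (the hald_t denial on var_t quoted above) and whether the addition is meant to be temporary. The resulting definition is at least consistent with the neighbouring list_dir_perms, add_entry_dir_perms and del_entry_dir_perms sets, which already carry open alongside getattr and search.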

Best wishes,

--
Martin Orr
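As an added illustration (not part of the thread or of refpolicy itself), the short Python checker below parses an AVC record such as the one quoted above and reports which of the quoted *_dir_perms macros would cover the denied permission, before and after the patch. The macro lines and the audit line are the ones from the message; the regular expressions for the m4 define() syntax and the audit key=value fields are my own assumptions.

```python
import re

# Perm-set macros in refpolicy's m4 syntax, copied from the obj_perm_sets.spt
# lines quoted in the message (the "before" state of the patch).
PERM_SETS_BEFORE = """
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`search_dir_perms',`{ getattr search }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
"""
# The same text with the patch applied: open added to search_dir_perms.
PERM_SETS_AFTER = PERM_SETS_BEFORE.replace(
    "`{ getattr search }'", "`{ getattr search open }'")

# The denial quoted in the message (constructed sample input for this script).
AVC_LINE = ('Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): avc: '
            'denied { open } for pid=3016 comm="hald-addon-acpi" name="var" dev=dm-0 '
            'ino=811201 scontext=system_u:system_r:hald_t:s0 '
            'tcontext=system_u:object_r:var_t:s0 tclass=dir')

# Assumed formats: define(`name',`{ perm perm ... }') and "avc: denied { perms } for k=v ..."
DEFINE_RE = re.compile(r"define\(`(\w+)',`\{([^}]*)\}'\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_perm_sets(text):
    """Return {macro_name: set(permissions)} from m4 define() lines."""
    return {name: set(body.split()) for name, body in DEFINE_RE.findall(text)}


def parse_avc(line):
    """Return (set of denied permissions, dict of key=value fields) for one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    perms = set(m.group(1).split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return perms, fields


def covering_sets(line, perm_sets):
    """Names of *_<tclass>_perms macros whose permission set includes every denied perm."""
    perms, fields = parse_avc(line)
    suffix = "_%s_perms" % fields["tclass"]
    return sorted(name for name, perm_set in perm_sets.items()
                  if name.endswith(suffix) and perms <= perm_set)


if __name__ == "__main__":
    print("before patch:", covering_sets(AVC_LINE, parse_perm_sets(PERM_SETS_BEFORE)))
    print("after patch: ", covering_sets(AVC_LINE, parse_perm_sets(PERM_SETS_AFTER)))
```

Before the patch only the list/add_entry/del_entry sets cover the denial; afterwards search_dir_perms does too, which is what makes the hald_t denial go away.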


2008-10-27 12:23:02

by cpebenito

Subject: [refpolicy] open permission and directory search

On Fri, 2008-10-24 at 18:34 +0100, Martin Orr wrote:
> Since enabling the open permission, I get lots of denials like:
> Oct 21 20:05:53 caligula kernel: type=1400 audit(1224615953.555:5): avc:
> denied { open } for pid=3016 comm="hald-addon-acpi" name="var" dev=dm-0
> ino=811201 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=dir
>
> So far as I can see, open permission is checked every time a directory is
> walked through in a path, so I think it is necessary to add open to
> search_dir_perms.

Yes, I found that when I turned on the open permissions. I've been
talking to Eric Paris about it, as I think it's incorrect that open is
being checked in this case. Unfortunately, even if that permission
check is dropped in the above case, I'm going to have to allow it for a
while since it's in a release kernel.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150