When haldaemon starts, and typically just after the text 'login:' appears but before the graphical stuff takes over, I get:
Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied { read write } for pid=3187 exe=/usr/sbin/hald name=lp0 dev=tmpfs ino=5073 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:printer_device_t tclass=chr_file
referring to /dev/usb/lp0.
Does hald need read/write access to the printer_device?
Seems strange, but if so, we need to add to hald.te. If not, any idea what's happening?
tom
On Sun, 26 Sep 2004 04:27, Tom London selinux@gmail.com wrote:
> When haldaemon starts, and typically just after the text 'login:' appears but before the graphical stuff takes over, I get:
> Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied { read write } for pid=3187 exe=/usr/sbin/hald name=lp0 dev=tmpfs ino=5073 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:printer_device_t tclass=chr_file
> referring to /dev/usb/lp0.
> Does hald need read/write access to the printer_device?
Does hald need it right now? Probably, but I'm not sure.
Will it need such access in the future to perform the tasks that it is designed for? Definitely! There is a lot of variation among printer hardware and hald is the correct program to inform you of what type of printer you have just connected. I've attached a patch to add the access.
Understand and agree about read access, but the AVC shows it wanting write access as well.
Your patch allows read/getattr/ioctl, but not write. I can certainly imagine a dialog protocol that would require both read and write, but I'm not certain if this is in fact used here.
What do you think?
tom
On Sun, 26 Sep 2004 05:34:51 +1000, Russell Coker russell@coker.com.au wrote:
> On Sun, 26 Sep 2004 04:27, Tom London selinux@gmail.com wrote:
> > When haldaemon starts, and typically just after the text 'login:' appears but before the graphical stuff takes over, I get:
> > Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied { read write } for pid=3187 exe=/usr/sbin/hald name=lp0 dev=tmpfs ino=5073 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:printer_device_t tclass=chr_file
> > referring to /dev/usb/lp0.
> > Does hald need read/write access to the printer_device?
> Does hald need it right now? Probably, but I'm not sure.
> Will it need such access in the future to perform the tasks that it is designed for? Definitely! There is a lot of variation among printer hardware and hald is the correct program to inform you of what type of printer you have just connected. I've attached a patch to add the access.
> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page
On Sun, 26 Sep 2004 05:54, Tom London selinux@gmail.com wrote:
> Understand and agree about read access, but the AVC shows it wanting write access as well.
> Your patch allows read/getattr/ioctl, but not write. I can certainly imagine a dialog protocol that would require both read and write, but I'm not certain if this is in fact used here.
> What do you think?
I think we should allow write as well, I've attached a new patch.
If it wanted write access to fixed_disk_device_t or something then we would have to look into it seriously. But write to a printer doesn't seem so important and it's something that is needed for some status queries.
If hald ever goes as far as querying the paper size then it'll definitely need such access.
selinux@lists.fedoraproject.org
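The thread turns on reading one AVC denial, comparing it with what the first patch already granted (read/getattr/ioctl), and deciding whether the remaining permission (write) is acceptable for this target type. The following Python script is an added example, not part of the thread and not the patch Russell attached: it parses the AVC line quoted above, computes which denied permissions an existing allow rule does not cover, emits the corresponding `allow` rule in SELinux policy syntax, and flags write access to target types the reviewer treats as sensitive (the `SENSITIVE_WRITE_TYPES` set is an assumption illustrating Russell's fixed_disk_device_t remark; `GRANTED_BY_FIRST_PATCH` is reconstructed from Tom's description of the first patch, not from the patch itself).

```python
import re

# Constructed sample input: the AVC denial quoted in the thread, verbatim.
AVC_LINE = (
    "Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied "
    "{ read write } for pid=3187 exe=/usr/sbin/hald name=lp0 dev=tmpfs ino=5073 "
    "scontext=system_u:system_r:hald_t tcontext=system_u:object_r:printer_device_t "
    "tclass=chr_file"
)

# Assumption: what the first patch granted, per Tom's reply ("read/getattr/ioctl, but not write").
GRANTED_BY_FIRST_PATCH = {
    ("hald_t", "printer_device_t", "chr_file"): {"read", "getattr", "ioctl"},
}

# Assumption (illustrative): target types where a new write permission deserves a serious look,
# following Russell's point that write to fixed_disk_device_t would be a different matter.
SENSITIVE_WRITE_TYPES = {"fixed_disk_device_t", "removable_device_t", "memory_device_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Parse a kernel AVC denial line into its permission list and key/value fields.

    Returns None if the line is not an AVC denial. The source domain and target
    type are the third component of the respective security contexts.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": perms,
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        "name": fields.get("name"),
    }


def missing_perms(avc, policy):
    """Denied permissions not already covered by an allow rule in `policy`."""
    key = (avc["sdomain"], avc["ttype"], avc["tclass"])
    granted = policy.get(key, set())
    return [p for p in avc["perms"] if p not in granted]


def allow_rule(avc, perms=None):
    """Render an SELinux allow rule for the denial (optionally with an explicit perm list)."""
    perms = perms if perms is not None else avc["perms"]
    return f"allow {avc['sdomain']} {avc['ttype']}:{avc['tclass']} {{ {' '.join(perms)} }};"


def needs_serious_review(avc, perms):
    """True when the rule would grant write on a target type in the sensitive set."""
    return "write" in perms and avc["ttype"] in SENSITIVE_WRITE_TYPES


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    still_missing = missing_perms(avc, GRANTED_BY_FIRST_PATCH)
    print("denied:", avc["perms"], "for", avc["exe"], "on", avc["name"])
    print("not covered by first patch:", still_missing)
    # The combined rule corresponds to what the second patch in the thread is described as doing.
    combined = sorted(GRANTED_BY_FIRST_PATCH[(avc["sdomain"], avc["ttype"], avc["tclass"])] | set(still_missing))
    print(allow_rule(avc, combined))
    print("needs serious review:", needs_serious_review(avc, combined))
```

Run against the quoted denial this reports that only `write` is uncovered, prints the four-permission rule, and does not flag printer_device_t for review; feeding it a denial against fixed_disk_device_t would flip that last check, which is the distinction Russell draws.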