[packagekit] SELinux issues
Matej Cepl
mcepl at redhat.com
Thu Oct 11 15:31:40 PDT 2007
Hi,

I don't know how much you want to get involved with SELinux at
this early stage of the development, but I am trying (as
a bugmaster I am supposed to take some level of pain) to use
Rawhide with SELinux switched on, and when I got setroubleshoot
working again, I discovered some AVC denials against
packagekit (see grep packagekit /var/log/audit/audit.log on
http://www.ceplovi.cz/matej/tmp/selinux-audit-log.txt ) and
I have generated this policy module with audit2allow:

module mypackagekit 1.0;

require {
        type unconfined_t;
        type var_run_t;
        type usr_t;
        type etc_t;
        type var_t;
        type hald_var_lib_t;
        type system_dbusd_t;
        class process getsched;
        class capability sys_nice;
        class dir { write read search add_name remove_name };
        class file { write getattr read create unlink execute execute_no_trans };
}

#============= system_dbusd_t ==============
allow system_dbusd_t etc_t:file write;
allow system_dbusd_t hald_var_lib_t:dir search;
allow system_dbusd_t self:capability sys_nice;
allow system_dbusd_t self:process getsched;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read getattr };
allow system_dbusd_t usr_t:file { execute execute_no_trans };
allow system_dbusd_t var_run_t:file { read getattr unlink };
allow system_dbusd_t var_t:dir { write read add_name remove_name };
allow system_dbusd_t var_t:file { write create unlink getattr };

I have absolutely no clue what it means. I may have some
problems with the labelling of my disk (actually /.autorelabel is
waiting for the next reboot), but I thought that you might be
interested (in case you know what you see here) in this as a kind
of possible-problems diagnostics.

Matěj
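
An added example, not part of the original message or of PackageKit: a small triage script that expands the allow rules posted above into single permissions and lists those that let system_dbusd_t modify or execute files carrying generic labels. The GENERIC_TYPES and SENSITIVE_PERMS sets and the function names are assumptions made for this illustration; each hit is a rule to review for mislabelling or a missing dedicated type before loading the module as-is.

```python
import re

# The allow rules exactly as posted in the message above.
MODULE_TE = """\
allow system_dbusd_t etc_t:file write;
allow system_dbusd_t hald_var_lib_t:dir search;
allow system_dbusd_t self:capability sys_nice;
allow system_dbusd_t self:process getsched;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read getattr };
allow system_dbusd_t usr_t:file { execute execute_no_trans };
allow system_dbusd_t var_run_t:file { read getattr unlink };
allow system_dbusd_t var_t:dir { write read add_name remove_name };
allow system_dbusd_t var_t:file { write create unlink getattr };
"""

# Assumption for this example: catch-all labels for /etc, /usr, /var and
# /var/run, so access granted on them covers far more than one program's files.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "var_run_t"}
# Assumption for this example: permissions that modify content or run code.
SENSITIVE_PERMS = {"write", "create", "unlink", "add_name", "remove_name",
                   "execute", "execute_no_trans"}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")

def parse_rules(te_text):
    """Expand each allow rule into (source, target, class, permission) tuples."""
    rules = []
    for line in te_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines and non-allow statements
        src, tgt, cls, perms = m.groups()
        for perm in perms.strip("{} ").split():
            rules.append((src, tgt, cls, perm))
    return rules

def broad_rules(rules):
    """Return the tuples that grant a sensitive permission on a generic type."""
    return [r for r in rules
            if r[1] in GENERIC_TYPES and r[3] in SENSITIVE_PERMS]

if __name__ == "__main__":
    for src, tgt, cls, perm in broad_rules(parse_rules(MODULE_TE)):
        print(f"review: {src} -> {tgt}:{cls} {perm}")
```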