fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: pipefs AVC

Re: pipefs AVC

From: Dominick Grift <domg472_at_nospam>
Date: Sun Aug 29 2010 - 12:17:15 GMT
To: Mr Dash Four <mr.dash.four@googlemail.com>

On 08/29/2010 01:45 PM, Mr Dash Four wrote:
>
>> its a fifo_file on device pipefs with name/path: pipe:[11951]
>>
>> This type of internal communication is very common. We use the following
>> policy for this:
>>
>> allow voip_sandbox_t self:fifo_file rw_fifo_file_perms;
>>
> Is 'rw_fifo_file_perms' custom-defined somewhere?
>
> All I can see on the fifo_file is { append create execute getattr ioctl
> link lock mounton quotaon read relabelfrom relabelto rename setattr
> swapon unlink write }, of which, 'read' and 'write' are the relevant
> ones. If I do 'allow voip_sandbox_t self:fifo_file { read write }' would
> that be the same thing or am I missing something?
>

http://oss.tresys.com/projects/refpolicy/browser/policy/support/obj_perm_sets.spt

line 241:

define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')

Basically a set of common permissions to read and write fifo files. Not
quite the same as just { read write } but not too excessive either.

I always use "macros" where ever possible that will make policy
maintenance much easier.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux