Re: AVC messages at boot and kdm login (latest Rawhide)

On 11.03.2004 05:41, Russell Coker wrote:

Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  {
read write } for  pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
ino=4219044 scontext=system_u:system_r:gpm_t
tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  {
ioctl } for  pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
ino=4219044 scontext=system_u:system_r:gpm_t
tcontext=system_u:object_r:device_t tclass=chr_file


How does /dev/input really work? As I understand it event0 could be a keyboard or a mouse. So maybe we want a separate type for this so that when using gpm it can access it, but when the user is granted direct mouse access they can't read the keyboard directly.

Does this make sense?

Maybe. This is already reported - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=117369


Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  {
read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file


That's a bug in kdm. It should use /dev/random instead. Reading arbitrary kernel memory as a source of random numbers is bogus anyway.

OK, entered in Bugzilla - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118051


Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc:  denied  {
write } for  pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
ino=670527 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:lib_t tclass=file


What directory is this in?

/usr/lib/qt-3.3/etc/settings/qtrc

We just need to get the directory in question labeled as var_lib_xdm_t.

Well, should it be writing to it, or just reading? I do not see why it would be reasonable for kdm_greet to touch it...


Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc:  denied  {
setattr } for  pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file


dontaudit or allow?  What should we do?

It probably doesn't matter much as the default policy does not permit the user to access the SCSI generic device.

Well, I have a symlink /dev/cdwriter -> /dev/sg0. Not sure if it is still meaningful or whether it is left from the "hdc=ide_scsi" times.


--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin@xxxxxxxxxxxxxx (office), aleksey@xxxxxxxxx (personal)
Office: Jorgensen 70, tel: (626) 395-2907
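The thread above walks through five AVC denials and, for each, decides between three outcomes: allow the access, dontaudit it, or fix the cause elsewhere (relabel the file, or patch the program). The small script below is an added example for this page, not code from the list or from the policy package; it folds AVC lines of the format shown above into candidate allow/dontaudit statements the way audit2allow does, so the reviewer can see the merged permission set per (source type, target type, class) before deciding. The sample lines are the thread's own denials re-joined onto single lines (the mail wrapped them) plus one constructed non-AVC line; the `dontaudit` argument models the "dontaudit or allow?" question for the sg0 setattr denial. It emits candidates only: by the thread's own reasoning the `xdm_t memory_device_t` and `xdm_t lib_t` rules should not be added to policy.

```python
"""Fold SELinux AVC denial lines into candidate policy rules.

Added example for the thread above (not code from the original post or from
the Fedora policy package).  Input format is the 2004-era kernel audit line:
  ... avc:  denied  { perm perm } for  key=value key=value ...
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# The thread's own denials, re-joined onto one line each (the mail wrapped
# them), plus one constructed non-AVC kernel line to show it is skipped.
SAMPLE_LINES = [
    "Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  { read write } for  pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file",
    "Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  { ioctl } for  pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file",
    "Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  { read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file",
    "Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc:  denied  { write } for  pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2 ino=670527 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:lib_t tclass=file",
    "Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc:  denied  { setattr } for  pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file",
    "Mar 11 04:20:53 dell kernel: eth0: link up",  # constructed, not an AVC line
]


def parse_avc(line):
    """Return {'perms': set, <key>: <value>, ...} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """Third field of a security context: system_u:system_r:gpm_t -> gpm_t."""
    return context.split(":")[2]


def collect_rules(lines):
    """Group denials by (source type, target type, object class), merging the
    permission sets, so gpm's separate {read write} and {ioctl} denials on
    /dev/input/event0 become one rule."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return rules


def format_rules(rules, dontaudit=frozenset()):
    """Render candidate statements.  `dontaudit` holds the (stype, ttype, tclass)
    keys the reviewer chose to silence rather than permit; everything else is
    rendered as an allow candidate for the reviewer to accept or reject."""
    out = []
    for key in sorted(rules):
        stype, ttype, tclass = key
        verb = "dontaudit" if key in dontaudit else "allow"
        perms = " ".join(sorted(rules[key]))
        out.append(f"{verb} {stype} {ttype}:{tclass} {{ {perms} }};")
    return out


if __name__ == "__main__":
    # Model the thread's decision on the sg0 denial: silence it, do not allow it.
    silence = {("xdm_t", "scsi_generic_device_t", "chr_file")}
    for stmt in format_rules(collect_rules(SAMPLE_LINES), dontaudit=silence):
        print(stmt)
```

Run it and the four candidates come out; the first (`allow gpm_t device_t:chr_file { ioctl read write };`) is the one the thread suggests replacing with a dedicated type for /dev/input, and the `memory_device_t` and `lib_t` lines are the two the thread argues should be fixed in kdm and by relabeling rather than by policy.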


