On Thu, 15 Apr 2004 18:33, Dennis Gilmore <dennis@xxxxxxxx> wrote:
> Apr 15 11:26:06 asgard kernel: audit(1081992347.449:0): avc: denied
> { getattr } for pid=774 exe=/sbin/pam_console_apply path=/dev/input/js2
> dev=hde2 ino=234962788 scontext=system_u:system_r:pam_console_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file

/dev/input/js* should have the type mouse_device_t. Please do a "ls -Z" on them and tell me what it says.

NB: It is not going to say unlabeled_t; it will say whatever is on disk. The kernel uses unlabeled_t if what's on disk makes no sense with the currently loaded policy.

> Apr 15 11:26:06 asgard kernel: audit(1081992347.464:0): avc: denied
> { dac_override } for pid=774 exe=/sbin/pam_console_apply capability=1
> scontext=system_u:system_r:pam_console_t
> tcontext=system_u:system_r:pam_console_t tclass=capability

What is it trying to do here?

> Apr 15 11:26:06 asgard kernel: audit(1081992347.464:0): avc: denied
> { dac_read_search } for pid=774 exe=/sbin/pam_console_apply capability=2
> scontext=system_u:system_r:pam_console_t
> tcontext=system_u:system_r:pam_console_t tclass=capability

The fact that it tries both in quick succession means that all it really wanted is read.

> Apr 15 11:26:06 asgard kernel: inode_doinit_with_dentry: getxattr returned
> 13 for dev=hde2 ino=234962799

13 == EACCES? That can't be right. Steve, what do you think about this?

> Apr 15 11:27:19 asgard /sbin/mingetty[1796]: tty1: Operation not permitted
> Apr 15 11:27:19 asgard /sbin/mingetty[1797]: tty2: Operation not permitted
> Apr 15 11:27:19 asgard /sbin/mingetty[1798]: tty3: Operation not permitted
> Apr 15 11:27:19 asgard kernel: audit(1081992439.217:0): avc: denied
> { fowner } for pid=1796 exe=/sbin/mingetty capability=3
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=capability

Interesting. Who owns your tty devices?
Granting this capability should not cause a problem, so please test allowing this and see if it does some good. We don't want to grant capabilities wildly, but this will be OK if there are cases that need it.

> Apr 15 11:27:19 asgard kernel: audit(1081992439.880:0): avc: denied {
> read } for pid=1802 exe=/usr/bin/kdm name=mem dev=hde2 ino=33580795
> scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t
> tclass=chr_file
> Apr 15 11:27:19 asgard kdm[1802]: Cannot read randomFile "/dev/mem"; X
> cookies may be easily guessable

This one is already in bugzilla. You could put an allow rule in custom.te if you want to reduce the noise, but we deliberately don't want to allow this in the default policy. kdm needs to be fixed (it was always broken).

> Apr 15 11:27:19 asgard kernel: audit(1081992439.921:0): avc: denied
> { getattr } for pid=1818 exe=/usr/X11R6/bin/Xorg path=/var/log/Xorg.0.log
> dev=hde2 ino=302135865 scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:var_log_t tclass=file

Put the following in file_contexts/program/xserver.fc:

/var/log/XOrg.* -- system_u:object_r:xserver_log_t

I have attached a suitable xserver.fc file. Then you have to relabel /var/log after rebuilding the file_contexts file.

Regarding the long message, all the messages after 11:27:19 appeared to be repeats. The X server and getty will continue restarting forever, so they will produce an unlimited amount of messages if they can't start up correctly.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
# X server
/dev/agpgart -c system_u:object_r:agp_device_t
/dev/dri(/.*)? system_u:object_r:dri_device_t
/usr/X11R6/bin/Xwrapper -- system_u:object_r:xserver_exec_t
/usr/X11R6/bin/X -- system_u:object_r:xserver_exec_t
/usr/X11R6/bin/XFree86 -- system_u:object_r:xserver_exec_t
/usr/X11R6/bin/Xipaq -- system_u:object_r:xserver_exec_t
/var/lib/xkb(/.*)? system_u:object_r:var_lib_xkb_t
/usr/X11R6/lib(64)?/X11/xkb -d system_u:object_r:var_lib_xkb_t
/usr/X11R6/lib(64)?/X11/xkb/.* -- system_u:object_r:var_lib_xkb_t
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
/var/log/XFree86.* -- system_u:object_r:xserver_log_t
/var/log/XOrg.* -- system_u:object_r:xserver_log_t
# file_contexts patterns are case-sensitive; the denied path in the report
# above was /var/log/Xorg.0.log, so that spelling needs its own entry
/var/log/Xorg.* -- system_u:object_r:xserver_log_t
/etc/init\.d/xfree86-common -- system_u:object_r:xserver_exec_t
/tmp/\.X11-unix -d system_u:object_r:xdm_xserver_tmp_t
/tmp/\.X11-unix/.* -s <<none>>
/tmp/\.ICE-unix -d system_u:object_r:xdm_xserver_tmp_t
/tmp/\.ICE-unix/.* -s <<none>>
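Two points in the reply above are worth automating when triaging a log like Dennis's: restarting daemons repeat the same denial endlessly, so the distinct (scontext, tcontext, tclass, permission) tuples matter more than the raw volume, and a tcontext of unlabeled_t means the on-disk label no longer matches the loaded policy, which calls for a file_contexts entry and a relabel rather than an allow rule. The following is an added example, not code from the thread; it parses the 2004-era kernel AVC format quoted above on a constructed sample and the field names it relies on (scontext, tcontext, tclass, path) are taken from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread: a few of the posted
# lines, one repeat from a restarted getty, and one non-AVC syslog line.
SAMPLE_LOG = """\
Apr 15 11:26:06 asgard kernel: audit(1081992347.449:0): avc: denied { getattr } for pid=774 exe=/sbin/pam_console_apply path=/dev/input/js2 dev=hde2 ino=234962788 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Apr 15 11:26:06 asgard kernel: audit(1081992347.464:0): avc: denied { dac_override } for pid=774 exe=/sbin/pam_console_apply capability=1 scontext=system_u:system_r:pam_console_t tcontext=system_u:system_r:pam_console_t tclass=capability
Apr 15 11:27:19 asgard kernel: audit(1081992439.217:0): avc: denied { fowner } for pid=1796 exe=/sbin/mingetty capability=3 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Apr 15 11:27:20 asgard kernel: audit(1081992440.310:0): avc: denied { fowner } for pid=1801 exe=/sbin/mingetty capability=3 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Apr 15 11:27:19 asgard /sbin/mingetty[1796]: tty1: Operation not permitted
"""

# audit(<secs>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(r"audit\((?P<ts>[\d.]+):\d+\): avc: denied \{ (?P<perms>[^}]*)\} for (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "perms": tuple(m.group("perms").split())}
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, path, scontext, ...
    return rec

def summarise(text):
    """Collapse repeats into a count per (scontext, tcontext, tclass, perm)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts

def unlabeled_paths(text):
    """Paths whose target type is unlabeled_t: these need a file_contexts
    entry and a relabel, not an allow rule."""
    recs = (parse_avc(line) for line in text.splitlines())
    return sorted({r["path"] for r in recs
                   if r and "path" in r and r.get("tcontext", "").endswith(":unlabeled_t")})
```

Running summarise() over a full dmesg collapses the endless getty/X restart noise the reply mentions into one line per distinct denial, and unlabeled_paths() lists what to feed into ls -Z and a relabel.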