Re: policy addition for mozilla

Colin Walters wrote:

On Fri, 2004-07-09 at 01:13 -0400, Richard Hally wrote:

Attached (and below) is a diff of a one line addition for mozilla_macros.te from the selinux-policy-strict-sources-1.14.1-5.

audit2allow generated the following from the avc denied messages I received when trying to run Mozilla: allow staff_mozilla_t xdm_tmp_t:dir { search };


Just running denials through audit2allow is generally the wrong thing.
Often the denials are symptomatic of deeper problems like mislabeled
files, or deep design issues (e.g. GConf), or simply bugs in the
software (like mdadm opening files in /proc read/write), or
configuration problems (running Postfix chrooted).

In this particular case, having Mozilla able to access the XDM
temporary files is almost certainly the wrong solution. In order to
diagnose it we need to know what file it was accessing (information
contained in the raw dmesg output, but not in audit2allow) and what you
were doing at the time.

Here are the avc denied messages from trying to start mozilla web browser. When I say trying to start I mean clicking on the mozilla icon on the panel and watching the hour-glass cursor spin for a while and then it goes away. "nothing happens". BTW, the load_policy messages are because I had to "enableaudit" when building the policy to get the avc messages. This behavior started a couple of weeks ago. Previously mozilla had worked in enforcing mode.
Also further below are a couple of avc denied messages from booting that may be related to the problem as they have to do with xdm. They refer to a different file (.ICE-unix vice .X11-unix) but may be related. There was a bug having to do with this xdm problem (bug 127099.)


Jul 8 23:51:35 new2 kernel: audit(1089345095.411:0): avc: granted { load_policy } for pid=4238 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul 8 23:51:36 new2 kernel: security: 6 users, 7 roles, 1273 types, 1 bools
Jul 8 23:51:36 new2 kernel: security: 51 classes, 345889 rules
Jul 8 23:52:07 new2 kernel: audit(1089345127.662:0): avc: granted { load_policy } for pid=4296 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul 8 23:52:07 new2 kernel: security: 6 users, 7 roles, 1273 types, 1 bools
Jul 8 23:52:07 new2 kernel: security: 51 classes, 304966 rules
Jul 8 23:52:15 new2 kernel: audit(1089345135.764:0): avc: denied { search } for pid=4315 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 8 23:52:15 new2 kernel: audit(1089345135.772:0): avc: denied { search } for pid=4301 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir


from booting:
Jul 8 14:45:44 new2 kernel: audit(1089312344.553:0): avc: denied { setattr } for pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
Jul 8 14:45:44 new2 kernel: audit(1089312344.554:0): avc: denied { setattr } for pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir


HTH
Richard Hally
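Colin's point is that audit2allow collapses a denial into a type-level rule and drops the program and object behind it. As an added example (not from the thread or from the SELinux tools), this small Python parser runs over the AVC lines quoted above and shows both the collapsed rule audit2allow would print and the exe/name details the rule loses; the log lines are copied from the messages above, and parse_avc and the other function names are my own.

```python
import re
from collections import defaultdict

# Sample kernel log lines copied from the messages above (a constructed subset:
# one granted message, the two Mozilla denials, and one denial from boot).
SAMPLE_LOG = """\
Jul 8 23:51:35 new2 kernel: audit(1089345095.411:0): avc: granted { load_policy } for pid=4238 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jul 8 23:52:15 new2 kernel: audit(1089345135.764:0): avc: denied { search } for pid=4315 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 8 23:52:15 new2 kernel: audit(1089345135.772:0): avc: denied { search } for pid=4301 exe=/usr/lib/mozilla-1.7/mozilla-xremote-client name=.X11-unix dev=hda2 ino=1840558 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 8 14:45:44 new2 kernel: audit(1089312344.553:0): avc: denied { setattr } for pid=2513 exe=/usr/bin/gdm-binary name=.ICE-unix dev=hda2 ino=1840546 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def denials(log):
    return [r for r in map(parse_avc, log.splitlines()) if r and r["verdict"] == "denied"]

def allow_rules(log):
    """Collapse denials the way audit2allow does: one rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for r in denials(log):
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(perms.items())]

def denial_details(log):
    """Keep what the collapsed rule throws away: which program touched which object."""
    return sorted({(r["exe"], r.get("name", "?"), r["ttype"], " ".join(r["perms"])) for r in denials(log)})

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))      # what audit2allow would suggest
    for exe, name, ttype, perms in denial_details(SAMPLE_LOG):
        print(f"{exe} tried {{ {perms} }} on {name} ({ttype})")  # what you need to diagnose it
```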


