Running strict/enforcing, latest rawhide.

I finally got around to 'blowing the dust off' of my strict PC. I updated to latest rawhide, did a 'fixfiles relabel', and rebooted.

Graphical login failed. Appears that xdm is failing on creating a sem:

Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied { create } for key=1417649221 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied { unix_read unix_write } for key=199061348 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem

Adding:

allow xdm_t self:sem { create unix_read unix_write };

to xdm.te seems to fix this. That OK?

Also, running firefox proxied through privoxy generates:

Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied { name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:port_t tclass=tcp_socket

or

allow user_mozilla_t port_t:tcp_socket name_connect;

That right?

Going through /var/log/messages:

Early on, I get this:

Apr 30 13:27:05 fedora kernel: SELinux: Completing initialization.
Apr 30 13:27:05 fedora kernel: SELinux: Setting up existing superblocks.
Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc: denied { write } for path=pipe:[1886] dev=pipefs ino=1886 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Apr 30 13:27:05 fedora kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs

and

Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867589.937:0): avc: denied { read } for name=class@vc@vcsa1 dev=tmpfs ino=1836 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867589.939:0): avc: denied { read } for name=class@vc@vcs1 dev=tmpfs ino=1830 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867590.492:0): avc: denied { create } for name=input scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867590.494:0): avc: denied { create } for name=input scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867591.604:0): avc: denied { write } for name=class@vc@vcs1 dev=tmpfs ino=1830 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.627:0): avc: denied { write } for name=class@vc@vcsa1 dev=tmpfs ino=1836 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.754:0): avc: denied { read } for name=class@vc@vcs1 dev=tmpfs ino=1830 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.764:0): avc: denied { read } for name=class@vc@vcsa1 dev=tmpfs ino=1836 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867592.051:0): avc: denied { write } for name=class@vc@vcsa1 dev=tmpfs ino=1836 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file

<<<<SNIP>>>>

Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied { search } for name=485 dev=proc ino=31784962 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied { search } for name=494 dev=proc ino=32374786 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied { search } for name=545 dev=proc ino=35717122 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=dir

and

Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0 (PCI): IRQ=[11] MMIO=[ed100000-ed1007ff] Max Packet=[2048]
Apr 30 13:27:08 fedora kernel: audit(1114867609.739:0): avc: denied { getattr } for path=/etc/hotplug dev=hda2 ino=4472955 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 30 13:27:09 fedora kernel: audit(1114867609.739:0): avc: denied { search } for name=hotplug dev=hda2 ino=4472955 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

and

Apr 30 13:27:10 fedora kernel: audit(1114892828.091:0): avc: denied { execute } for name=auto.net dev=hda2 ino=4474546 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:automount_etc_t tclass=file
Apr 30 13:27:10 fedora kernel: audit(1114892828.595:0): avc: denied { write } for name=/ dev=hda2 ino=2 scontext=system_u:system_r:automount_t tcontext=system_u:object_r:root_t tclass=dir
Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc: denied { dac_override } for capability=1 scontext=system_u:system_r:automount_t tcontext=system_u:system_r:automount_t tclass=capability
Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc: denied { write } for name=/ dev=hda2 ino=2 scontext=system_u:system_r:automount_t tcontext=system_u:object_r:root_t tclass=dir

Sorry if these are already fixed.

tom

--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
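The step Tom does by hand above (read an avc: denied line, pull out the source type, target type, class and permissions, and write an allow rule, using self when source and target types match) is what audit2allow automates. The script below is an added example, not code from the post or from the Fedora policy tree; it reimplements that collapse step over the 2005-era printk format shown above and adds a small review watch-list (the SUSPICIOUS table is this example's own heuristic, not anything from the policy tooling) so that rules a reviewer would normally push back on, such as a capability grant or a write to root_t, are flagged instead of silently emitted. The sample input is the xdm, mozilla and automount lines quoted in the post.

```python
#!/usr/bin/env python3
"""Turn SELinux AVC denial lines into candidate allow rules, audit2allow-style.

Added example, not from the original post or the Fedora policy tree.
It collapses avc: denied lines per (source type, target type, class) and
renders one `allow` rule each, using `self` when the types match. Rules
that a policy reviewer would question are reported as warnings.
"""
import re
from collections import defaultdict

# Matches the 2005-era printk format used in the post:
#   audit(...): avc: denied { perms } for ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic watch-list (this example's own, not from audit2allow):
# (tclass, permission or None for any, target type or None for any, reason)
SUSPICIOUS = [
    ("capability", None, None,
     "capability grants apply process-wide; confirm the daemon really needs it"),
    ("dir", "write", "root_t",
     "writing to / is usually a labeling problem, not a missing rule"),
    ("tcp_socket", "name_connect", "port_t",
     "port_t is the catch-all for unlabeled ports; prefer a dedicated port type"),
]


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial line."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the ohci1394 or SELinux: init lines)
        perms = frozenset(m.group("perms").split())
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), perms)


def collapse(lines):
    """Merge permissions per (stype, ttype, tclass), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        merged[(stype, ttype, tclass)] |= perms
    return merged


def allow_rule(stype, ttype, tclass, perms):
    """Render one policy-language allow rule; `self` when source == target."""
    target = "self" if stype == ttype else ttype
    plist = sorted(perms)
    perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def review(lines):
    """Return (rules, warnings): candidate rules plus review notes for risky ones."""
    rules, warnings = [], []
    for (stype, ttype, tclass), perms in sorted(collapse(lines).items()):
        rules.append(allow_rule(stype, ttype, tclass, perms))
        for cls, perm, tt, why in SUSPICIOUS:
            if tclass == cls and (perm is None or perm in perms) and (tt is None or tt == ttype):
                warnings.append(f"{stype} -> {ttype}:{tclass}: {why}")
    return rules, warnings


# Sample input: the xdm, mozilla and automount denials quoted in the post above.
SAMPLE = """\
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied { create } for key=1417649221 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied { unix_read unix_write } for key=199061348 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied { name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc: denied { dac_override } for capability=1 scontext=system_u:system_r:automount_t tcontext=system_u:system_r:automount_t tclass=capability
Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc: denied { write } for name=/ dev=hda2 ino=2 scontext=system_u:system_r:automount_t tcontext=system_u:object_r:root_t tclass=dir
""".splitlines()

if __name__ == "__main__":
    rules, warnings = review(SAMPLE)
    print("\n".join(rules))
    for w in warnings:
        print("# REVIEW:", w)
```

Run against the sample, the xdm pair collapses to exactly the rule Tom added (allow xdm_t self:sem { create unix_read unix_write };), while the automount dac_override and root_t write and the mozilla name_connect to port_t each come back with a review note. The point of the watch-list is the one audit2allow output never makes on its own: a generated rule is a statement of what the denial was, not of what the policy should permit, and a write to / or a capability grant is a cue to look at labels or at the daemon before adding the line to a .te file.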