Re: ainit (xdm_t) wants to write /etc/alsa/pcm/dmix.conf (etc_t) ...

Tom London wrote:

On 5/24/05, Tom London <selinux@xxxxxxxxx> wrote:


On 5/24/05, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:


Tom London wrote:
Running strict/enforcing, latest rawhide.

Get the following when logging in:
May 21 13:30:16 fedora gdm(pam_unix)[2946]: session opened for user
tbl by (uid=0)
May 21 13:30:16 fedora kernel: audit(1116707416.740:0): avc:  denied
{ write } for  name=dmix.conf dev=hda2 ino=4523476
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=file
May 21 13:30:16 fedora ainit: Failed to open file /etc/alsa/pcm/dmix.conf
May 21 13:30:16 fedora ainit: Error: Permission denied

The file in question is /etc/alsa/pcm/dmix.conf.

/etc/alsa/ainit.conf has:
#
# overwrite target files, if exists
#
overwrite = yes

#
# first config file - for dmix plugin
#
template_0 = /etc/alsa/pcm/dmix.template
target_0  = /etc/alsa/pcm/dmix.conf
target_root_file_0 = yes

This seems less than perfect to me....
Should dmix.conf (and dsnoop.conf) be someplace else? Labeled as
xdm_rw_etc_t? (I don't know who else needs to read these files....)

tom
Do you have any idea if xdm is actually trying to write this file, or
could this just be they used the wrong flags when opening the file?
No idea.

I'll test tonight on my 'strict machine'.

tom
Running strict/permissive, I get this:

May 25 06:19:54 fedora gdm(pam_unix)[2695]: session opened for user
tbl by (uid=0)
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { write } for pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { add_name } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { create } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=file
May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc: denied { write } for pid=2739 comm="ainit" name=dmix.conf dev=hda2
ino=4522361 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:19:56 fedora gconfd (tbl-2801): starting (version 2.10.0),
pid 2801 user 'tbl'


So it looks like xdm wants to really create/write this....

Logging out does this:

May 25 06:24:54 fedora gconfd (tbl-2801): Exiting
May 25 06:24:54 fedora gdm(pam_unix)[2695]: session closed for user tbl
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied { write } for pid=3184 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied { remove_name } for pid=3184 comm="ainit" name=dmix.conf.lock
dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied { unlink } for pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2
ino=4522777 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied { unix_read unix_write } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied { associate } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied { destroy } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm


tom


Ok, looks like we need policy for ainit and this directory.

Anyone up for it?  :^)

Please open a bugzilla, so I will get it done, if no one volunteers.
Dan

--


-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
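As an added example (not part of the thread or of any Fedora tooling), the script below parses the AVC denials Tom posted and aggregates the denied permissions per source type, target type and object class, which is the summary one needs before deciding between writing allow rules and giving /etc/alsa/pcm its own type. The sample log is the thread's own lines re-joined onto single lines, since the mail client wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines from this thread, each re-joined onto one line
# (the mail client had wrapped them); timestamps, pids and inodes are as posted.
AVC_LOG = """\
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { write } for pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { add_name } for pid=2739 comm="ainit" name=dmix.conf scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { create } for pid=2739 comm="ainit" name=dmix.conf scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc: denied { write } for pid=2739 comm="ainit" name=dmix.conf dev=hda2 ino=4522361 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied { remove_name } for pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied { unlink } for pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied { unix_read unix_write } for pid=3184 comm="ainit" key=1947154681 scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t tclass=shm
"""

# permissions inside the braces, then the key=value fields that follow "for"
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return (set of denied perms, dict of fields) for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return perms, fields

def summarize(log):
    """Aggregate denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed is None:          # gdm/gconfd/ainit lines are not AVC records
            continue
        perms, f = parsed
        # the type is the third field of a user:role:type context
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        needed[key] |= perms
    return dict(needed)

def allow_rules(summary):
    """Render the summary as candidate allow rules, audit2allow style."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in summary.items())

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(AVC_LOG))))
```

The etc_t rules it prints would let xdm_t create and write any etc_t file, not just dmix.conf, which is why the thread leans toward a dedicated type for this directory rather than a blanket allow.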
