On Sun, 2007-09-16 at 22:42 +0200, Göran Uddeborg wrote:
> I'm using xdm rather than gdm. SELinux prevents
> /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
> (var_log_t). It happens once every time someone logs in or out. See
> the attached mail from SETroubleshoot for an example.
>
> To understand what is going on, I tried to strace the processes. But
> pam_console_apply doesn't attempt to write anything at all! See the
> attached (compressed) strace from pid 4480, the process mentioned in
> the SETroubleshoot mail.
>
> Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that
> the open fd is inherited by pam_console_apply. But if the inheritance
> itself was disallowed, wouldn't it be a "use" that would be denied by
> SELinux rather than a "write"?
>
> What am I missing?
>
> (The system is not up-to-date. It is possible this message would go
> away with an upgrade. I'm not looking for a way to get rid of the
> message here, I'm trying to understand what is going on.)

SELinux rechecks access to open files upon execve if the security context of the process is changing, and when descriptors are passed across local IPC. That revalidation includes both the fd use check (can the process use an open file description created by another security context, potentially communicating/interfering with that context by means of the open file's seek pointer and flags?) and the file read/write checks (can the process access the file in a manner consistent with the open file description?).

-- 
Stephen Smalley
National Security Agency

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
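The revalidation Stephen describes can be modelled in a few dozen lines, which makes it clear why the denial is reported as "write" even though pam_console_apply never calls write(2). The program below is an added example written for this thread; it is not kernel code and not Fedora policy. It models the two-stage check on each inherited descriptor at a domain transition (an fd:use check if the open file description was created by a different context, then the file permissions implied by the description's open flags) and evaluates them against a small allow table. Every rule in that table is constructed for illustration: it assumes pam_console_t may use xdm_t's descriptors and may read, but not write, var_log_t files. The scenario constants (xdm_stderr and friends) are likewise constructed from the thread's description.

```c
/* Model of the open-fd revalidation SELinux performs when a process
 * changes security context across execve. Constructed example for this
 * thread; the allow rules and scenario files below are made up. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

enum {
    CHK_FD_USE      = 1 << 0,   /* fd:use      */
    CHK_FILE_READ   = 1 << 1,   /* file:read   */
    CHK_FILE_WRITE  = 1 << 2,   /* file:write  */
    CHK_FILE_APPEND = 1 << 3,   /* file:append */
};

/* An inherited open file description, as the model sees it. */
struct open_file {
    const char *creator_ctx;   /* domain that called open(2) on it */
    const char *file_ctx;      /* type of the inode, e.g. var_log_t */
    int flags;                 /* open(2) flags of the description */
};

/* Which checks are revalidated for one inherited descriptor when the
 * calling process goes from old_ctx to new_ctx through execve. The
 * file permission follows the description's access mode, not anything
 * the new program actually does with the descriptor. */
int checks_on_exec(const struct open_file *f, const char *old_ctx,
                   const char *new_ctx)
{
    int checks = 0;
    if (strcmp(old_ctx, new_ctx) == 0)
        return 0;                         /* no transition: nothing rechecked */
    if (strcmp(f->creator_ctx, new_ctx) != 0)
        checks |= CHK_FD_USE;             /* description made by another domain */
    int acc = f->flags & O_ACCMODE;
    if (acc == O_RDONLY || acc == O_RDWR)
        checks |= CHK_FILE_READ;
    if (acc == O_WRONLY || acc == O_RDWR)
        checks |= (f->flags & O_APPEND) ? CHK_FILE_APPEND : CHK_FILE_WRITE;
    return checks;
}

/* Constructed allow rules: source domain, target type, class, permission.
 * These are assumptions for the example, not rules from any real policy. */
struct rule { const char *src, *tgt, *cls, *perm; };
static const struct rule policy[] = {
    { "pam_console_t", "xdm_t",     "fd",   "use"  },
    { "pam_console_t", "var_log_t", "file", "read" },
};

static int allowed(const char *src, const char *tgt, const char *cls,
                   const char *perm)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].src, src) && !strcmp(policy[i].tgt, tgt) &&
            !strcmp(policy[i].cls, cls) && !strcmp(policy[i].perm, perm))
            return 1;
    return 0;
}

/* Evaluate the rechecks in order (fd:use first, then the file
 * permissions) and return the first denied permission, or NULL if the
 * descriptor survives the transition untouched. */
const char *first_denial(const struct open_file *f, const char *old_ctx,
                         const char *new_ctx)
{
    int c = checks_on_exec(f, old_ctx, new_ctx);
    if ((c & CHK_FD_USE) && !allowed(new_ctx, f->creator_ctx, "fd", "use"))
        return "use";
    if ((c & CHK_FILE_READ) && !allowed(new_ctx, f->file_ctx, "file", "read"))
        return "read";
    if ((c & CHK_FILE_WRITE) && !allowed(new_ctx, f->file_ctx, "file", "write"))
        return "write";
    if ((c & CHK_FILE_APPEND) && !allowed(new_ctx, f->file_ctx, "file", "append"))
        return "append";
    return NULL;
}

/* Constructed scenario: xdm's stderr is /var/log/xdm.log (var_log_t),
 * opened by xdm_t and inherited by pam_console_apply, which transitions
 * to pam_console_t. The other two are variants for comparison. */
const struct open_file xdm_stderr        = { "xdm_t", "var_log_t", O_WRONLY };
const struct open_file xdm_stderr_append = { "xdm_t", "var_log_t", O_WRONLY | O_APPEND };
const struct open_file xdm_ro_file       = { "xdm_t", "var_log_t", O_RDONLY };

int main(void)
{
    const char *d = first_denial(&xdm_stderr, "xdm_t", "pam_console_t");
    printf("xdm_t -> pam_console_t, inherited stderr: %s\n", d ? d : "allowed");
    d = first_denial(&xdm_stderr, "xdm_t", "xdm_t");
    printf("xdm_t -> xdm_t (no transition):          %s\n", d ? d : "allowed");
    return 0;
}
```

In the modelled scenario the fd:use check passes (the constructed policy allows it), so the only thing left to fail is file:write on var_log_t, which is exactly the permission SETroubleshoot reported; had the fd:use rule been absent, the first denial would have been "use" instead. Without a domain transition the same descriptor is never rechecked at all.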