Tom London wrote:
> On Dec 3, 2007 3:54 PM, Tom London <selinux@xxxxxxxxx> wrote:
>> On Dec 3, 2007 3:50 PM, Tom London <selinux@xxxxxxxxx> wrote:
>>> Forgot to attach the AVCs......
>>>
>>> Does this one look suspicious?
>>>
>>> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
>>> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
>>> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
>>> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
>>> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
>>> exe="/usr/libexec/ck-get-x11-display-device"
>>> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>>
>> Attached compressed....sigh
>>
> Reran the above in permissive mode. This seemed suspicious:
>
> type=AVC msg=audit(1196779565.801:132): avc: denied { search } for
> pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1196779565.801:132): avc: denied { read } for
> pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5
> success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585
> pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for
> pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc
> ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197
> success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0
> ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> So, I did a 'audit2allow -M localpulse2' on the above.
>
> Here is the .te file:
>
> module localpulse2 1.0;
>
> require {
> 	type xdm_xserver_t;
> 	type xdm_t;
> 	class dir search;
> 	class file { read getattr };
> }
>
> #============= xdm_t ==============
> allow xdm_t xdm_xserver_t:dir search;
> allow xdm_t xdm_xserver_t:file { read getattr };
>
> 'semodule -i localpulse2.pp' makes pulseaudio work.
>
> Should this be added?
>
> tom

I have added this to the latest rawhide policy 3.2.2-1

BTW: a handy tool to see what consolekit thinks of you is

> ck-list-sessions
Session2:
	uid = '3267'
	realname = 'Daniel J Walsh,,978-392-3130,508-485-6146'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty7'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2007-12-04T18:46:05Z'

If it does not show active, then consolekit thinks you are not on the console and will not change the permissions on the devices.

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
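As an added illustration (not code from the thread, and not audit2allow itself), this Python script does for the three permissive-mode AVC records above what `audit2allow -M localpulse2` did: it groups the denied permissions by source type, target type and object class and renders the equivalent .te module. The sample records are the ones Tom pasted, re-joined onto one line each as they appear in audit.log; the regex and the rendering are this example's own.

```python
import re

# Constructed sample input: the AVC records from the thread, one record per
# line as audit.log stores them (the mail client had wrapped them).
SAMPLE_AVCS = """\
type=AVC msg=audit(1196779565.801:132): avc:  denied  { search } for  pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1196779565.801:132): avc:  denied  { read } for  pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1196779565.802:133): avc:  denied  { getattr } for  pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
"""

# Pull the permission set, both contexts and the object class out of one record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type component (user:role:TYPE:range) of a context."""
    return context.split(':')[2]

def collect_rules(text):
    """Map (source type, target type, class) -> ordered list of denied perms."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC decision
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        perms = rules.setdefault(key, [])
        for p in m['perms'].split():
            if p not in perms:
                perms.append(p)
    return rules

def fmt(perms):
    """One permission bare, several in braces, as policy syntax expects."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def render_te(name, rules, version='1.0'):
    """Render a .te module: require block for every type/class, then allow rules.
    Review the result before semodule -i: each rule grants the whole source
    domain the listed access to every object of the target type."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in rules.items():
        for p in perms:
            if p not in classes.setdefault(cls, []):
                classes[cls].append(p)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt(p)};' for c, p in classes.items()]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt(p)};' for (s, t, c), p in rules.items()]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(render_te('localpulse2', collect_rules(SAMPLE_AVCS)), end='')
```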