Running today's rawhide, targeted/enforcing.

Booting up after applying today's updates, sound is disabled, and the following AVCs:

type=AVC msg=audit(1201370968.279:17): avc: denied { execute } for pid=3936 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=5490198 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1201370968.279:17): arch=40000003 syscall=11 success=no exit=-13 a0=9253c30 a1=9253bb0 a2=9253008 a3=de799c items=0 ppid=3935 pid=3936 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
type=AVC msg=audit(1201370973.064:18): avc: denied { execute } for pid=4149 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=5490198 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1201370973.064:18): arch=40000003 syscall=11 success=no exit=-13 a0=9113c30 a1=9113bb0 a2=9113008 a3=de799c items=0 ppid=4148 pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

<<< REPEATS >>>

#============= system_dbusd_t ==============
allow system_dbusd_t consolekit_exec_t:file execute;

Rebooting in permissive mode enables sound, but produces a host of AVCs (/var/log/audit/audit.log attached):

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:dir search;
allow system_dbusd_t NetworkManager_t:file { read getattr };
allow system_dbusd_t NetworkManager_t:process ptrace;
allow system_dbusd_t consolekit_exec_t:file { read execute execute_no_trans };
allow system_dbusd_t hald_t:dbus send_msg;
allow system_dbusd_t hald_t:dir search;
allow system_dbusd_t hald_t:file { read getattr };
allow system_dbusd_t hald_t:process ptrace;
allow system_dbusd_t polkit_auth_t:dbus send_msg;
allow system_dbusd_t polkit_auth_t:dir search;
allow system_dbusd_t polkit_auth_t:file { read getattr };
allow system_dbusd_t self:capability { sys_nice sys_ptrace };
allow system_dbusd_t self:fifo_file getattr;
allow system_dbusd_t self:process getsched;
allow system_dbusd_t system_crond_var_lib_t:dir search;
allow system_dbusd_t system_crond_var_lib_t:file read;
allow system_dbusd_t tty_device_t:chr_file { read ioctl };
allow system_dbusd_t unconfined_t:dbus send_msg;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read getattr };
allow system_dbusd_t unconfined_t:process ptrace;
allow system_dbusd_t var_log_t:dir search;
allow system_dbusd_t var_log_t:file { read getattr append setattr };
allow system_dbusd_t xdm_t:dbus send_msg;
allow system_dbusd_t xdm_t:dir search;
allow system_dbusd_t xdm_t:file { read getattr };
allow system_dbusd_t xdm_t:process ptrace;

Nothing seems mislabeled in /etc, /*bin, /lib, /usr/*bin, ....

tom
-- 
Tom London
Attachment:
log2
Description: Binary data
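
How raw AVC denial records of the kind quoted in this report collapse into a per-domain allow-rule summary, as an added example that is not part of the original post and is not audit2allow's own code. The function names are hypothetical, and the sample log is constructed: the first three records are trimmed from the report, the last two are invented to show permission merging and the "self" target.

```python
import re
from collections import OrderedDict

# Fields the summary needs from an AVC record: permission set, contexts, class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

# Constructed sample (see the lead-in for which records are invented).
SAMPLE = """\
type=AVC msg=audit(1201370968.279:17): avc: denied { execute } for pid=3936 comm="dbus-daemon-lau" name="console-kit-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1201370968.279:17): arch=40000003 syscall=11 success=no exit=-13
type=AVC msg=audit(1201370973.064:18): avc: denied { execute } for pid=4149 comm="dbus-daemon-lau" name="console-kit-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=AVC msg=audit(1.000:19): avc: denied { read execute_no_trans } for pid=1 comm="dbus-daemon-lau" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=AVC msg=audit(2.000:20): avc: denied { getsched } for pid=1 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
"""

def selinux_type(context):
    """user:role:type[:mls-range] -> type (the only field allow rules use)."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source_type, target_type, tclass) -> perms in first-seen order."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        src, tgt = selinux_type(m["src"]), selinux_type(m["tgt"])
        # A domain acting on its own type is written as "self" in policy.
        key = (src, "self" if src == tgt else tgt, m["cls"])
        perms = rules.setdefault(key, [])
        perms.extend(p for p in m["perms"].split() if p not in perms)
    return rules

def render(rules):
    """Format the merged denials as allow statements, one per key."""
    out = []
    for (src, tgt, cls), perms in rules.items():
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

Repeated denials add nothing to the summary, so the number of rules reflects distinct accesses rather than log volume; each generated rule still needs review before it goes into policy.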