On Jan 26, 2008 1:02 PM, Tom London <selinux@xxxxxxxxx> wrote:
>
> Wow.... lots of stuff generated by -DB. I attach /var/log/audit/audit.log.
>
> Not sure it's relevant, but the only extra console-kit AVC is:
>
> type=AVC msg=audit(1201380675.325:136): avc: denied { sys_tty_config
> } for pid=2728 comm="console-kit-dae" capability=26
> scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
>
> Something else?
>

Oops.... forgot to attach the AVCs... Here is the output from 'audit2allow'; I attach the complete log.

[root@localhost ~]# audit2allow -i logDB

#============= NetworkManager_t ==============
allow NetworkManager_t dhcpc_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t ifconfig_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t initrc_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t nscd_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t security_t:dir { search getattr };
allow NetworkManager_t security_t:file read;

#============= cupsd_t ==============
allow cupsd_t default_context_t:dir search;
allow cupsd_t file_context_t:dir search;
allow cupsd_t file_context_t:file { read getattr };
allow cupsd_t krb5_conf_t:file write;
allow cupsd_t self:process setfscreate;

#============= dhcpc_t ==============
allow dhcpc_t security_t:dir { search getattr };
allow dhcpc_t security_t:file read;
allow dhcpc_t selinux_config_t:dir search;
allow dhcpc_t selinux_config_t:file { read getattr };

#============= hald_acl_t ==============
allow hald_acl_t polkit_auth_t:process { siginh rlimitinh noatsecure };
allow hald_acl_t security_t:dir { search getattr };
allow hald_acl_t security_t:file read;
allow hald_acl_t security_t:filesystem getattr;
allow hald_acl_t selinux_config_t:dir search;
allow hald_acl_t selinux_config_t:file { read getattr };

#============= hald_t ==============
allow hald_t dmidecode_t:process { siginh rlimitinh noatsecure };
allow hald_t hald_acl_t:process { siginh rlimitinh noatsecure };
allow hald_t polkit_auth_t:process { siginh rlimitinh noatsecure };

#============= ifconfig_t ==============
allow ifconfig_t security_t:dir { search getattr };
allow ifconfig_t security_t:file read;
allow ifconfig_t security_t:filesystem getattr;
allow ifconfig_t selinux_config_t:dir search;
allow ifconfig_t selinux_config_t:file { read getattr };

#============= init_t ==============
allow init_t getty_t:process { siginh rlimitinh noatsecure };
allow init_t initrc_t:process { siginh rlimitinh noatsecure };

#============= insmod_t ==============
allow insmod_t tty_device_t:chr_file { read write };
allow insmod_t xdm_xserver_t:tcp_socket { read write };
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= pam_t ==============
allow pam_t user_home_t:file read;

#============= polkit_auth_t ==============
allow polkit_auth_t security_t:dir { search getattr };
allow polkit_auth_t security_t:file read;
allow polkit_auth_t security_t:filesystem getattr;
allow polkit_auth_t selinux_config_t:dir search;
allow polkit_auth_t selinux_config_t:file { read getattr };

#============= setroubleshootd_t ==============
allow setroubleshootd_t rpm_var_lib_t:dir { write add_name };
allow setroubleshootd_t rpm_var_lib_t:file { write create };

#============= system_chkpwd_t ==============
allow system_chkpwd_t security_t:dir { search getattr };
allow system_chkpwd_t security_t:file read;
allow system_chkpwd_t security_t:filesystem getattr;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:process { siginh rlimitinh noatsecure };
allow system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t xdm_t:process ptrace;

#============= udev_t ==============
allow udev_t pam_console_t:process { siginh rlimitinh noatsecure };

#============= unconfined_chkpwd_t ==============
allow unconfined_chkpwd_t security_t:dir { search getattr };
allow unconfined_chkpwd_t security_t:file read;
allow unconfined_chkpwd_t security_t:filesystem getattr;

#============= unconfined_dbusd_t ==============
allow unconfined_dbusd_t unconfined_t:process { siginh rlimitinh noatsecure };
allow unconfined_dbusd_t user_home_t:file append;

#============= xdm_t ==============
allow xdm_t pam_console_t:process { siginh rlimitinh noatsecure };
allow xdm_t system_chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t unconfined_t:process { siginh noatsecure };
allow xdm_t xdm_dbusd_t:process { siginh rlimitinh noatsecure };

#============= xdm_xserver_t ==============
allow xdm_xserver_t insmod_t:process { siginh rlimitinh noatsecure };
allow xdm_xserver_t mono_t:process ptrace;
allow xdm_xserver_t security_t:dir { search getattr };
allow xdm_xserver_t security_t:file read;
allow xdm_xserver_t security_t:filesystem getattr;
allow xdm_xserver_t selinux_config_t:dir search;
allow xdm_xserver_t selinux_config_t:file { read getattr };
allow xdm_xserver_t unconfined_execmem_t:process ptrace;
allow xdm_xserver_t unconfined_t:process ptrace;
allow xdm_xserver_t xdm_t:process ptrace;
[root@localhost ~]#

Any of these look suspicious? (A caveat for anyone reading this later: audit2allow only lists the rules that would silence each denial, not rules that should actually be granted, so this output should not be loaded as a module as-is. Most of the entries — the siginh/rlimitinh/noatsecure process permissions and the security_t/selinux_config_t reads — are the kind that are presumably hidden by dontaudit rules in normal operation, which would explain the volume once dontaudit is disabled. The ones worth investigating before ever allowing are the cross-domain ptrace grants (system_dbusd_t on xdm_t; xdm_xserver_t on unconfined_t, unconfined_execmem_t, mono_t and xdm_t), cupsd_t writing to krb5_conf_t, and insmod_t reading/writing xdm_xserver_t sockets and a tty, which look more like leaked file descriptors or mislabeled files than legitimate access.)

tom
--
Tom London
Attachment:
logDB.gz
Description: GNU Zip compressed data