Tom London wrote:
> Running today's rawhide, targeted/enforcing.
>
> Booting up after applying today's updates, sound is disabled, and the
> following AVCs:
>
> type=AVC msg=audit(1201370968.279:17): avc: denied { execute } for
> pid=3936 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0
> ino=5490198 scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1201370968.279:17): arch=40000003 syscall=11
> success=no exit=-13 a0=9253c30 a1=9253bb0 a2=9253008 a3=de799c items=0
> ppid=3935 pid=3936 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon-lau"
> exe="/lib/dbus-1/dbus-daemon-launch-helper"
> subj=system_u:system_r:system_dbusd_t:s0 key=(null)
> type=AVC msg=audit(1201370973.064:18): avc: denied { execute } for
> pid=4149 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0
> ino=5490198 scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1201370973.064:18): arch=40000003 syscall=11
> success=no exit=-13 a0=9113c30 a1=9113bb0 a2=9113008 a3=de799c items=0
> ppid=4148 pid=4149 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon-lau"
> exe="/lib/dbus-1/dbus-daemon-launch-helper"
> subj=system_u:system_r:system_dbusd_t:s0 key=(null)
> <<< REPEATS >>>
>
> #============= system_dbusd_t ==============
> allow system_dbusd_t consolekit_exec_t:file execute;
>
> Rebooting in permissive mode enables sound, but produces a host of
> AVCs (/var/log/audit/audit.log attached):
>
> #============= system_dbusd_t ==============
> allow system_dbusd_t NetworkManager_t:dir search;
> allow system_dbusd_t NetworkManager_t:file { read getattr };
> allow system_dbusd_t NetworkManager_t:process ptrace;
> allow system_dbusd_t consolekit_exec_t:file { read execute execute_no_trans };
> allow system_dbusd_t hald_t:dbus send_msg;
> allow system_dbusd_t hald_t:dir search;
> allow system_dbusd_t hald_t:file { read getattr };
> allow system_dbusd_t hald_t:process ptrace;
> allow system_dbusd_t polkit_auth_t:dbus send_msg;
> allow system_dbusd_t polkit_auth_t:dir search;
> allow system_dbusd_t polkit_auth_t:file { read getattr };
> allow system_dbusd_t self:capability { sys_nice sys_ptrace };
> allow system_dbusd_t self:fifo_file getattr;
> allow system_dbusd_t self:process getsched;
> allow system_dbusd_t system_crond_var_lib_t:dir search;
> allow system_dbusd_t system_crond_var_lib_t:file read;
> allow system_dbusd_t tty_device_t:chr_file { read ioctl };
> allow system_dbusd_t unconfined_t:dbus send_msg;
> allow system_dbusd_t unconfined_t:dir search;
> allow system_dbusd_t unconfined_t:file { read getattr };
> allow system_dbusd_t unconfined_t:process ptrace;
> allow system_dbusd_t var_log_t:dir search;
> allow system_dbusd_t var_log_t:file { read getattr append setattr };
> allow system_dbusd_t xdm_t:dbus send_msg;
> allow system_dbusd_t xdm_t:dir search;
> allow system_dbusd_t xdm_t:file { read getattr };
> allow system_dbusd_t xdm_t:process ptrace;
>
> Nothing seems mislabeled in /etc, /*bin, /lib, /usr/*bin, ....
>
> tom
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

A new transition from dbus to consolekit is necessary. I guess as of
this update dbus now starts consolekit and policykit. So I updated
tonight's policy to provide the transition.
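
As an added illustration (not part of the original thread, and not audit2allow's own code), the sketch below parses the two AVC records quoted above into the same allow rule shown in the message, and separately flags execute denials on a `*_exec_t` file type, the case where the reply's domain transition is the fix rather than a bare allow. The function names and the `_exec_t` suffix heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message above, rejoined onto one line each
# (SYSCALL records are left out; only AVC records carry the denial itself).
_CTX = ('scontext=system_u:system_r:system_dbusd_t:s0 '
        'tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file')
SAMPLE = "\n".join(
    f'type=AVC msg=audit({stamp}): avc: denied {{ execute }} for pid={pid} '
    f'comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=5490198 {_CTX}'
    for stamp, pid in (("1201370968.279:17", 3936), ("1201370973.064:18", 4149)))

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if src == tgt:
            tgt = "self"  # same convention as the self: rules quoted above
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def render_rules(rules):
    """Render the collected denials as allow rules, one per (src, tgt, class)."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return out

def transition_candidates(rules):
    """Heuristic (assumption): an execute denial on a *_exec_t file usually
    means the caller should transition into the daemon's domain instead."""
    return sorted((src, tgt) for (src, tgt, tclass), perms in rules.items()
                  if tclass == "file" and "execute" in perms
                  and tgt.endswith("_exec_t"))

if __name__ == "__main__":
    denials = collect_denials(SAMPLE)
    print("\n".join(render_rules(denials)))
    print("review for domain transition:", transition_candidates(denials))
```
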