-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom London wrote:
> On Mon, Mar 10, 2008 at 6:37 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Tom London wrote:
>> > Running rawhide, targeted.
>> >
>> > Had problems after today's rawhide update.
>> >
>> > Booting in permissive mode produced:
>> >
>> > module localxdm 1.0;
>> >
>> > require {
>> >         type unconfined_t;
>> >         type security_t;
>> >         type xdm_var_lib_t;
>> >         type syslogd_t;
>> >         type unconfined_execmem_t;
>> >         type xdm_xserver_t;
>> >         type system_map_t;
>> >         type mono_t;
>> >         type xdm_t;
>> >         type mount_t;
>> >         class unix_stream_socket { read write };
>> >         class x_property read;
>> >         class security { check_context compute_create compute_av };
>> >         class file { read write getattr };
>> >         class dir { write read mounton };
>> > }
>> >
>> > #============= mono_t ==============
>> > allow mono_t unconfined_t:x_property read;
>> >
>> > #============= mount_t ==============
>> > allow mount_t xdm_t:unix_stream_socket { read write };
>> > allow mount_t xdm_var_lib_t:dir { write read mounton };
>> >
>> > #============= syslogd_t ==============
>> > allow syslogd_t system_map_t:file { read getattr };
>> >
>> > #============= unconfined_execmem_t ==============
>> > allow unconfined_execmem_t unconfined_t:x_property read;
>> > allow unconfined_execmem_t xdm_t:x_property read;
>> >
>> > #============= xdm_t ==============
>> > allow xdm_t xdm_var_lib_t:dir mounton;
>> >
>> > #============= xdm_xserver_t ==============
>> > allow xdm_xserver_t security_t:dir read;
>> > allow xdm_xserver_t security_t:file { write read };
>> > allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
>> >
>> > I'll attach the raw audit file below.
>> >
>> > In addition, there were two avcs produced in /var/log/messages before
>> > the start of audit:
>> >
>> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
>> > avc: denied { read } for pid=2257 comm="rsyslogd"
>> > name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>> > scontext=system_u:system_r:syslogd_t:s0
>> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
>> > avc: denied { getattr } for pid=2257 comm="rsyslogd"
>> > path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>> > scontext=system_u:system_r:syslogd_t:s0
>> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>> >
>> > Not sure all of these need to be "allow", but "semodule -i
>> > localxdm.pp" makes the system boot and run in enforcing mode.
>> >
>> > tom
>> >
>> > ------------------------------------------------------------------------
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list@xxxxxxxxxx
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Tom are you saying the machine would not boot in enforcing mode without
>> these changes?
>
> Uhhh.... please ignore the above.
>
> Not sure I understand, but except for the syslog_t ones, I no longer
> get these AVC when booting in enforcing. All is fine.
>
> Sorry for the false report.
>
> tom
>
No, the X ones are being caused by booting in permissive mode. The system
attempts to turn on X Controls, whereas they are denied without a boolean
setting in enforcing.

getsebool xserver_object_manager

I am not sure whether the syslog_t one is a bug or whether it really
needs that access.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfVTQkACgkQrlYvE4MpobMVdQCg1Woz7b3eZ19AjmHC3BJ9WYbV
mzgAnjjhNJ7eRsIT7F4OyAh5UEM+asSP
=Z/5b
-----END PGP SIGNATURE-----
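The thread shows the two halves of the usual workflow: raw `avc: denied` lines in /var/log/messages, and the `allow` rules that audit2allow derived from them. The script below is an added example, written for this page and not code from the thread or from Fedora's own policy tools; it walks the same path for the two rsyslogd denials quoted above, grouping permissions per (source type, target type, class) and rendering a TE module in the layout of Tom's localxdm module. The module name `localsyslog` and the third, unrelated kernel line in the sample log are constructed for the example. Parsing is the mechanical part; whether syslogd_t should really be granted access to system_map_t, the question Dan leaves open, still has to be decided by reading the rule, which is exactly why the output is meant to be reviewed rather than loaded blindly with `semodule -i`.

```python
"""Derive candidate SELinux allow rules from 'avc: denied' log lines.

Added example for the thread above; this is not audit2allow itself, it
just reproduces the grouping audit2allow performs so that each allow rule
can be traced back to the denials behind it.
"""
import re
from collections import defaultdict

# The two rsyslogd denials quoted in the thread, with the line breaks the
# mail client inserted joined back into single syslog lines.  The last
# line is a constructed non-AVC kernel message to show it is skipped.
SAMPLE_LOG = """\
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:53 localhost kernel: constructed unrelated kernel message
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type.  Index 2 is stable even when an
    MLS range such as s0-s0:c0.c1023 adds further colons."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the fields of one 'avc: denied' line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # the kernel logs either a path or just the final name component
        "object": fields.get("path") or fields.get("name"),
    }


def collect_denials(text):
    """Union the denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def perm_set(perms):
    """Render permissions in TE syntax: one bare word or a braced set."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def allow_rule(key, perms):
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {perm_set(perms)};"


def render_module(name, rules, version="1.0"):
    """Emit a TE file in the layout of the thread's localxdm module:
    module line, require block, then rules grouped by source type."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {perm_set(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    by_source = defaultdict(list)
    for key in sorted(rules):
        by_source[key[0]].append(key)
    for src in sorted(by_source):
        out.append(f"#============= {src} ==============")
        out += [allow_rule(k, rules[k]) for k in by_source[src]]
        out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(render_module("localsyslog", collect_denials(SAMPLE_LOG)))
```

Run stand-alone it prints a module whose single rule is `allow syslogd_t system_map_t:file { getattr read };`, the same rule as the syslogd_t section of localxdm (permission order aside). The useful part for review is the `object` field kept by `parse_avc`: seeing that the target is /boot/System.map is what lets you judge whether the access is legitimate for the daemon, which no amount of rule generation answers on its own.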