Re: Some AVC denials to consider:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/05/2009 01:59 PM, Daniel J Walsh wrote:
On 08/04/2009 08:30 AM, Dominick Grift wrote:
  
dev_rw_generic_files(NetworkManager_t)

    
This looks very wrong.  Need to see AVC related to this.

  
allow consoletype_t device_t:file { read getattr ioctl };

    
THis looks like a mislabeled file.  As Miroslav pointed out later is this the problem with /dev/null being a file?

  
xserver_rw_xdm_home_files(staff_dbusd_t)

    
We should add 

xserver_use_xdm(($1_dbusd_t) to dbus.if
Then add 
allow $1 xdm_home_t:file append_file_perms;
to xserver_use_xdm

  
allow staff_t staff_screen_t:process sigchld;
allow staff_t print_spool_t:dir getattr;
allow staff_t screen_var_run_t:fifo_file read;
    

add
	allow $3 $1_screen_t:process sigchld;
to screen_role_template
Although it does not look like we transition to screen by default now.

Add

	lpd_list_spool(staff_t

to staff.te

allow staff_t screen_var_run_t:fifo_file read;
Looks like a leak, add 

	dontaudit $3 $1_var_run_t:fifo_file read;

to scree_role_template

  
dev_rw_dri(staff_t)

    
This is probably not a good idea,  I believe this is an easy way to attack the system
I think we currently have

	dev_dontaudit_rw_dri($1)

  
allow ifconfig_t device_t:file read;

allow mount_t dgrift_t:unix_stream_socket { read write };

    
Leak?  Whatever is execing mount is leaking a file descriptor.  Added a new plugin to setroubleshoot to detect links BTW.
 
  
allow nscd_t device_t:file read;

allow ifconfig_t device_t:file read;

allow mount_t dgrift_t:unix_stream_socket { read write }

allow nscd_t device_t:file read;

term_use_console(portreserve_t)

    
This seems like strange one.  

  
allow readahead_t proc_kcore_t:file getattr;
    


  
allow readahead_ self:capability net_admin;
    
Rawhide has 

kernel_dontaudit_getattr_core_if(readahead_t)
dontaudit readahead_t self:capability { net_admin sys_tty_config };

  
allow rpcbind_t self:udp_socket listen;

    
Rawhide has

ifdef(`hide_broken_symptoms',`
	dontaudit rpcbind_t self:udp_socket listen;
')
  
allow xdm_dbusd_t xdm_var_lib_t:dir search;

    
Change dbus_role_template to use
xserver_use_xdm,

Add xserver_search_xdm_lib($1) to xserver_use_xdm

  
dev_rw_generic_files(auditctl_t)

    
Looks like a leak
  
allow readahead_t self:capability net_admin;
fs_rw_tmpfs_chr_files(readahead_t)

    
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
is in rawhide
  
fprintd_dbus_chat(staff_sudo_t)

    
Add
	optional_policy(`
		fprintd_dbus_chat($1_sudo_t)
	')
to
	sudo_role_template
  
fprintd_dbus_chat(staff_t)

fprintd_dbus_chat(fprintd_t)

    

Add
	optional_policy(`
		fprintd_dbus_chat($1_t)
	')
to
userdom_restricted_xwindows_user_template


fprintd_dbus_chat(fprintd_t)
Does not make sense.
  
-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
    

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Changes added to selinux-policy-3.6.12-74.fc11 

Thanks
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux