On 02.02.2012 15:01, Dominick Grift wrote:
> On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
>>[...]
>> which would render gpg-agent probably useless...
>
> I have not encountered similar avc denials here. I wonder what i am
> doing differently.
>
> I you are sure you have configured gpg agent properly , then this may
> indeed be bug in policy.
>
> The SELinux framework aims to make it easy for one to make adjustments
> to policy.
Well, gpg-agent "just" is installed and started by the login process,
with gpg-agent --daemon. The only configuration I was doing was settint
the ttl time and giving "use-agent" to gnupg2. One avc was indeed gone
after enabling the bool gpg_agent_env_file. But it still stumbles over
the socket, which it wants to create in $HOME/.gnupg. Guess I'll have a
look over the policy, in case I can detect something
> [...]
> klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>
> if you want to use unconfined_r as you have specified above than you
> need to map the unconfined_r to the staff_u SELinux user:
>
> semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
Thanks, unconfined_r was missing in the semanage command above.
Still, logging in leaves me with the following denials:
time->Thu Feb 2 15:40:06 2012
type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11
success=yes exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0
ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin" exe="/bin/bash"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.453:145): avc: denied { entrypoint } for
pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3
ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Thu Feb 2 15:40:06 2012
type=SYSCALL msg=audit(1328193606.472:146): arch=40000003 syscall=11
success=yes exit=0 a0=a060525 a1=a057838 a2=a06e958 a3=bfe1ff76 items=0
ppid=1 pid=3291 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="xauth"
exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.472:146): avc: denied { entrypoint } for
pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
----
time->Thu Feb 2 15:40:06 2012
type=SYSCALL msg=audit(1328193606.484:147): arch=40000003 syscall=11
success=yes exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0
ppid=1 pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3
comm="PostLogin" exe="/bin/bash"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.484:147): avc: denied { entrypoint } for
pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3
ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
Which also seems to point to something missing. I checked all labels,
but everything seems fine according to policy. Am I correct in saying
that staff_u:staff_r:staff_t is missing an entrypoint rule for etc_t
files and xauth_exec_t? The former somehow seems mislabeled, as an
entrypoint is associated with a _exec_t?
Thanks,
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name
PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2 669D 2F59 3F34 6E81 5A89
Attachment:
signature.asc
Description: OpenPGP digital signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
