On Thu, 2012-02-02 at 16:06 +0100, Klaus Lichtenwalder wrote:
> On 02.02.2012 15:01, Dominick Grift wrote:
> > On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
> >>[...]
> >> which would render gpg-agent probably useless...
> >
> > I have not encountered similar avc denials here. I wonder what i am
> > doing differently.
> >
> > I you are sure you have configured gpg agent properly , then this may
> > indeed be bug in policy.
> >
> > The SELinux framework aims to make it easy for one to make adjustments
> > to policy.
>
> Well, gpg-agent "just" is installed and started by the login process,
> with gpg-agent --daemon. The only configuration I was doing was settint
> the ttl time and giving "use-agent" to gnupg2. One avc was indeed gone
> after enabling the bool gpg_agent_env_file. But it still stumbles over
> the socket, which it wants to create in $HOME/.gnupg. Guess I'll have a
> look over the policy, in case I can detect something
I think this should fix it:
mkdir ~/mygpg; cd ~/mygpg; echo "policy_module(mygpg, 1.0.0)
optional_policy(\` gen_require(\` type gpg_agent_t, gpg_secret_t; ')
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)')" >
mygpg.te;
make -f /usr/share/selinux/devel/Makefile mygpg.pp
sudo semodule -i mygpg.pp
> > [...]
> > klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
> >
> > if you want to use unconfined_r as you have specified above than you
> > need to map the unconfined_r to the staff_u SELinux user:
> >
> > semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
>
> Thanks, unconfined_r was missing in the semanage command above.
>
> Still, logging in leaves me with the following denials:
>
> time->Thu Feb 2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11
> success=yes exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0
> ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin" exe="/bin/bash"
> subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.453:145): avc: denied { entrypoint } for
> pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3
> ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> ----
I think this should fix it:
label /etc/lxdm/PreLogin type bin_t
semanage fcontext -a -t bin_t "/etc/lxdm/PreLogin"
restorecon -R -v /etc/lxdm/PreLogin
> time->Thu Feb 2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.472:146): arch=40000003 syscall=11
> success=yes exit=0 a0=a060525 a1=a057838 a2=a06e958 a3=bfe1ff76 items=0
> ppid=1 pid=3291 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="xauth"
> exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.472:146): avc: denied { entrypoint } for
> pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
Not sure about this one but try this:
mkdir ~/myxserver; cd ~/myxserver; echo "policy_module(myxserver, 1.0.0)
optional_policy(\` gen_require(\` type staff_t, xaut_exec_t; ')
can_exec(staff_t, xauth_exec_t)')" > myxserver.te;
make -f /usr/share/selinux/devel/Makefile myxserver.pp
sudo semodule -i myxserver.pp
> ----
> time->Thu Feb 2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.484:147): arch=40000003 syscall=11
> success=yes exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0
> ppid=1 pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3
> comm="PostLogin" exe="/bin/bash"
> subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.484:147): avc: denied { entrypoint } for
> pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3
> ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
I think this should fix it:
label /etc/lxdm/PostLogin type bin_t
semanage fcontext -a -t bin_t "/etc/lxdm/PostLogin"
restorecon -R -v /etc/lxdm/PostLogin
> Which also seems to point to something missing. I checked all labels,
> but everything seems fine according to policy. Am I correct in saying
> that staff_u:staff_r:staff_t is missing an entrypoint rule for etc_t
> files and xauth_exec_t? The former somehow seems mislabeled, as an
> entrypoint is associated with a _exec_t?
>
> Thanks,
> Klaus
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
