On Tue, 2017-02-14 at 17:13 +0000, Jeremy Young wrote:
> I thought it'd be prudent to ask the list's opinion before opening a
> bug report. I'm not experiencing any visible issues, but can
> repeatedly generate this AVC, one that only seems to be generated
> since I've enabled pam_yubico on my laptop. I'm fine adding a
> dontaudit rule to my local policy but should I send a bug report for
> this? If so, is this an SELinux report or one to Yubico?

Looks like the kernel checks CAP_WAKE_ALARM prematurely in
timerfd_create() and timerfd_settime(); it is only truly required for
CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM. So we'll likely see lots
of false denials there. Should flip the order of the tests in the
kernel. dontaudit should be fine in the interim.

> SELinux is preventing gdm-session-wor from using the wake_alarm
> capability.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that gdm-session-wor should have the wake_alarm
> capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
> # semodule -X 300 -i my-gdmsessionwor.pp
>
> Additional Information:
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Objects                Unknown [ capability2 ]
> Source                        gdm-session-wor
> Source Path                   gdm-session-wor
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP
>                               Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64
> Alert Count                   1228
> First Seen                    2017-02-13 07:43:45 CST
> Last Seen                     2017-02-14 08:36:50 CST
> Local ID                      55722700-2042-427e-911c-5ed8fe9aaf8b
>
> Raw Audit Messages
> type=AVC msg=audit(1487083010.410:7611): avc: denied { wake_alarm } for pid=699 comm="gdm-session-wor" capability=35 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
>
>
> Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
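The ordering problem the reply describes, as an added example that is not part of the thread and not the kernel's own code: a userspace model of the two possible check orderings in timerfd_create()/timerfd_settime(), with a counting stand-in for capable() so the audited side effect shows up as a call count, plus a real reproducer that arms a non-alarm timerfd the way any unprivileged process may. The thread does not show the kernel source or the call path by which pam_yubico/gdm reaches timerfd; the model only reproduces the short-circuit ordering the reply points at, and the names check_order_old, check_order_fixed and arm_monotonic_timerfd are mine.

```c
/* Added example, not from the thread or the kernel tree: models why a
 * capability test placed before the clock-id test produces SELinux
 * { wake_alarm } denials for callers that never asked for an alarm clock. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/timerfd.h>
#include <time.h>
#include <unistd.h>

/* Counts how often the stand-in for capable(CAP_WAKE_ALARM) is consulted.
 * In the real kernel every failed capable() call is what SELinux records
 * as a denial on class capability2, whether or not the result matters. */
static int cap_checks;

static int model_capable_wake_alarm(int has_cap)
{
    cap_checks++;
    return has_cap;
}

static int is_alarm_clock(int clockid)
{
    return clockid == CLOCK_REALTIME_ALARM || clockid == CLOCK_BOOTTIME_ALARM;
}

/* Ordering the reply describes as premature: the capability is tested
 * first, so capable() runs (and is audited) even for CLOCK_MONOTONIC.
 * Returns 0 on success, -EPERM when the call would be rejected. */
int check_order_old(int clockid, int has_cap)
{
    if (!model_capable_wake_alarm(has_cap) && is_alarm_clock(clockid))
        return -EPERM;
    return 0;
}

/* Flipped ordering: the clock id is tested first, so capable() is only
 * reached for the two alarm clocks that actually need CAP_WAKE_ALARM. */
int check_order_fixed(int clockid, int has_cap)
{
    if (is_alarm_clock(clockid) && !model_capable_wake_alarm(has_cap))
        return -EPERM;
    return 0;
}

/* Runs one ordering; returns how many times capable() was consulted and
 * stores the ordering's result in *ret. */
int capable_calls_for(int (*order)(int, int), int clockid, int has_cap, int *ret)
{
    cap_checks = 0;
    *ret = order(clockid, has_cap);
    return cap_checks;
}

/* Real reproducer: a one-shot CLOCK_MONOTONIC timerfd, which needs no
 * capability at all. On an affected kernel this path alone is enough to
 * log a wake_alarm denial. Returns the expiration count read (1) or -errno. */
int arm_monotonic_timerfd(void)
{
    int fd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
    if (fd < 0)
        return -errno;
    struct itimerspec its = { .it_value.tv_nsec = 10 * 1000 * 1000 }; /* 10 ms */
    if (timerfd_settime(fd, 0, &its, NULL) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    uint64_t expirations = 0;
    ssize_t n = read(fd, &expirations, sizeof expirations); /* blocks until expiry */
    int e = errno;
    close(fd);
    if (n != (ssize_t)sizeof expirations)
        return n < 0 ? -e : -EIO;
    return (int)expirations;
}

int main(void)
{
    int ret;
    printf("old order,   CLOCK_MONOTONIC,      no cap: capable() x%d, ret=%d\n",
           capable_calls_for(check_order_old, CLOCK_MONOTONIC, 0, &ret), ret);
    printf("fixed order, CLOCK_MONOTONIC,      no cap: capable() x%d, ret=%d\n",
           capable_calls_for(check_order_fixed, CLOCK_MONOTONIC, 0, &ret), ret);
    printf("fixed order, CLOCK_REALTIME_ALARM, no cap: capable() x%d, ret=%d\n",
           capable_calls_for(check_order_fixed, CLOCK_REALTIME_ALARM, 0, &ret), ret);
    int r = arm_monotonic_timerfd();
    if (r < 0)
        printf("timerfd: %s\n", strerror(-r));
    else
        printf("timerfd expired %d time(s)\n", r);
    return 0;
}
```

Both orderings reject the same calls and allow the same calls; the only difference is whether capable() is consulted for non-alarm clocks, which is exactly the difference between a spurious audit record and none. Run the reproducer as an unprivileged user on an affected kernel while watching `ausearch -m AVC -ts recent` to confirm the denial appears without any alarm clock being requested.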