Re: pam_yubico triggering AVC

Agree with Stephen.

Fixed:
https://github.com/fedora-selinux/selinux-policy/commit/adf9ead984c36a9b04361ed6612e938194a98b1f


On 02/14/2017 10:21 PM, Stephen Smalley wrote:
On Tue, 2017-02-14 at 17:13 +0000, Jeremy Young wrote:
I thought it'd be prudent to ask the list's opinion before opening a
bug report.  I'm not experiencing any visible issues, but can
repeatedly generate this AVC, one that only seems to be generated
since I've enabled pam_yubico on my laptop.  I'm fine adding a
dontaudit rule to my local policy but should I send a bug report for
this?  If so, is this an SELinux report or one to Yubico?

Looks like the kernel checks CAP_WAKE_ALARM prematurely in
timerfd_create() and timerfd_settime(); it is only truly required for
CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM.  So we'll likely see
lots of false denials there.  Should flip the order of the tests in the
kernel.  dontaudit should be fine in the interim.

SELinux is preventing gdm-session-wor from using the wake_alarm
capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdm-session-wor should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -X 300 -i my-gdmsessionwor.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        gdm-session-wor
Source Path                   gdm-session-wor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64
Alert Count                   1228
First Seen                    2017-02-13 07:43:45 CST
Last Seen                     2017-02-14 08:36:50 CST
Local ID                      55722700-2042-427e-911c-5ed8fe9aaf8b

Raw Audit Messages
type=AVC msg=audit(1487083010.410:7611): avc:  denied  { wake_alarm } for  pid=699 comm="gdm-session-wor" capability=35  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx



--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
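As an added illustration of the ordering problem Stephen describes (this is my own example, not code from the thread, the kernel or pam_yubico): the program below arms a one-shot timerfd on a given clock and reads back its expiration count. A CLOCK_MONOTONIC timerfd never needs CAP_WAKE_ALARM, yet on a kernel that tests capable(CAP_WAKE_ALARM) before inspecting the clockid this call succeeds while still logging the wake_alarm denial quoted above, which is why a dontaudit is the right interim fix. The helper name and the 1 ms interval are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/timerfd.h>
#include <time.h>
#include <unistd.h>

/* Create a timerfd on `clockid`, arm it once for `ns` nanoseconds, block
 * until it fires and return the expiration count the kernel reports
 * (1 for a one-shot timer).  On failure return -errno. */
static long timerfd_wait_once(clockid_t clockid, long ns)
{
    int fd = timerfd_create(clockid, TFD_CLOEXEC);
    if (fd < 0)
        return -errno;

    struct itimerspec its = {
        .it_value    = { ns / 1000000000L, ns % 1000000000L },
        .it_interval = { 0, 0 },            /* one-shot */
    };
    if (timerfd_settime(fd, 0, &its, NULL) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }

    uint64_t expirations = 0;
    ssize_t n = read(fd, &expirations, sizeof expirations);
    int e = errno;
    close(fd);
    return n == (ssize_t)sizeof expirations ? (long)expirations : -e;
}

int main(void)
{
    /* CLOCK_MONOTONIC never needs CAP_WAKE_ALARM, yet a kernel that calls
     * capable(CAP_WAKE_ALARM) before looking at clockid logs the wake_alarm
     * denial from the thread here while the call itself succeeds. */
    long r = timerfd_wait_once(CLOCK_MONOTONIC, 1000000L);
    printf("CLOCK_MONOTONIC:      %s\n", r > 0 ? "fired" : strerror((int)-r));

    /* Only the alarm clocks legitimately require the capability; without
     * it the kernel returns EPERM (EINVAL on kernels lacking alarm timers). */
    r = timerfd_wait_once(CLOCK_REALTIME_ALARM, 1000000L);
    printf("CLOCK_REALTIME_ALARM: %s\n", r > 0 ? "fired" : strerror((int)-r));
    return 0;
}
```

Run it on an affected kernel in enforcing mode and the first call alone produces a capability2 wake_alarm AVC for the caller's domain; on a kernel with the reordered check only the second call touches the capability.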