Re: disabling the boolean staff_exec_content prevents future logins after restarts

On 11/07/2017 11:54 AM, sindano sindano wrote:
Hi Lukas,

Ran into the same issue as before even after relabeling the /run files prior to a reboot. The files got relabeled back to the dbusd_tmp_t context (1). The output of the ausearch command can be found below (2).

I'm running Fedora 26:
Linux localhost.localdomain 4.13.10-200.fc26.x86_64 #1 SMP Fri Oct 27 15:34:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
My id is:
$ id
uid=1000(chira) gid=1000(chira) groups=1000(chira),10(wheel) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023



1. restorecon -nrv /run/user/
restorecon: Could not stat /run/user/1000/gvfs: Permission denied.
Would relabel /run/user/1000/dbus-1 from staff_u:object_r:session_dbusd_tmp_t:s0 to staff_u:object_r:user_tmp_t:s0
Would relabel /run/user/1000/dbus-1/services from staff_u:object_r:session_dbusd_tmp_t:s0 to staff_u:object_r:user_tmp_t:s0
Would relabel /run/user/42/dbus-1 from unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0
Would relabel /run/user/42/dbus-1/services from unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0

2. Output of 'ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today' after relabel and restart
----
time->Tue Nov  7 12:25:29 2017
type=USER_AVC msg=audit(1510050329.510:414): pid=1044 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=1700 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Nov  7 12:25:30 2017
type=PROCTITLE msg=audit(1510050330.690:447): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65002D2D6C6F67696E
type=PATH msg=audit(1510050330.690:447): item=0 name="/run/user/1000/bus" inode=33432 dev=00:36 mode=0140666 ouid=1000 ogid=1000 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1510050330.690:447): cwd="/"
type=SOCKADDR msg=audit(1510050330.690:447): saddr=01002F72756E2F757365722F313030302F627573000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1510050330.690:447): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7ffcb94c67a0 a2=6e a3=0 items=1 ppid=1 pid=1700 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1510050330.690:447): avc:  denied  { write } for  pid=1700 comm="gnome-keyring-d" name="bus" dev="tmpfs" ino=33432 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

Hi,

Are you able to reproduce it with the following build?

https://koji.fedoraproject.org/koji/buildinfo?buildID=995729

Thanks,
Lukas.

-BR
Sindano
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx



--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
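Added example (not part of this thread, and not Fedora or Red Hat code): a small Python parser for the ausearch output quoted above. It groups records by audit event id, pulls the denied permissions, source/target contexts and object class out of each AVC and USER_AVC record, and decodes the hex-encoded PROCTITLE (argv) and SOCKADDR (the AF_UNIX path) records of the same event, so the denial reads as "gnome-keyring-daemon --daemonize --login was denied write on sock_file /run/user/1000/bus labeled user_tmp_t" instead of a wall of key=value pairs. The sample input is the thread's own records, with the SOCKADDR zero padding and some SYSCALL fields abridged; records with no permissive= field (the USER_AVC from dbus-daemon) are treated as enforced, which is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the records quoted in the thread above, abridged
# (SOCKADDR zero padding trimmed, a few SYSCALL fields dropped). In practice feed
# in the raw output of `ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today`.
SAMPLE_AUDIT = """\
time->Tue Nov  7 12:25:29 2017
type=USER_AVC msg=audit(1510050329.510:414): pid=1044 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=1700 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Nov  7 12:25:30 2017
type=PROCTITLE msg=audit(1510050330.690:447): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65002D2D6C6F67696E
type=PATH msg=audit(1510050330.690:447): item=0 name="/run/user/1000/bus" inode=33432 dev=00:36 mode=0140666 ouid=1000 ogid=1000 obj=staff_u:object_r:user_tmp_t:s0 nametype=NORMAL
type=SOCKADDR msg=audit(1510050330.690:447): saddr=01002F72756E2F757365722F313030302F62757300000000
type=SYSCALL msg=audit(1510050330.690:447): arch=c000003e syscall=42 success=no exit=-13 pid=1700 auid=1000 uid=1000 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1510050330.690:447): avc:  denied  { write } for  pid=1700 comm="gnome-keyring-d" name="bus" dev="tmpfs" ino=33432 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
"""

AF_UNIX = 1  # sa_family value of AF_UNIX on Linux (hard-coded so this runs anywhere)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, double-quoted values may contain spaces
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")  # the "{ perm perm }" set of an AVC
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")   # "timestamp:serial" shared by records of one event


def parse_kv(line):
    """Split one audit record into key/value pairs, stripping surrounding quotes.
    A key seen twice (the outer msg=audit(...) and the nested msg='avc: ...' of a
    USER_AVC) keeps its last value; the raw line is kept under "_raw"."""
    kv = {k: v.strip("\"'") for k, v in KV_RE.findall(line)}
    kv["_raw"] = line
    return kv


def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded, arguments separated by NUL bytes."""
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(hexstr).split(b"\x00") if a]


def decode_sockaddr(hexstr):
    """SOCKADDR carries the raw struct sockaddr: 2-byte family, then family data.
    Only AF_UNIX is decoded here (the case in this thread); other families come
    back as their numeric value with no path."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")
    if family == AF_UNIX:
        return ("AF_UNIX", raw[2:].split(b"\x00", 1)[0].decode("utf-8", "replace"))
    return (str(family), None)


@dataclass
class Denial:
    event: str
    kind: str            # "AVC" (kernel) or "USER_AVC" (dbus-daemon acting as object manager)
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    subject: str         # comm of the denied process, or spid=N for USER_AVC
    target: str          # decoded socket path, file name, or D-Bus destination
    enforcing: bool
    argv: list = field(default_factory=list)


def parse_denials(text):
    """Group ausearch records by event id and return one Denial per AVC/USER_AVC,
    with the PROCTITLE and SOCKADDR of the same event already decoded."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # "time->" headers and "----" separators
        events.setdefault(m.group(1), []).append(parse_kv(line))

    denials = []
    for event, records in events.items():
        by_type = {r["type"]: r for r in records}
        argv = decode_proctitle(by_type["PROCTITLE"]["proctitle"]) if "PROCTITLE" in by_type else []
        sock = decode_sockaddr(by_type["SOCKADDR"]["saddr"]) if "SOCKADDR" in by_type else (None, None)
        for r in records:
            if r["type"] not in ("AVC", "USER_AVC"):
                continue
            perms = DENIED_RE.search(r["_raw"]).group(1).split()
            subject = r.get("comm") or (f"spid={r['spid']}" if "spid" in r else r.get("exe", "?"))
            target = r.get("dest") or sock[1] or r.get("name", "?")
            # Assumption of this example: no permissive= field means the denial was enforced.
            enforcing = r.get("permissive", "0") == "0"
            denials.append(Denial(event, r["type"], perms, r["scontext"], r["tcontext"],
                                  r["tclass"], subject, target, enforcing, argv))
    return denials


def summarize(text):
    """One human-readable line per denial, suitable for a triage note."""
    out = []
    for d in parse_denials(text):
        who = " ".join(d.argv) if d.argv else d.subject
        mode = "enforced" if d.enforcing else "permissive"
        out.append(f"{d.kind} {d.event}: {who} ({d.scontext}) denied {{ {' '.join(d.perms)} }} "
                   f"on {d.tclass} {d.target} labeled {d.tcontext} [{mode}]")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUDIT):
        print(line)
```

The second summary line is the one that matters for the report above: the subject is staff_gkeyringd_t, the object is the sock_file at /run/user/1000/bus and its label is user_tmp_t, which is exactly what the "Would relabel ... to staff_u:object_r:user_tmp_t:s0" output of restorecon produced. Comparing the decoded tcontext against the label restorecon wants is a quick way to tell a mislabeled file from a missing policy rule.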