Re: Xorg modprobe denials

On Tue, 2007-12-18 at 08:34 -0500, Stephen Smalley wrote:
> On Mon, 2007-12-17 at 22:47 -0500, Chris PeBenito wrote:
> > On Mon, 2007-12-17 at 22:14 -0500, Eamon Walsh wrote:
> > > Attached are some denials that modprobe is encountering while loading 
> > > Xorg DRI kernel modules while X server is starting up.  tty7 is the 
> > > terminal where the X server is being launched (Ctrl-Alt-F7).  I'm aware 
> > > that the Xorg.0.log file is supposed to be labeled xserver_log_t, but my 
> > > guess is that would be denied as well.  Think this may be log messages 
> > > except for the renicing stuff.
> > > 
> > > This is xselinux branch of refpolicy running in enforcing mode.
> > 
> > Based on the other kernel messages, I'm guessing that the insmod
> > succeeded despite the tty and capability denials?  If so I suppose we
> > can dontaudit it.
> 
> I don't think we want to dontaudit the capability denials.

And just to note, denials from insmod can be triggered either by
userspace activity of insmod or by the module initialization code of the
loaded module.

> > > plain text document attachment (audit_x.txt)
> > > Dec 17 21:25:34 moss-charon kernel: audit(1197944734.892:71): avc:  denied  { read write } for  pid=2220 comm="modprobe" name="tty7" dev=tmpfs ino=240 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> > > Dec 17 21:25:34 moss-charon kernel: audit(1197944734.893:72): avc:  denied  { write } for  pid=2220 comm="modprobe" path="/usr/local/var/log/Xorg.0.log" dev=dm-0 ino=5701638 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:object_r:usr_t:s0 tclass=file
> > > Dec 17 21:25:34 moss-charon kernel: audit(1197944734.893:73): avc:  denied  { read write } for  pid=2220 comm="modprobe" path="/dev/tty7" dev=tmpfs ino=240 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> > > Dec 17 21:25:34 moss-charon kernel: audit(1197944734.926:74): avc:  denied  { sys_nice } for  pid=2220 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tclass=capability
> > > Dec 17 21:25:34 moss-charon kernel: [drm] Initialized drm 1.1.0 20060810
> > > Dec 17 21:25:34 moss-charon kernel: audit(1197944734.932:75): avc:  denied  { sys_nice } for  pid=2220 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tclass=capability
> > > Dec 17 21:25:34 moss-charon kernel: ACPI: PCI Interrupt 0000:00:02.0[A] -> GSI 16 (level, low) -> IRQ 16
> > > Dec 17 21:25:34 moss-charon kernel: [drm] Initialized i915 1.11.0 20071122 on minor 0
> > > Dec 17 21:25:34 moss-charon kernel: mtrr: type mismatch for c0000000,10000000 old: write-back new: write-combining
> > > Dec 17 21:25:40 moss-charon kernel: mtrr: type mismatch for c0000000,10000000 old: write-back new: write-combining
> > > 
> > 
-- 
Stephen Smalley
National Security Agency
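
A small triage helper, added here and not part of the thread, that parses the AVC lines quoted above, groups them by source type, target type, object class and permissions, and marks capability denials as needing investigation rather than dontaudit (the position taken in the reply), while leaving the tty and log-file denials as dontaudit candidates. The field names are the standard AVC audit fields; the verdict labels are my own.

```python
import re
from collections import defaultdict

# Kernel log as quoted in the thread; the non-AVC [drm] line is kept to show it is skipped.
SAMPLE_LOG = """\
Dec 17 21:25:34 moss-charon kernel: audit(1197944734.892:71): avc:  denied  { read write } for  pid=2220 comm="modprobe" name="tty7" dev=tmpfs ino=240 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Dec 17 21:25:34 moss-charon kernel: audit(1197944734.893:72): avc:  denied  { write } for  pid=2220 comm="modprobe" path="/usr/local/var/log/Xorg.0.log" dev=dm-0 ino=5701638 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:object_r:usr_t:s0 tclass=file
Dec 17 21:25:34 moss-charon kernel: audit(1197944734.893:73): avc:  denied  { read write } for  pid=2220 comm="modprobe" path="/dev/tty7" dev=tmpfs ino=240 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Dec 17 21:25:34 moss-charon kernel: audit(1197944734.926:74): avc:  denied  { sys_nice } for  pid=2220 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tclass=capability
Dec 17 21:25:34 moss-charon kernel: [drm] Initialized drm 1.1.0 20060810
Dec 17 21:25:34 moss-charon kernel: audit(1197944734.932:75): avc:  denied  { sys_nice } for  pid=2220 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c255 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return one denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    # The third colon-separated field of a context is the type: ...:insmod_t:s0 -> insmod_t
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log):
    """Group denials by (source type, target type, class, perms) and attach a verdict."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "verdict": ""})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])]
        g["count"] += 1
        g["targets"].add(rec.get("path") or rec.get("name") or rec.get("capability", ""))
        if rec["tclass"] == "capability":
            # Per the reply: capability denials stay audited; they may come from userspace
            # modprobe or from the loaded module's init code, and need to be understood.
            g["verdict"] = "investigate"
        else:
            # tty/log-file denials on descriptors inherited from the X server start-up:
            # dontaudit candidates only if the module load itself succeeded.
            g["verdict"] = "dontaudit-candidate"
    return dict(groups)
```

Run `triage(SAMPLE_LOG)` to get three groups: the two tty7 denials collapse into one, the Xorg.0.log write stands alone, and the repeated sys_nice denial is counted twice and flagged for investigation.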

