Yast and selinux

After logging in to OpenSUSE desktop (KDE) as an unprivileged user, with selinux in permissive mode, I open yast. It prompts for the root password, and after I enter it the yast ui opens. I immediately close yast.
 
During that process, AVCs were logged:
 
type=AVC msg=audit(1274452313.558:5): avc:  denied  { remove_name } for  pid=4461 comm="su" name=".xauthFrgbnl" dev=sda2 ino=55456 scontext=user_u:user_r:user_su_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1274452313.558:6): avc:  denied  { unlink } for  pid=4461 comm="su" name=".xauthFrgbnl" dev=sda2 ino=55456 scontext=user_u:user_r:user_su_t:s0 tcontext=user_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1274452315.321:7): avc:  denied  { lock } for  pid=4506 comm="y2controlcenter" path="/root/.config/Trolltech.conf" dev=sda2 ino=42643 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1274452315.397:8): avc:  denied  { search } for  pid=4509 comm="dbus-daemon" name="root" dev=sda2 ino=237 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1274452315.435:9): avc:  denied  { write } for  pid=4507 comm="dbus-launch" name="4ddb5cab9a9543d629c6f0e90000041b-0" dev=sda2 ino=42675 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1274452315.452:10): avc:  denied  { write } for  pid=4506 comm="y2controlcenter" name="config" dev=sda2 ino=42678 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1274452315.479:11): avc:  denied  { read } for  pid=4506 comm="y2controlcenter" name="cache-linux" dev=sda2 ino=42679 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file
 
It appears that yast is trying to create a new .xauth* file in the root home directory, and removing an old one, under user_su_t.  Then it is trying to get a lock in y2controlcenter and do some other things as user_u. 
 
Maybe it is ok for user_su_t to have access to root's home dir (I'm not sure) but I doubt it is ok to give permission to user_t for those other accesses.  It looks to me as if yast needs some selinux patches.  Do patches exist?
 
How does Fedora handle things like this?
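
Added example, not part of the original post: a small Python parser that groups AVC denials like the ones quoted above by source type, target type and object class, so the split between user_su_t and user_t accesses to admin_home_t is visible at a glance. The function names are illustrative, and the three sample records are copied from the post.

```python
import re
from collections import defaultdict

# Three of the AVC records quoted in the post above (copied verbatim).
SAMPLE = """\
type=AVC msg=audit(1274452313.558:5): avc:  denied  { remove_name } for  pid=4461 comm="su" name=".xauthFrgbnl" dev=sda2 ino=55456 scontext=user_u:user_r:user_su_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1274452315.321:7): avc:  denied  { lock } for  pid=4506 comm="y2controlcenter" path="/root/.config/Trolltech.conf" dev=sda2 ino=42643 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1274452315.452:10): avc:  denied  { write } for  pid=4506 comm="y2controlcenter" name="config" dev=sda2 ino=42678 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def sel_type(context):
    """Type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    out = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # skip non-AVC lines and truncated records
        key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])
        out[key]["perms"].update(rec["perms"])
        out[key]["comms"].add(rec.get("comm", "?"))
    return dict(out)

if __name__ == "__main__":
    for (src, tgt, cls), v in sorted(summarize(SAMPLE).items()):
        perms = " ".join(sorted(v["perms"]))
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} via {sorted(v['comms'])}")
```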
 
