AVC messages at boot and kdm login (latest Rawhide)
Russell Coker
russell at coker.com.au
Thu Mar 11 13:41:35 UTC 2004
On Thu, 11 Mar 2004 23:38, Aleksey Nogin <aleksey at nogin.org> wrote:
> Mar 11 04:19:44 dell kernel: audit(1079007536.909:0): avc: denied {
> execute } for pid=15 exe=/sbin/init name=bash dev=hda2 ino=3662881
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:shell_exec_t tclass=file
Why is init trying to execute the shell directly? Surely it should be
executing rc.sysinit, sulogin, or something else?
> Mar 11 04:19:49 dell kernel: audit(1079007547.555:0): avc: denied {
> mounton } for pid=327 exe=/bin/mount path=/var/lib/rpc_pipes dev=hda2
> ino=425580 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:var_lib_t tclass=dir
What is this about?
> Mar 11 04:19:49 dell kernel: audit(1079007583.849:0): avc: denied {
> dac_override } for pid=1296 exe=/bin/bash capability=1
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> tclass=capability
> Mar 11 04:19:50 dell kernel: audit(1079007590.445:0): avc: denied {
> fsetid } for pid=1504 exe=/bin/chmod capability=4
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t
> tclass=capability
I guess it doesn't do any harm to add dac_override, I'll put it in my tree.
Why does it need fsetid? What file is it chmod'ing?
> Mar 11 04:19:53 dell kernel: audit(1079007591.541:0): avc: denied {
> dac_override } for pid=1614 exe=/usr/sbin/sendmail.sendmail
> capability=1 scontext=system_u:system_r:sendmail_t
> tcontext=system_u:system_r:sendmail_t tclass=capability
I'll look into this later.
> Mar 11 04:19:53 dell kernel: audit(1079007592.875:0): avc: denied {
> read write } for pid=1661 exe=/usr/sbin/gpm name=gpmdata dev=hda2
> ino=72912 scontext=system_u:system_r:gpm_t
> tcontext=system_u:object_r:device_t tclass=fifo_file
That should have type gpmctl_t, I'll change gpm.fc.
> Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
> ino=4219044 scontext=system_u:system_r:gpm_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
> ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
> ino=4219044 scontext=system_u:system_r:gpm_t
> tcontext=system_u:object_r:device_t tclass=chr_file
How does /dev/input really work? As I understand it event0 could be a
keyboard or a mouse. So maybe we want a separate type for this so that when
using gpm it can access it, but when the user is granted direct mouse access
they can't read the keyboard directly.
Does this make sense?
> Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied {
> read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
> scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:memory_device_t tclass=chr_file
That's a bug in kdm. It should use /dev/random instead. Reading arbitary
kernel memory as a source of random numbers is bogus anyway.
> Mar 11 04:20:36 dell kernel: audit(1079007636.465:0): avc: denied {
> read } for pid=2112 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2
> ino=4219044 scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:object_r:device_t tclass=chr_file
This will be easy to solve once we solve the gpm issue above.
> Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
> write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
> ino=670527 scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:lib_t tclass=file
What directory is this in? We just need to get the directory in question
labeled as var_lib_xdm_t.
> Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
> setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
> scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
dontaudit or allow? What should we do?
It probably doesn't matter much as the default policy does not permit the user
to access the SCSI generic device.
> Mar 11 04:20:52 dell kernel: audit(1079007652.936:0): avc: denied {
> entrypoint } for pid=2131 exe=/usr/bin/kdm path=/etc/kde/kdm/Xsession
> dev=hda2 ino=1226634 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:etc_t tclass=file
/etc/kde/kdm/Xsession -- system_u:object_r:xsession_exec_t
We need to add the above to xdm.fc.
> Mar 11 04:20:54 dell kernel: audit(1079007654.232:0): avc: denied {
> getattr } for pid=2131 exe=/bin/tcsh path=/var/log/messages dev=hda2
> ino=3613840 scontext=user_u:user_r:user_t
> tcontext=system_u:object_r:var_log_t tclass=file
That is because the user is trying to do bad things. The file is set mode
0600 in Unix permissions and equivalent in SE Linux permissions by default.
> And another interesting one I saw later:
>
> Mar 11 04:21:32 dell kernel: audit(1079007691.925:0): avc: denied {
> search } for pid=2363 exe=/usr/bin/ksysguardd
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysctl_dev_t
> tclass=dir
The problem here is that the user wants access to lots of info on the machine,
and we don't want to give it all up. Maybe we can make this a tunable.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list