key {search write} for xdm_t (and /sbin/su)?

Tomas Mraz tmraz at redhat.com
Mon Jul 17 08:59:33 UTC 2006 

On Sat, 2006-07-15 at 09:50 -0700, Tom London wrote:
> Running latest rawhide, targeted/enforcing.
> 
> Notice the following in /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1152981861.606:20): avc:  denied  { search } for
> pid=2505 comm="gdm-binary"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c255
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=key
> type=SYSCALL msg=audit(1152981861.606:20): arch=40000003 syscall=288
> success=no exit=-13 a0=3 a1=292e05f8 a2=35ce48 a3=7ce759 items=0
> ppid=2471 pid=2505 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0
> sgid=500 fsgid=0 tty=(none) comm="gdm-binary"
> exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c255
> key=(null)
> 
> type=AVC msg=audit(1152981872.490:26): avc:  denied  { write } for
> pid=2804 comm="gdm-binary"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c255
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=key
> type=SYSCALL msg=audit(1152981872.490:26): arch=40000003 syscall=288
> success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=1f4 items=0
> ppid=2471 pid=2804 auid=4294967295 uid=500 gid=500 euid=0 suid=0
> fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="gdm-binary"
> exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c255
> key=(null)
> 
> and
> 
> type=AVC msg=audit(1152981908.300:32): avc:  denied  { write } for
> pid=3037 comm="su" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=key
> type=SYSCALL msg=audit(1152981908.300:32): arch=40000003 syscall=288
> success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0
> ppid=2984 pid=3037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500
> sgid=500 fsgid=500 tty=pts0 comm="su" exe="/bin/su"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> 
> Believe the second results from me entering 'su -'.

This is caused by adding pam_keyinit.so to default configurations of
gdm, su and other login services. It will also be added
to /etc/pam.d/system-auth(-ac) so it will be called for all services
calling pam_open_session. This module initializes the user's session
keyring in kernel so that should be probably allowed.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

More information about the fedora-selinux-list mailing list