pulseaudio, policykit - works in permissive, fails in enforcing

Daniel J Walsh dwalsh at redhat.com
Wed Dec 5 16:25:31 UTC 2007



Tom London wrote:
> On Dec 3, 2007 3:54 PM, Tom London <selinux at gmail.com> wrote:
>> On Dec 3, 2007 3:50 PM, Tom London <selinux at gmail.com> wrote:
>>> Forgot to attach the AVCs......
>>>
>>> Does this one look suspicious?
>>>
>>> type=AVC msg=audit(1196722543.811:703): avc:  denied  { search } for
>>> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
>>> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
>>> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
>>> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
>>> exe="/usr/libexec/ck-get-x11-display-device"
>>> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>>
>> Attached compressed....sigh
>>
> Reran the above in permissive mode.  This seemed suspicious:
> 
> type=AVC msg=audit(1196779565.801:132): avc:  denied  { search } for
> pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1196779565.801:132): avc:  denied  { read } for
> pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5
> success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585
> pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1196779565.802:133): avc:  denied  { getattr } for
> pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc
> ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197
> success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0
> ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> 
> So, I did a 'audit2allow -M localpulse2' on the above.
> 
> Here is the .te file:
> 
> module localpulse2 1.0;
> 
> require {
>         type xdm_xserver_t;
>         type xdm_t;
>         class dir search;
>         class file { read getattr };
> }
> 
> #============= xdm_t ==============
> allow xdm_t xdm_xserver_t:dir search;
> allow xdm_t xdm_xserver_t:file { read getattr };
> 
> 'semodule -i localpulse2.pp' makes pulseaudio work.
> 
> Should this be added?
> 
> tom
I have added this to the latest rawhide policy 3.2.2-1

BTW: a handy tool to see what consolekit thinks of you is


> ck-list-sessions
Session2:
        uid = '3267'
        realname = 'Daniel J Walsh,,978-392-3130,508-485-6146'
        seat = 'Seat1'
        session-type = ''
        active = TRUE
        x11-display = ':0'
        x11-display-device = '/dev/tty7'
        display-device = ''
        remote-host-name = ''
        is-local = TRUE
        on-since = '2007-12-04T18:46:05Z'


If it does not show active, then consolekit thinks you are not on the
console and will not change the permissions on the devices.
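To make the mapping from the quoted AVC records to the allow rules in Tom's localpulse2.te explicit, here is an added Python example (not audit2allow itself, and not part of the thread) that parses the three AVC lines above and renders a module source in the same layout; the sample text and the module name are taken from the quoted messages, everything else is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the thread (SYSCALL records
# are omitted, since only the AVC lines carry the contexts and permissions).
SAMPLE_AVCS = """\
type=AVC msg=audit(1196779565.801:132): avc:  denied  { search } for pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1196779565.801:132): avc:  denied  { read } for pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1196779565.802:133): avc:  denied  { getattr } for pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
"""

# Matches the permission set and the source/target contexts of a denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Map (source type, target type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (e.g. a SYSCALL line)
        key = (domain_type(m["scon"]), domain_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def to_te(rules, module_name, version="1.0"):
    # Render the require block and one allow rule per (source, target, class).
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {src} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {s} {t}:{c} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"
```

Running `print(to_te(parse_avcs(SAMPLE_AVCS), "localpulse2"))` reproduces the two allow rules from the thread, which is a useful way to confirm what a generated module grants before installing it with semodule.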