New AVCs with today's rawhide.... (mostly xdm related)
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 10 15:00:25 UTC 2008
Tom London wrote:
> On Mon, Mar 10, 2008 at 6:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Tom London wrote:
>> > Running rawhide, targeted.
>> >
>> > Had problems after today's rawhide update.
>> >
>> > Booting in permissive mode produced:
>> >
>> >
>> > module localxdm 1.0;
>> >
>> > require {
>> > type unconfined_t;
>> > type security_t;
>> > type xdm_var_lib_t;
>> > type syslogd_t;
>> > type unconfined_execmem_t;
>> > type xdm_xserver_t;
>> > type system_map_t;
>> > type mono_t;
>> > type xdm_t;
>> > type mount_t;
>> > class unix_stream_socket { read write };
>> > class x_property read;
>> > class security { check_context compute_create compute_av };
>> > class file { read write getattr };
>> > class dir { write read mounton };
>> > }
>> >
>> > #============= mono_t ==============
>> > allow mono_t unconfined_t:x_property read;
>> >
>> > #============= mount_t ==============
>> > allow mount_t xdm_t:unix_stream_socket { read write };
>> > allow mount_t xdm_var_lib_t:dir { write read mounton };
>> >
>> > #============= syslogd_t ==============
>> > allow syslogd_t system_map_t:file { read getattr };
>> >
>> > #============= unconfined_execmem_t ==============
>> > allow unconfined_execmem_t unconfined_t:x_property read;
>> > allow unconfined_execmem_t xdm_t:x_property read;
>> >
>> > #============= xdm_t ==============
>> > allow xdm_t xdm_var_lib_t:dir mounton;
>> >
>> > #============= xdm_xserver_t ==============
>> > allow xdm_xserver_t security_t:dir read;
>> > allow xdm_xserver_t security_t:file { write read };
>> > allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
>> >
>> > I'll attach the raw audit file below.
>> >
>> > In addition, there were two avcs produced in /var/log/messages before
>> > the start of audit:
>> >
>> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
>> > avc: denied { read } for pid=2257 comm="rsyslogd"
>> > name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>> > scontext=system_u:system_r:syslogd_t:s0
>> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
>> > avc: denied { getattr } for pid=2257 comm="rsyslogd"
>> > path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>> > scontext=system_u:system_r:syslogd_t:s0
>> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>> >
>> > Not sure all of these need to be "allow", but "semodule -i
>> > localxdm.pp" makes the system boot and run in enforcing mode.
>> >
>> > tom
>> >
>> Tom are you saying the machine would not boot in enforcing mode without
>> these changes?
>
> Uhhh.... please ignore the above.
>
> Not sure I understand, but except for the syslog_t ones, I no longer
> get these AVC when booting in enforcing. All is fine.
>
> Sorry for the false report.
>
> tom
>
>
No, the X ones are being caused by booting in permissive mode. The
system attempts to turn on X Controls, whereas they are denied without
a boolean setting in enforcing.
getsebool xserver_object_manager
I am not sure whether the syslog_t one is a bug or does it really need
that access.
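As an added illustration, not part of this thread and not the code of audit2allow itself: the localxdm module Tom posted is what audit2allow produces by folding each AVC denial into an allow rule keyed on the source type, the target type and the object class, merging the permissions of repeated denials. The script below does that same folding for the two rsyslogd lines quoted above (copied verbatim) plus one constructed mount_t line modelled on the `allow mount_t xdm_var_lib_t:dir` rule in the module; the function and variable names are this example's own, and the rendered module differs from audit2allow's layout in minor ways (no per-domain comment headers). It is worth having by hand precisely because of Dan's point: rules generated from a permissive boot include accesses that enforcing mode would never attempt, so the output of a run like this is a list of things to review, not a policy to install unread.

```python
import re
from collections import OrderedDict

# Constructed sample input. The first two lines are the rsyslogd denials quoted
# in the thread; the third is made up for this example (mount_t against
# xdm_var_lib_t, matching a rule in the posted module).
SAMPLE_AVCS = """\
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:53 localhost kernel: type=1400 audit(1204998592.101:5): avc: denied { write read } for pid=2301 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir
"""

# Only "denied" records matter; "granted" records (auditallow) are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(text):
    """Group denials by (source type, target type, class) and merge their
    permissions in first-seen order, as audit2allow folds repeats into one rule."""
    rules = OrderedDict()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        perms = rules.setdefault(key, [])
        for p in avc["perms"]:
            if p not in perms:
                perms.append(p)
    return rules


def format_perms(perms):
    """Single permission bare, several in braces, policy-language style."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name, version="1.0"):
    """Render a loadable-module source (.te) with a require block and allow rules."""
    types = []
    classes = OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        for t in (stype, ttype):
            if t not in types:
                types.append(t)
        cls = classes.setdefault(tclass, [])
        for p in perms:
            if p not in cls:
                cls.append(p)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, format_perms(p)) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, format_perms(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Prints a module equivalent to the first lines of Tom's localxdm.
    print(render_module(collect_rules(SAMPLE_AVCS), "localxdm"))
```

In practice the input would be `ausearch -m avc` output or the kernel lines from /var/log/messages, and the rendered .te still has to go through checkmodule and semodule_package (or simply `audit2allow -M`) before `semodule -i`. The value of reading the folded rules first is that a rule such as xdm_xserver_t accessing security_t stands out as the X object-manager initialisation Dan describes rather than something a local policy should grant.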