ainit (xdm_t) wants to write /etc/alsa/pcm/dmix.conf (etc_t) ...

Daniel J Walsh dwalsh at redhat.com
Wed May 25 14:44:13 UTC 2005


Tom London wrote:

>On 5/24/05, Tom London <selinux at gmail.com> wrote:
>  
>
>>On 5/24/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>    
>>
>>>Tom London wrote:
>>>
>>>      
>>>
>>>>Running strict/enforcing, latest rawhide.
>>>>
>>>>Get the following when logging in:
>>>>May 21 13:30:16 fedora gdm(pam_unix)[2946]: session opened for user
>>>>tbl by (uid=0)
>>>>May 21 13:30:16 fedora kernel: audit(1116707416.740:0): avc:  denied
>>>>{ write } for  name=dmix.conf dev=hda2 ino=4523476
>>>>scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
>>>>tclass=file
>>>>May 21 13:30:16 fedora ainit: Failed to open file /etc/alsa/pcm/dmix.conf
>>>>May 21 13:30:16 fedora ainit: Error: Permission denied
>>>>
>>>>The file in question is /etc/alsa/pcm/dmix.conf.
>>>>
>>>>/etc/alsa/ainit.conf has:
>>>>#
>>>># overwrite target files, if exists
>>>>#
>>>>overwrite = yes
>>>>
>>>>#
>>>># first config file - for dmix plugin
>>>>#
>>>>template_0 = /etc/alsa/pcm/dmix.template
>>>>target_0  = /etc/alsa/pcm/dmix.conf
>>>>target_root_file_0 = yes
>>>>
>>>>This seems less than perfect to me....
>>>>Should dmix.conf (and dsnoop.conf) be someplace else? Labeled as
>>>>xdm_rw_etc_t? (I don't know who else needs to read these files....)
>>>>
>>>>tom
>>>>
>>>>
>>>>
>>>>        
>>>>
>>>Do you have any idea if xdm is actually trying to write this file, or
>>>could this just be they used the wrong flags when opening the file?
>>>
>>>      
>>>
>>No idea.
>>
>>I'll test tonight on my 'strict machine'.
>>
>>tom
>>
>>    
>>
>Running strict/permissive, I get this:
>
>May 25 06:19:54 fedora gdm(pam_unix)[2695]: session opened for user
>tbl by (uid=0)
>May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc:  denied 
>{ write } for  pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122
>scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
>tclass=dir
>May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc:  denied 
>{ add_name } for  pid=2739 comm="ainit" name=dmix.conf
>scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
>tclass=dir
>May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc:  denied 
>{ create } for  pid=2739 comm="ainit" name=dmix.conf
>scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
>tclass=file
>May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc:  denied 
>{ write } for  pid=2739 comm="ainit" name=dmix.conf dev=hda2
>ino=4522361 scontext=system_u:system_r:xdm_t
>tcontext=system_u:object_r:etc_t tclass=file
>May 25 06:19:56 fedora gconfd (tbl-2801): starting (version 2.10.0),
>pid 2801 user 'tbl'
>
>So it looks like xdm wants to really create/write this....
>
>Logging out does this:
>
>May 25 06:24:54 fedora gconfd (tbl-2801): Exiting
>May 25 06:24:54 fedora gdm(pam_unix)[2695]: session closed for user tbl
>May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc:  denied 
>{ write } for  pid=3184 comm="ainit" name=pcm dev=hda2 ino=4524122
>scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
>tclass=dir
>May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc:  denied 
>{ remove_name } for  pid=3184 comm="ainit" name=dmix.conf.lock
>dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t
>tcontext=system_u:object_r:etc_t tclass=dir
>May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc:  denied 
>{ unlink } for  pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2
>ino=4522777 scontext=system_u:system_r:xdm_t
>tcontext=system_u:object_r:etc_t tclass=file
>May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc:  denied 
>{ unix_read unix_write } for  pid=3184 comm="ainit" key=1947154681
>scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
>tclass=shm
>May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc:  denied 
>{ associate } for  pid=3184 comm="ainit" key=1947154681
>scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
>tclass=shm
>May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc:  denied 
>{ destroy } for  pid=3184 comm="ainit" key=1947154681
>scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
>tclass=shm
>
>tom
>  
>
OK, looks like we need policy for ainit and this directory.

Anyone up for it?  :^)

Please open a bugzilla, so I will get it done, if no one volunteers.



Dan
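To turn a set of AVC denials like the ones quoted in this thread into candidate type-enforcement rules, and to flag the rules that should not be granted as written, here is an added Python example (not code from the thread, from Fedora, or from audit2allow, though it does in miniature what audit2allow's aggregation step does). It assumes the denial lines have been rejoined onto one line each (the mail quotes them wrapped by syslog); the sample log below is the thread's own login/logout denials reassembled that way. The set of "user domain" type names used for the warnings is an assumption based on the strict policy's staff_t/user_t/sysadm_t.

```python
import re
from collections import defaultdict

# The AVC lines quoted in the thread, rejoined onto one line each (sample input
# built from the page; in practice read /var/log/messages or the audit log).
SAMPLE_LOG = """\
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc:  denied  { write } for  pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc:  denied  { add_name } for  pid=2739 comm="ainit" name=dmix.conf scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc:  denied  { create } for  pid=2739 comm="ainit" name=dmix.conf scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc:  denied  { write } for  pid=2739 comm="ainit" name=dmix.conf dev=hda2 ino=4522361 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc:  denied  { write } for  pid=3184 comm="ainit" name=pcm dev=hda2 ino=4524122 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc:  denied  { remove_name } for  pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc:  denied  { unlink } for  pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc:  denied  { unix_read unix_write } for  pid=3184 comm="ainit" key=1947154681 scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc:  denied  { associate } for  pid=3184 comm="ainit" key=1947154681 scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc:  denied  { destroy } for  pid=3184 comm="ainit" key=1947154681 scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t tclass=shm
"""

# "avc:  denied  { perm perm } for  key=value key="quoted" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed user-domain type names (strict policy); objects owned by these
# belong to a logged-in user's session, not to the system.
USER_DOMAINS = {"staff_t", "user_t", "sysadm_t"}
WRITE_LIKE = {"write", "create", "unlink", "add_name", "remove_name", "rename"}


def parse_avc(line):
    """Return the denied permissions and the source/target types of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "sdomain": fields["scontext"].split(":")[2],   # user:role:type -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denials by (source domain, target type, class), collecting perms and object names."""
    rules = defaultdict(set)
    names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["sdomain"], rec["ttype"], rec["tclass"])
        rules[key].update(rec["perms"])
        if rec["name"]:
            names[key].add(rec["name"])
    return rules, names


def te_rules(rules):
    """Render each group as an allow rule in .te syntax (what a blanket audit2allow would emit)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def review(rules):
    """Flag rules that widen access far beyond what the denial actually needs."""
    warnings = []
    for (s, t, c), perms in sorted(rules.items()):
        if t == "etc_t" and perms & WRITE_LIKE:
            warnings.append(f"{s} {t}:{c}: etc_t labels most of /etc; give the files ainit "
                            f"rewrites their own type instead of a blanket allow")
        if t in USER_DOMAINS:
            warnings.append(f"{s} {t}:{c}: target belongs to a user session; confirm the "
                            f"daemon really needs this before allowing it")
    return warnings


if __name__ == "__main__":
    rules, names = summarize(SAMPLE_LOG)
    for rule in te_rules(rules):
        print(rule)
    for key in sorted(names):
        print("#", key, "->", ", ".join(sorted(names[key])))
    for w in review(rules):
        print("WARNING:", w)
```

On this thread's log the aggregation collapses ten denials into three rules, and the review flags all three: the two etc_t rules because a write allow on etc_t would let xdm_t modify any file under /etc rather than just /etc/alsa/pcm (the relabeling Tom asks about is the narrower fix), and the staff_t shm rule because it shows xdm_t reaching into a user's IPC at logout, which is worth understanding before it is granted.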
