Rawhide kernel/etc. breaks sound, system_dbusd_t AVCs

Tom London selinux at gmail.com
Sat Jan 26 23:27:21 UTC 2008


On Jan 26, 2008 1:02 PM, Tom London <selinux at gmail.com> wrote:
>
> Wow.... lots of stuff generated by -DB. I attach /var/log/audit/audit.log.
>
> Not sure it's relevant, but the only extra console-kit AVC is:
>
> type=AVC msg=audit(1201380675.325:136): avc:  denied  { sys_tty_config
> } for  pid=2728 comm="console-kit-dae" capability=26
> scontext=system_u:system_r:system_dbusd_t:s0
> tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
>
> Something else?
>
Ooops.... forgot to attach AVCs...

Here is the output from 'audit2allow'; I attach the complete log.
[root at localhost ~]# audit2allow -i logDB


# audit2allow output: one candidate 'allow' rule per distinct denial found in
# the attached log. These rules describe what was *denied*, not what should be
# *granted* -- treat the list as a triage worksheet, not as a module to load.
# Each section below is one source domain (the process that was denied).
#============= NetworkManager_t ==============
# NOTE(review): { siginh rlimitinh noatsecure } are process permissions checked
# when a domain transitions to another domain. In the reference policy they are
# normally covered by dontaudit rules, so a burst of them across many domains
# (also init_t, hald_t, udev_t, xdm_t, xdm_xserver_t, system_dbusd_t and
# unconfined_dbusd_t below) usually points at a kernel/policy version mismatch
# rather than a real access need -- confirm against the installed policy
# before allowing any of them.
allow NetworkManager_t dhcpc_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t ifconfig_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t initrc_t:process { siginh rlimitinh noatsecure };
allow NetworkManager_t nscd_t:process { siginh rlimitinh noatsecure };
# NOTE(review): security_t is selinuxfs; reads of it (and of selinux_config_t,
# i.e. the policy configuration under /etc/selinux) look like libselinux
# queries. Low risk, but repeated for dhcpc_t, hald_acl_t, ifconfig_t,
# polkit_auth_t, system_chkpwd_t, unconfined_chkpwd_t and xdm_xserver_t below,
# which again suggests a policy mismatch rather than a per-domain need.
allow NetworkManager_t security_t:dir { search getattr };
allow NetworkManager_t security_t:file read;

#============= cupsd_t ==============
allow cupsd_t default_context_t:dir search;
allow cupsd_t file_context_t:dir search;
allow cupsd_t file_context_t:file { read getattr };
# NOTE(review): a print daemon writing the Kerberos configuration is not
# something to grant on the strength of a denial alone; find out what in cupsd
# attempts the write. If it is incidental, a dontaudit is the safer answer.
allow cupsd_t krb5_conf_t:file write;
# setfscreate lets the process choose the label of files it creates; only
# justified if cupsd genuinely needs to create files with non-default labels.
allow cupsd_t self:process setfscreate;

#============= dhcpc_t ==============
allow dhcpc_t security_t:dir { search getattr };
allow dhcpc_t security_t:file read;
allow dhcpc_t selinux_config_t:dir search;
allow dhcpc_t selinux_config_t:file { read getattr };

#============= hald_acl_t ==============
allow hald_acl_t polkit_auth_t:process { siginh rlimitinh noatsecure };
allow hald_acl_t security_t:dir { search getattr };
allow hald_acl_t security_t:file read;
allow hald_acl_t security_t:filesystem getattr;
allow hald_acl_t selinux_config_t:dir search;
allow hald_acl_t selinux_config_t:file { read getattr };

#============= hald_t ==============
allow hald_t dmidecode_t:process { siginh rlimitinh noatsecure };
allow hald_t hald_acl_t:process { siginh rlimitinh noatsecure };
allow hald_t polkit_auth_t:process { siginh rlimitinh noatsecure };

#============= ifconfig_t ==============
allow ifconfig_t security_t:dir { search getattr };
allow ifconfig_t security_t:file read;
allow ifconfig_t security_t:filesystem getattr;
allow ifconfig_t selinux_config_t:dir search;
allow ifconfig_t selinux_config_t:file { read getattr };

#============= init_t ==============
allow init_t getty_t:process { siginh rlimitinh noatsecure };
allow init_t initrc_t:process { siginh rlimitinh noatsecure };

#============= insmod_t ==============
# NOTE(review): the module loader holding a tty, the X server's sockets and
# the X server log looks like file descriptors inherited across the exec from
# xdm_xserver_t into insmod (the matching transition denial is in the
# xdm_xserver_t section). The usual fix is to close the descriptors in the
# caller, or dontaudit them -- not to give insmod_t access to X sockets.
allow insmod_t tty_device_t:chr_file { read write };
allow insmod_t xdm_xserver_t:tcp_socket { read write };
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= pam_t ==============
# NOTE(review): probably an inherited descriptor as well; verify the object
# path in the raw AVC before deciding (same for unconfined_dbusd_t below).
allow pam_t user_home_t:file read;

#============= polkit_auth_t ==============
allow polkit_auth_t security_t:dir { search getattr };
allow polkit_auth_t security_t:file read;
allow polkit_auth_t security_t:filesystem getattr;
allow polkit_auth_t selinux_config_t:dir search;
allow polkit_auth_t selinux_config_t:file { read getattr };

#============= setroubleshootd_t ==============
# NOTE(review): this would let the troubleshooting daemon create and modify
# files in the rpm database directory. Unexpected for its role; identify the
# trigger (and the exact path) before granting.
allow setroubleshootd_t rpm_var_lib_t:dir { write add_name };
allow setroubleshootd_t rpm_var_lib_t:file { write create };

#============= system_chkpwd_t ==============
allow system_chkpwd_t security_t:dir { search getattr };
allow system_chkpwd_t security_t:file read;
allow system_chkpwd_t security_t:filesystem getattr;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:process { siginh rlimitinh noatsecure };
# This is the console-kit denial quoted in the mail (comm="console-kit-dae",
# capability=26 = sys_tty_config, running in system_dbusd_t). The thing to
# question is less the capability than why console-kit-daemon is running in
# the D-Bus daemon's domain instead of its own -- check the transition rules.
allow system_dbusd_t self:capability sys_tty_config;
# NOTE(review): ptrace lets the source domain inspect memory and control
# processes of the target domain; see the xdm_xserver_t section for why these
# are the most suspicious rules here.
allow system_dbusd_t xdm_t:process ptrace;

#============= udev_t ==============
allow udev_t pam_console_t:process { siginh rlimitinh noatsecure };

#============= unconfined_chkpwd_t ==============
allow unconfined_chkpwd_t security_t:dir { search getattr };
allow unconfined_chkpwd_t security_t:file read;
allow unconfined_chkpwd_t security_t:filesystem getattr;

#============= unconfined_dbusd_t ==============
allow unconfined_dbusd_t unconfined_t:process { siginh rlimitinh noatsecure };
allow unconfined_dbusd_t user_home_t:file append;

#============= xdm_t ==============
allow xdm_t pam_console_t:process { siginh rlimitinh noatsecure };
allow xdm_t system_chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t unconfined_t:process { siginh noatsecure };
allow xdm_t xdm_dbusd_t:process { siginh rlimitinh noatsecure };

#============= xdm_xserver_t ==============
allow xdm_xserver_t insmod_t:process { siginh rlimitinh noatsecure };
# NOTE(review): do not grant these ptrace rules. Allowing the X server to
# ptrace unconfined_t (and the other domains listed) would let a compromised X
# server read the memory of, and take over, essentially any user process.
# The ptrace permission is also checked for some /proc/<pid> reads, so the
# denials may come from the X server inspecting other processes' /proc entries
# rather than from a real ptrace() call -- check the object path in the raw
# AVC and prefer a dontaudit if that is the case.
allow xdm_xserver_t mono_t:process ptrace;
allow xdm_xserver_t security_t:dir { search getattr };
allow xdm_xserver_t security_t:file read;
allow xdm_xserver_t security_t:filesystem getattr;
allow xdm_xserver_t selinux_config_t:dir search;
allow xdm_xserver_t selinux_config_t:file { read getattr };
allow xdm_xserver_t unconfined_execmem_t:process ptrace;
allow xdm_xserver_t unconfined_t:process ptrace;
allow xdm_xserver_t xdm_t:process ptrace;
[root at localhost ~]#

Any of these look suspicious?

tom
-- 
Tom London
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logDB.gz
Type: application/x-gzip
Size: 6878 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080126/1e18c29f/attachment.bin>

