New AVCs with today's rawhide.... (mostly xdm related)
Tom London
selinux at gmail.com
Sat Mar 8 18:07:35 UTC 2008
Running rawhide, targeted.
Had problems after today's rawhide update.
Booting in permissive mode produced:
module localxdm 1.0;
require {
type unconfined_t;
type security_t;
type xdm_var_lib_t;
type syslogd_t;
type unconfined_execmem_t;
type xdm_xserver_t;
type system_map_t;
type mono_t;
type xdm_t;
type mount_t;
class unix_stream_socket { read write };
class x_property read;
class security { check_context compute_create compute_av };
class file { read write getattr };
class dir { write read mounton };
}
#============= mono_t ==============
allow mono_t unconfined_t:x_property read;
#============= mount_t ==============
allow mount_t xdm_t:unix_stream_socket { read write };
allow mount_t xdm_var_lib_t:dir { write read mounton };
#============= syslogd_t ==============
allow syslogd_t system_map_t:file { read getattr };
#============= unconfined_execmem_t ==============
allow unconfined_execmem_t unconfined_t:x_property read;
allow unconfined_execmem_t xdm_t:x_property read;
#============= xdm_t ==============
allow xdm_t xdm_var_lib_t:dir mounton;
#============= xdm_xserver_t ==============
allow xdm_xserver_t security_t:dir read;
allow xdm_xserver_t security_t:file { write read };
allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
I'll attach the raw audit file below.
In addition, there were two AVCs produced in /var/log/messages before the start of audit:
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Not sure all of these need to be "allow", but "semodule -i localxdm.pp" makes the system boot and run in enforcing mode.
tom
--
Tom London
Name: audit-log.txt
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080308/716f536f/attachment.txt>
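The two kernel-formatted AVC lines quoted in the post, parsed and folded into an audit2allow-style allow rule, as an added Python example that is not part of the post or of audit2allow itself. The SAMPLE_AVCS text is copied from the post (each message joined onto one line); the function names and the "needs review" heuristic (flagging rules that touch the `security` class or the `security_t` type, i.e. the policy interface rather than ordinary files) are assumptions of this example, not behaviour of any Fedora tool.

```python
import re
from collections import defaultdict

# The two AVC lines from the post (joined onto one line each).
SAMPLE_AVCS = """\
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
"""

# Shape of a denial: avc: denied { perm perm } for key=value key="value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical review heuristic for this example (not an audit2allow feature):
# rules granting access to the SELinux policy interface itself deserve a look
# against the reference policy before being allowed verbatim.
REVIEW_CLASSES = {"security"}
REVIEW_TYPES = {"security_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:level]; the type is the third component.
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # kernel AVCs carry either name= or path= for file objects
        "object": fields.get("path") or fields.get("name"),
    }


def aggregate(lines):
    """Fold denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return rules


def format_rules(rules):
    """Render rules as allow statements (permissions sorted, unlike audit2allow's order)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def needs_review(rule_key):
    """True for rules touching the policy interface rather than ordinary objects."""
    _, ttype, tclass = rule_key
    return tclass in REVIEW_CLASSES or ttype in REVIEW_TYPES


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVCS.splitlines())
    for rule in format_rules(rules):
        print(rule)
    for key in rules:
        if needs_review(key):
            print("review before allowing:", key)
```

Run on the two quoted lines this yields the same `syslogd_t` / `system_map_t` / `file` rule that appears in the localxdm module above (with `getattr` and `read` merged into one statement), which is how audit2allow arrives at its output; the `needs_review` flag would fire for the `xdm_xserver_t security_t:security` rule in the module if its underlying AVCs were fed in.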