New AVCs with today's rawhide.... (mostly xdm related)

Tom London selinux at gmail.com
Sat Mar 8 18:07:35 UTC 2008


Running rawhide, targeted.

Had problems after today's rawhide update.

Booting in permissive mode produced:


module localxdm 1.0;

require {
	type unconfined_t;
	type security_t;
	type xdm_var_lib_t;
	type syslogd_t;
	type unconfined_execmem_t;
	type xdm_xserver_t;
	type system_map_t;
	type mono_t;
	type xdm_t;
	type mount_t;
	class unix_stream_socket { read write };
	class x_property read;
	class security { check_context compute_create compute_av };
	class file { read write getattr };
	class dir { write read mounton };
}

#============= mono_t ==============
allow mono_t unconfined_t:x_property read;

#============= mount_t ==============
allow mount_t xdm_t:unix_stream_socket { read write };
allow mount_t xdm_var_lib_t:dir { write read mounton };

#============= syslogd_t ==============
allow syslogd_t system_map_t:file { read getattr };

#============= unconfined_execmem_t ==============
allow unconfined_execmem_t unconfined_t:x_property read;
allow unconfined_execmem_t xdm_t:x_property read;

#============= xdm_t ==============
allow xdm_t xdm_var_lib_t:dir mounton;

#============= xdm_xserver_t ==============
allow xdm_xserver_t security_t:dir read;
allow xdm_xserver_t security_t:file { write read };
allow xdm_xserver_t security_t:security { check_context compute_create compute_av };

I'll attach the raw audit file below.

In addition, there were two AVCs produced in /var/log/messages before
the start of audit:

Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
avc:  denied  { read } for  pid=2257 comm="rsyslogd"
name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
avc:  denied  { getattr } for  pid=2257 comm="rsyslogd"
path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:system_map_t:s0 tclass=file

Not sure all of these need to be "allow", but "semodule -i
localxdm.pp" makes the system boot and run in enforcing mode.

tom

-- 
Tom London
Attachment: audit-log.txt <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080308/716f536f/attachment.txt>
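What audit2allow does with lines like the two rsyslogd denials above, as an added Python example that is not from the original mail or from the audit2allow tool: it parses AVC denial lines into (source type, target type, class, permissions), merges them into allow rules in the same format as the localxdm module, and flags rules whose target type is on a caller-supplied list so they can be reviewed instead of loaded wholesale. The third log line and the sensitive-type list are constructed for illustration.

```python
import re
from collections import defaultdict

# The first two lines are quoted from the report; the third is constructed
# to mirror the "allow xdm_t xdm_var_lib_t:dir mounton;" rule in the module.
SAMPLE_LOG = """\
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc:  denied  { read } for  pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc:  denied  { getattr } for  pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar  8 09:49:53 localhost kernel: type=1400 audit(1204998592.001:5): avc:  denied  { mounton } for  pid=2301 comm="xdm" path="/var/lib/xdm" dev=sda3 ino=7001 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None if not an AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type:level; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], m.group(1).split()


def aggregate(log_text):
    """Merge all denials with the same (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            rules[(stype, ttype, tclass)].update(perms)
    return rules


def to_allow_rules(rules):
    """Render merged denials as allow rules in audit2allow's output format."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{c} {perm_str};")
    return out


def needs_review(allow_rules, sensitive_targets):
    """Return rules whose target type is in sensitive_targets (a list the reviewer supplies)."""
    return [r for r in allow_rules if r.split()[2].split(":")[0] in sensitive_targets]


if __name__ == "__main__":
    rules = to_allow_rules(aggregate(SAMPLE_LOG))
    print("\n".join(rules))
    print("review:", needs_review(rules, ("system_map_t", "security_t")))
```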