New AVCs with today's rawhide.... (mostly xdm related)
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 10 13:37:15 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tom London wrote:
> Running rawhide, targeted.
>
> Had problems after today's rawhide update.
>
> Booting in permissive mode produced:
>
>
> module localxdm 1.0;
>
> require {
> type unconfined_t;
> type security_t;
> type xdm_var_lib_t;
> type syslogd_t;
> type unconfined_execmem_t;
> type xdm_xserver_t;
> type system_map_t;
> type mono_t;
> type xdm_t;
> type mount_t;
> class unix_stream_socket { read write };
> class x_property read;
> class security { check_context compute_create compute_av };
> class file { read write getattr };
> class dir { write read mounton };
> }
>
> #============= mono_t ==============
> allow mono_t unconfined_t:x_property read;
>
> #============= mount_t ==============
> allow mount_t xdm_t:unix_stream_socket { read write };
> allow mount_t xdm_var_lib_t:dir { write read mounton };
>
> #============= syslogd_t ==============
> allow syslogd_t system_map_t:file { read getattr };
>
> #============= unconfined_execmem_t ==============
> allow unconfined_execmem_t unconfined_t:x_property read;
> allow unconfined_execmem_t xdm_t:x_property read;
>
> #============= xdm_t ==============
> allow xdm_t xdm_var_lib_t:dir mounton;
>
> #============= xdm_xserver_t ==============
> allow xdm_xserver_t security_t:dir read;
> allow xdm_xserver_t security_t:file { write read };
> allow xdm_xserver_t security_t:security { check_context compute_create
> compute_av };
>
> I'll attach the raw audit file below.
>
> In addition, there were two avcs produced in /var/log/messages before
> the start of audit:
>
> Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
> avc: denied { read } for pid=2257 comm="rsyslogd"
> name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
> scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:system_map_t:s0 tclass=file
> Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
> avc: denied { getattr } for pid=2257 comm="rsyslogd"
> path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
> scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:system_map_t:s0 tclass=file
>
> Not sure all of these need to be "allow", but "semodule -i
> localxdm.pp" makes the system boot and run in enforcing mode.
>
> tom
>
Tom are you saying the machine would not boot in enforcing mode without
these changes?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkfVOYsACgkQrlYvE4MpobP0eQCfVP90HanVNvfhas765qu+r8L8
DzMAoOqM3MPP3FaV2jSfogLp+MI9xiMQ
=1Zde
-----END PGP SIGNATURE-----
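The module quoted above is the shape audit2allow -M produces: one require block, then one allow rule per (source type, target type, class) with the union of the denied permissions. Tom's remark that he is "not sure all of these need to be allow" is the right instinct; the following script is an added example (not code from this thread or from the SELinux tools) that performs the same grouping over raw AVC lines and, instead of accepting every rule, flags the ones whose target type is sensitive so they get reviewed before semodule -i. The set REVIEW_TARGET_TYPES is an assumption chosen for the example, and the third sample log line is constructed; the first two are the rsyslogd denials quoted in the thread.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules and flag
rules that touch sensitive target types for manual review.

Added example, not the thread's own code and not the audit2allow source.
"""
import re
from collections import defaultdict

# Kernel AVC format seen in the thread:
#   avc: denied { read } for pid=... scontext=... tcontext=... tclass=file
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that should not be granted just because a denial appeared.
# Assumption: this list is illustrative for the example, not exhaustive.
REVIEW_TARGET_TYPES = {"security_t", "unconfined_t", "shadow_t"}


def type_of(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), perms)


def collect_rules(lines):
    """Group denials the way audit2allow does: {(src, tgt, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)].update(perms)
    return dict(rules)


def format_perms(perms):
    """Render a permission set as 'read' or '{ getattr read }' (sorted)."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Render .te module source with a require block, like audit2allow -M output."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {format_perms(perms)};")
    return "\n".join(out) + "\n"


def needs_review(rules):
    """Return rule keys whose target type is in REVIEW_TARGET_TYPES."""
    return sorted(k for k in rules if k[1] in REVIEW_TARGET_TYPES)


# Sample input: the two rsyslogd denials from the thread (joined onto single
# lines) plus one constructed line modelled on the xdm_xserver_t -> security_t
# rule the generated module allowed.
SAMPLE_LOG = [
    'Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file',
    'Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file',
    # constructed line, not from the thread's audit log
    'Mar 8 09:50:01 localhost kernel: type=1400 audit(1204998601.123:9): avc: denied { compute_av } for pid=2301 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security',
]

if __name__ == "__main__":
    rules = collect_rules(SAMPLE_LOG)
    print(render_module("localxdm", rules))
    for key in needs_review(rules):
        print("REVIEW before allowing:", key)
```

Run it and the syslogd_t rule comes out as a single allow with { getattr read }, matching the module in the thread, while the rule targeting security_t is listed for review rather than silently included; that is the step to insert between audit2allow and semodule -i when a denial looks like it should be fixed by relabeling or a policy update instead of a local allow.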