New AVCs with today's rawhide.... (mostly xdm related)

Daniel J Walsh dwalsh at redhat.com
Mon Mar 10 13:37:15 UTC 2008



Tom London wrote:
> Running rawhide, targeted.
> 
> Had problems after today's rawhide update.
> 
> Booting in permissive mode produced:
> 
> 
> module localxdm 1.0;
> 
> require {
> 	type unconfined_t;
> 	type security_t;
> 	type xdm_var_lib_t;
> 	type syslogd_t;
> 	type unconfined_execmem_t;
> 	type xdm_xserver_t;
> 	type system_map_t;
> 	type mono_t;
> 	type xdm_t;
> 	type mount_t;
> 	class unix_stream_socket { read write };
> 	class x_property read;
> 	class security { check_context compute_create compute_av };
> 	class file { read write getattr };
> 	class dir { write read mounton };
> }
> 
> #============= mono_t ==============
> allow mono_t unconfined_t:x_property read;
> 
> #============= mount_t ==============
> allow mount_t xdm_t:unix_stream_socket { read write };
> allow mount_t xdm_var_lib_t:dir { write read mounton };
> 
> #============= syslogd_t ==============
> allow syslogd_t system_map_t:file { read getattr };
> 
> #============= unconfined_execmem_t ==============
> allow unconfined_execmem_t unconfined_t:x_property read;
> allow unconfined_execmem_t xdm_t:x_property read;
> 
> #============= xdm_t ==============
> allow xdm_t xdm_var_lib_t:dir mounton;
> 
> #============= xdm_xserver_t ==============
> allow xdm_xserver_t security_t:dir read;
> allow xdm_xserver_t security_t:file { write read };
> allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
> 
> I'll attach the raw audit file below.
> 
> In addition, there were two avcs produced in /var/log/messages before
> the start of audit:
> 
> Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc:  denied  { read } for  pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
> Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc:  denied  { getattr } for  pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
> 
> Not sure all of these need to be "allow", but "semodule -i
> localxdm.pp" makes the system boot and run in enforcing mode.
> 
> tom
> 
Tom are you saying the machine would not boot in enforcing mode without
these changes?
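The localxdm module Tom quotes is what audit2allow builds from denials like the two rsyslogd lines in his mail. The following Python script is an added example for this thread (not code posted on the list, and not the audit2allow implementation): it does the same derivation over those two AVC records, re-joined onto one line each, by parsing every `avc: denied` line, merging permissions per (source type, target type, object class), and printing a module in the same layout as the quoted one. The module name `localsyslog` and the `SAMPLE_LOG` text are constructed for the example.

```python
"""Derive SELinux allow rules from raw AVC denial lines.

Added example for this thread, not code from the list or from audit2allow
itself; it reproduces, in simplified form, what `audit2allow -M localxdm`
does to turn denials like the rsyslogd ones above into the quoted module.
"""
import re
from collections import defaultdict

# Constructed sample input: the two rsyslogd denials quoted in the thread,
# re-joined onto one line each (the mail client wrapped them).
SAMPLE_LOG = """\
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc:  denied  { read } for  pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc:  denied  { getattr } for  pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
"""

# One AVC record: the denied permission set, then the source and target
# contexts and the object class. Lines that are not denials are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type component of user:role:type[:range]."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, {perms}) per denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def collect_rules(text):
    """Merge denials into one permission set per (source, target, class).

    This is why the thread's module has a single
    `allow syslogd_t system_map_t:file { read getattr };` for two AVCs.
    """
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as in policy syntax."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def render_module(name, version, rules):
    """Emit a .te module in the same layout as the quoted localxdm module."""
    types = sorted({t for key in rules for t in key[:2]})
    class_perms = defaultdict(set)   # the require block unions perms per class
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # "localsyslog" is a hypothetical module name chosen for this example.
    # Review every rule before `semodule -i`: the generator grants exactly
    # what was denied, whether or not that access is something to permit.
    print(render_module("localsyslog", "1.0", collect_rules(SAMPLE_LOG)), end="")
```

Run as a script it prints a two-type module with the single rule `allow syslogd_t system_map_t:file { getattr read };`. The generator has no opinion on whether an access should be allowed, which is the question Dan's reply raises about the full localxdm set: a denial seen in permissive mode is not by itself evidence that enforcing mode would fail without the rule. Before installing a local module, check each rule against what the confined program actually needs, and whether an existing boolean or a newer policy package already covers the access.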