New AVCs with today's rawhide.... (mostly xdm related)

Tom London selinux at gmail.com
Mon Mar 10 14:04:27 UTC 2008


On Mon, Mar 10, 2008 at 6:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  Tom London wrote:
>  > Running rawhide, targeted.
>  >
>  > Had problems after today's rawhide update.
>  >
>  > Booting in permissive mode produced:
>  >
>  >
>  > module localxdm 1.0;
>  >
>  > require {
>  >       type unconfined_t;
>  >       type security_t;
>  >       type xdm_var_lib_t;
>  >       type syslogd_t;
>  >       type unconfined_execmem_t;
>  >       type xdm_xserver_t;
>  >       type system_map_t;
>  >       type mono_t;
>  >       type xdm_t;
>  >       type mount_t;
>  >       class unix_stream_socket { read write };
>  >       class x_property read;
>  >       class security { check_context compute_create compute_av };
>  >       class file { read write getattr };
>  >       class dir { write read mounton };
>  > }
>  >
>  > #============= mono_t ==============
>  > allow mono_t unconfined_t:x_property read;
>  >
>  > #============= mount_t ==============
>  > allow mount_t xdm_t:unix_stream_socket { read write };
>  > allow mount_t xdm_var_lib_t:dir { write read mounton };
>  >
>  > #============= syslogd_t ==============
>  > allow syslogd_t system_map_t:file { read getattr };
>  >
>  > #============= unconfined_execmem_t ==============
>  > allow unconfined_execmem_t unconfined_t:x_property read;
>  > allow unconfined_execmem_t xdm_t:x_property read;
>  >
>  > #============= xdm_t ==============
>  > allow xdm_t xdm_var_lib_t:dir mounton;
>  >
>  > #============= xdm_xserver_t ==============
>  > allow xdm_xserver_t security_t:dir read;
>  > allow xdm_xserver_t security_t:file { write read };
>  > allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
>  >
>  > I'll attach the raw audit file below.
>  >
>  > In addition, there were two avcs produced in /var/log/messages before
>  > the start of audit:
>  >
>  > Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
>  > avc:  denied  { read } for  pid=2257 comm="rsyslogd"
>  > name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>  > scontext=system_u:system_r:syslogd_t:s0
>  > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>  > Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
>  > avc:  denied  { getattr } for  pid=2257 comm="rsyslogd"
>  > path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>  > scontext=system_u:system_r:syslogd_t:s0
>  > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>  >
>  > Not sure all of these need to be "allow", but "semodule -i
>  > localxdm.pp" makes the system boot and run in enforcing mode.
>  >
>  > tom
>  >
>  >
>  >
>  > ------------------------------------------------------------------------
>  >
>  > --
>  > fedora-selinux-list mailing list
>  > fedora-selinux-list at redhat.com
>  > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  Tom are you saying the machine would not boot in enforcing mode without
>  these changes?

Uhhh.... please ignore the above.

Not sure I understand, but except for the syslogd_t ones, I no longer
get these AVCs when booting in enforcing. All is fine.

Sorry for the false report.

tom


-- 
Tom London
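As an added illustration that is not part of the thread, the script below does what audit2allow did to produce the quoted localxdm module: it parses the two rsyslogd AVC records Tom quoted from /var/log/messages and merges them into the single syslogd_t rule that appears in the module. The regular expression and function names are my own; the two log lines are reproduced from the message above as sample input.

```python
import re
from collections import defaultdict

# Sample input: the two rsyslogd denials quoted in the thread, as they
# appear in /var/log/messages (kernel audit type=1400 records).
SAMPLE_LOG = """\
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc:  denied  { read } for  pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc:  denied  { getattr } for  pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
"""

# Pull the permission set, the type field of both contexts, and the
# object class out of one "avc: denied" record. Only the third colon
# separated field (the type) matters for an allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)}, merging
    the permissions of every denial that shares the same triple."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record; skip it
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def to_allow_rules(denials):
    """Render merged denials as 'allow' rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_avc_denials(SAMPLE_LOG))))
```

A rule produced this way only records what was denied; as Tom's own caveat says, whether syslogd_t should be reading System.map at all is the question to settle before running semodule -i.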
