New AVCs with today's rawhide.... (mostly xdm related)
Tom London
selinux at gmail.com
Mon Mar 10 14:04:27 UTC 2008
On Mon, Mar 10, 2008 at 6:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Tom London wrote:
> > Running rawhide, targeted.
> >
> > Had problems after today's rawhide update.
> >
> > Booting in permissive mode produced:
> >
> >
> > module localxdm 1.0;
> >
> > require {
> > type unconfined_t;
> > type security_t;
> > type xdm_var_lib_t;
> > type syslogd_t;
> > type unconfined_execmem_t;
> > type xdm_xserver_t;
> > type system_map_t;
> > type mono_t;
> > type xdm_t;
> > type mount_t;
> > class unix_stream_socket { read write };
> > class x_property read;
> > class security { check_context compute_create compute_av };
> > class file { read write getattr };
> > class dir { write read mounton };
> > }
> >
> > #============= mono_t ==============
> > allow mono_t unconfined_t:x_property read;
> >
> > #============= mount_t ==============
> > allow mount_t xdm_t:unix_stream_socket { read write };
> > allow mount_t xdm_var_lib_t:dir { write read mounton };
> >
> > #============= syslogd_t ==============
> > allow syslogd_t system_map_t:file { read getattr };
> >
> > #============= unconfined_execmem_t ==============
> > allow unconfined_execmem_t unconfined_t:x_property read;
> > allow unconfined_execmem_t xdm_t:x_property read;
> >
> > #============= xdm_t ==============
> > allow xdm_t xdm_var_lib_t:dir mounton;
> >
> > #============= xdm_xserver_t ==============
> > allow xdm_xserver_t security_t:dir read;
> > allow xdm_xserver_t security_t:file { write read };
> > allow xdm_xserver_t security_t:security { check_context compute_create
> > compute_av };
> >
> > I'll attach the raw audit file below.
> >
> > In addition, there were two avcs produced in /var/log/messages before
> > the start of audit:
> >
> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
> > avc: denied { read } for pid=2257 comm="rsyslogd"
> > name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
> > scontext=system_u:system_r:syslogd_t:s0
> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
> > avc: denied { getattr } for pid=2257 comm="rsyslogd"
> > path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
> > scontext=system_u:system_r:syslogd_t:s0
> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
> >
> > Not sure all of these need to be "allow", but "semodule -i
> > localxdm.pp" makes the system boot and run in enforcing mode.
> >
> > tom
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Tom are you saying the machine would not boot in enforcing mode without
> these changes?
Uhhh.... please ignore the above.
Not sure I understand, but except for the syslog_t ones, I no longer
get these AVCs when booting in enforcing. All is fine.
Sorry for the false report.
tom
--
Tom London
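As an added example (not code from the thread or from the audit2allow tool it implicitly relies on), the script below parses raw AVC denial lines of the kind quoted in the first message (the rsyslogd denials on /boot/System.map) and merges them into the per-(source type, target type, class) form that audit2allow prints. Having the grouped view is what lets a maintainer decide, per rule, whether a denial points at a policy bug or at something that should stay denied, instead of installing every generated allow rule as the original report did. The sample log is constructed for the example: the two denials from the thread joined back onto single lines, plus one non-AVC kernel line that must be skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the two rsyslogd denials quoted in the thread,
# re-joined onto single lines, plus one constructed non-AVC kernel line.
SAMPLE_LOG = """\
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar 8 09:49:53 localhost kernel: usb 1-1: new device (constructed, not an AVC)
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec = {"verdict": verdict, "perms": perms.split(), **fields}
    # user:role:type:level -> keep the type, which is what allow rules name
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def parse_avc_log(text):
    """Parse every AVC line in a block of syslog/audit text, skipping the rest."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def summarize_denials(records):
    """Group denials by (source type, target type, class) and merge permissions.

    This is the same aggregation audit2allow performs before printing rules;
    'granted' records are ignored because they need no policy change.
    """
    groups = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        groups[(r["scontext_type"], r["tcontext_type"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(summary):
    """Render the grouped denials as allow rules, one per (src, tgt, class)."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_LOG)
    for rule in allow_rules(summarize_denials(recs)):
        print(rule)
```

On the constructed sample this yields a single rule, `allow syslogd_t system_map_t:file { getattr read };`, which matches the syslogd_t block of the module in the thread. The intermediate records keep `comm`, `path`/`name`, `pid` and the full contexts, so the same parse can be used to ask which process and which object triggered each denial before anything is allowed.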