New AVCs with today's rawhide.... (mostly xdm related)
Tom London
selinux at gmail.com
Mon Mar 10 15:06:55 UTC 2008
On Mon, Mar 10, 2008 at 8:00 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
> Tom London wrote:
> > On Mon, Mar 10, 2008 at 6:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>
> >> Tom London wrote:
> >> > Running rawhide, targeted.
> >> >
> >> > Had problems after today's rawhide update.
> >> >
> >> > Booting in permissive mode produced:
> >> >
> >> >
> >> > module localxdm 1.0;
> >> >
> >> > require {
> >> > type unconfined_t;
> >> > type security_t;
> >> > type xdm_var_lib_t;
> >> > type syslogd_t;
> >> > type unconfined_execmem_t;
> >> > type xdm_xserver_t;
> >> > type system_map_t;
> >> > type mono_t;
> >> > type xdm_t;
> >> > type mount_t;
> >> > class unix_stream_socket { read write };
> >> > class x_property read;
> >> > class security { check_context compute_create compute_av };
> >> > class file { read write getattr };
> >> > class dir { write read mounton };
> >> > }
> >> >
> >> > #============= mono_t ==============
> >> > allow mono_t unconfined_t:x_property read;
> >> >
> >> > #============= mount_t ==============
> >> > allow mount_t xdm_t:unix_stream_socket { read write };
> >> > allow mount_t xdm_var_lib_t:dir { write read mounton };
> >> >
> >> > #============= syslogd_t ==============
> >> > allow syslogd_t system_map_t:file { read getattr };
> >> >
> >> > #============= unconfined_execmem_t ==============
> >> > allow unconfined_execmem_t unconfined_t:x_property read;
> >> > allow unconfined_execmem_t xdm_t:x_property read;
> >> >
> >> > #============= xdm_t ==============
> >> > allow xdm_t xdm_var_lib_t:dir mounton;
> >> >
> >> > #============= xdm_xserver_t ==============
> >> > allow xdm_xserver_t security_t:dir read;
> >> > allow xdm_xserver_t security_t:file { write read };
> >> > allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
> >> >
> >> > I'll attach the raw audit file below.
> >> >
> >> > In addition, there were two avcs produced in /var/log/messages before
> >> > the start of audit:
> >> >
> >> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
> >> > avc: denied { read } for pid=2257 comm="rsyslogd"
> >> > name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
> >> > scontext=system_u:system_r:syslogd_t:s0
> >> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
> >> > Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
> >> > avc: denied { getattr } for pid=2257 comm="rsyslogd"
> >> > path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
> >> > scontext=system_u:system_r:syslogd_t:s0
> >> > tcontext=system_u:object_r:system_map_t:s0 tclass=file
> >> >
> >> > Not sure all of these need to be "allow", but "semodule -i
> >> > localxdm.pp" makes the system boot and run in enforcing mode.
> >> >
> >> > tom
> >> >
> >> >
> >> >
> >> Tom are you saying the machine would not boot in enforcing mode without
> >> these changes?
> >
> > Uhhh.... please ignore the above.
> >
> > Not sure I understand, but except for the syslog_t ones, I no longer
> > get these AVCs when booting in enforcing. All is fine.
> >
> > Sorry for the false report.
> >
> > tom
> >
> >
> No, the X ones are being caused by booting in permissive mode. The
> system attempts to turn on X Controls, whereas they are denied without
> a boolean setting in enforcing.
>
> getsebool xserver_object_manager
>
> I am not sure whether the syslog_t one is a bug or whether it really
> needs that access.
>
I'm booting/running with that access denied (at least the read one,
only seem to get the getattr one in permissive mode).
I did have one "funny enforcing reboot" just after the last update to
syslog where a bunch of services croaked on startup (got ptrace AVCs
from gdb, I think). I then rebooted in permissive and got the whole
lot above (with all the services starting OK).
I cannot reproduce the "funny reboot". Must be bad karma....
tom
--
Tom London