New AVCs with today's rawhide.... (mostly xdm related)

Tom London selinux at gmail.com
Mon Mar 10 15:06:55 UTC 2008


On Mon, Mar 10, 2008 at 8:00 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>  Tom London wrote:
>  > On Mon, Mar 10, 2008 at 6:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  >>  Tom London wrote:
>  >>  > Running rawhide, targeted.
>  >>  >
>  >>  > Had problems after today's rawhide update.
>  >>  >
>  >>  > Booting in permissive mode produced:
>  >>  >
>  >>  >
>  >>  > module localxdm 1.0;
>  >>  >
>  >>  > require {
>  >>  >       type unconfined_t;
>  >>  >       type security_t;
>  >>  >       type xdm_var_lib_t;
>  >>  >       type syslogd_t;
>  >>  >       type unconfined_execmem_t;
>  >>  >       type xdm_xserver_t;
>  >>  >       type system_map_t;
>  >>  >       type mono_t;
>  >>  >       type xdm_t;
>  >>  >       type mount_t;
>  >>  >       class unix_stream_socket { read write };
>  >>  >       class x_property read;
>  >>  >       class security { check_context compute_create compute_av };
>  >>  >       class file { read write getattr };
>  >>  >       class dir { write read mounton };
>  >>  > }
>  >>  >
>  >>  > #============= mono_t ==============
>  >>  > allow mono_t unconfined_t:x_property read;
>  >>  >
>  >>  > #============= mount_t ==============
>  >>  > allow mount_t xdm_t:unix_stream_socket { read write };
>  >>  > allow mount_t xdm_var_lib_t:dir { write read mounton };
>  >>  >
>  >>  > #============= syslogd_t ==============
>  >>  > allow syslogd_t system_map_t:file { read getattr };
>  >>  >
>  >>  > #============= unconfined_execmem_t ==============
>  >>  > allow unconfined_execmem_t unconfined_t:x_property read;
>  >>  > allow unconfined_execmem_t xdm_t:x_property read;
>  >>  >
>  >>  > #============= xdm_t ==============
>  >>  > allow xdm_t xdm_var_lib_t:dir mounton;
>  >>  >
>  >>  > #============= xdm_xserver_t ==============
>  >>  > allow xdm_xserver_t security_t:dir read;
>  >>  > allow xdm_xserver_t security_t:file { write read };
>  >>  > allow xdm_xserver_t security_t:security { check_context compute_create
>  >>  > compute_av };
>  >>  >
>  >>  > I'll attach the raw audit file below.
>  >>  >
>  >>  > In addition, there were two avcs produced in /var/log/messages before
>  >>  > the start of audit:
>  >>  >
>  >>  > Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3):
>  >>  > avc:  denied  { read } for  pid=2257 comm="rsyslogd"
>  >>  > name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>  >>  > scontext=system_u:system_r:syslogd_t:s0
>  >>  > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>  >>  > Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4):
>  >>  > avc:  denied  { getattr } for  pid=2257 comm="rsyslogd"
>  >>  > path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064
>  >>  > scontext=system_u:system_r:syslogd_t:s0
>  >>  > tcontext=system_u:object_r:system_map_t:s0 tclass=file
>  >>  >
>  >>  > Not sure all of these need to be "allow", but "semodule -i
>  >>  > localxdm.pp" makes the system boot and run in enforcing mode.
>  >>  >
>  >>  > tom
>  >>  >
>  >>  >
>  >>  >
>  >>  > ------------------------------------------------------------------------
>  >>  >
>  >>  > --
>  >>  > fedora-selinux-list mailing list
>  >>  > fedora-selinux-list at redhat.com
>  >>  > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  >>  Tom are you saying the machine would not boot in enforcing mode without
>  >>  these changes?
>  >
>  > Uhhh.... please ignore the above.
>  >
>  > Not sure I understand, but except for the syslog_t ones, I no longer
>  > get these AVCs when booting in enforcing. All is fine.
>  >
>  > Sorry for the false report.
>  >
>  > tom
>  >
>  >
>  No, the X ones are being caused by booting in permissive mode.  The
>  system attempts to turn on X Controls, whereas they are denied without
>  a boolean setting in enforcing.
>
>  getsebool xserver_object_manager
>
>  I am not sure whether the syslog_t one is a bug or does it really need
>  that access.
>

I'm booting/running with that access denied (at least the read one,
only seem to get the getattr one in permissive mode).

I did have one "funny enforcing reboot" just after the last update to
syslog where a bunch of services croaked on startup (got ptrace AVCs
from gdb, I think). I then rebooted in permissive and got the whole
lot above (with all the services starting OK).

I cannot reproduce the "funny reboot". Must be bad karma....

tom
-- 
Tom London
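The practical point in this exchange is that an audit2allow module built from a permissive-mode boot collects every denial the system hit, including ones that only happen because permissive mode let the X server get as far as registering itself as an SELinux object manager; those are covered by the xserver_object_manager boolean (check it with getsebool) and should not become local allow rules. The script below is an added example, not code from this thread, from the audit2allow tool it imitates, or from the Fedora policy. It parses raw AVC records, merges them into audit2allow-style rules, and sets aside the xdm_xserver_t/security_t and x_* class denials as boolean-covered. That mapping, and the sample log (the two rsyslogd lines quoted in the thread plus three constructed X server lines matching the localxdm rules), are this example's own assumptions.

```python
"""Triage SELinux AVC denials before turning them into a local policy module.

Added example for the thread above, not code from the thread, from the
audit2allow tool it imitates, or from the Fedora policy.  The mapping of
X server denials to the xserver_object_manager boolean follows the reply
in the thread and is assumed, not taken from the policy sources.
"""
import re
from collections import defaultdict

# Constructed sample input, not a real audit log: the two rsyslogd lines quoted
# in the thread, three made-up X server lines matching the localxdm rules, and
# one non-AVC kernel line to show that it is skipped.
SAMPLE_LOG = """\
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc:  denied  { read } for  pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
Mar  8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc:  denied  { getattr } for  pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
type=AVC msg=audit(1204998620.101:17): avc:  denied  { read } for  pid=2410 comm="X" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1204998620.102:18): avc:  denied  { check_context } for  pid=2410 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1204998620.103:19): avc:  denied  { compute_av } for  pid=2410 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
Mar  8 09:49:53 localhost kernel: usb 1-1: new high speed USB device using ehci_hcd
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def group_rules(records):
    """Merge denials into (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return rules

def boolean_hint(key):
    """Name the boolean that covers this rule, or None if it needs a real allow.

    Assumed mapping, per the reply above: in permissive mode the X server gets
    far enough to register as an SELinux object manager (selinuxfs and
    security-class access to security_t), and the x_* classes only produce
    AVCs once that object manager is active.
    """
    stype, ttype, tclass = key
    if (stype == 'xdm_xserver_t' and ttype == 'security_t') or tclass.startswith('x_'):
        return 'xserver_object_manager'
    return None

def perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def format_rule(key, perms):
    stype, ttype, tclass = key
    return f'allow {stype} {ttype}:{tclass} {perm_str(perms)};'

def triage(lines):
    """Split merged rules into ones for a local module and ones a boolean covers."""
    rules = group_rules(r for r in map(parse_avc, lines) if r)
    allow, by_boolean = [], defaultdict(list)
    for key in sorted(rules):
        hint = boolean_hint(key)
        (by_boolean[hint] if hint else allow).append((key, rules[key]))
    return allow, dict(by_boolean)

def render_module(name, rules):
    """Emit audit2allow-style .te source for a list of (key, perms) rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules:
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {perm_str(classes[c])};' for c in sorted(classes)]
    out += ['}', ''] + [format_rule(k, p) for k, p in rules]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    allow, booleans = triage(SAMPLE_LOG.splitlines())
    print(render_module('localsyslog', allow))   # the part you would still compile
    for name, rules in booleans.items():
        print(f'# covered by boolean {name} (check with: getsebool {name}); left out:')
        for key, perms in rules:
            print('#   ' + format_rule(key, perms))
```

Run on the sample it leaves only the syslogd_t rule in the module and lists the xdm_xserver_t rules under the boolean, which is the split the reply describes. The remaining rule still deserves the question Tom asked: whether rsyslogd really needs to read /boot/System.map is a policy question, not something a denial log can answer, so the module is a starting point for a bug report rather than something to semodule -i and forget.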



