Some AVC denials to consider:

Miroslav Grepl mgrepl at redhat.com
Wed Aug 5 22:13:01 UTC 2009


On 08/05/2009 01:59 PM, Daniel J Walsh wrote:
> On 08/04/2009 08:30 AM, Dominick Grift wrote:
>    
>> dev_rw_generic_files(NetworkManager_t)
>>
>>      
> This looks very wrong.  Need to see AVC related to this.
>
>    
>> allow consoletype_t device_t:file { read getattr ioctl };
>>
>>      
> This looks like a mislabeled file.  As Miroslav pointed out later is this the problem with /dev/null being a file?
>
>    
>> xserver_rw_xdm_home_files(staff_dbusd_t)
>>
>>      
> We should add
>
> xserver_use_xdm($1_dbusd_t) to dbus.if
> Then add
> allow $1 xdm_home_t:file append_file_perms;
> to xserver_use_xdm
>
>    
>> allow staff_t staff_screen_t:process sigchld;
>> allow staff_t print_spool_t:dir getattr;
>> allow staff_t screen_var_run_t:fifo_file read;
>>      
>
> add
> 	allow $3 $1_screen_t:process sigchld;
> to screen_role_template
> Although it does not look like we transition to screen by default now.
>
> Add
>
> 	lpd_list_spool(staff_t)
>
> to staff.te
>
> allow staff_t screen_var_run_t:fifo_file read;
> Looks like a leak, add
>
> 	dontaudit $3 $1_var_run_t:fifo_file read;
>
> to screen_role_template
>
>    
>> dev_rw_dri(staff_t)
>>
>>      
> This is probably not a good idea.  I believe this is an easy way to attack the system
> I think we currently have
>
> 	dev_dontaudit_rw_dri($1)
>
>    
>> allow ifconfig_t device_t:file read;
>>
>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>
>>      
> Leak?  Whatever is execing mount is leaking a file descriptor.  Added a new plugin to setroubleshoot to detect links BTW.
>
>    
>> allow nscd_t device_t:file read;
>>
>> allow ifconfig_t device_t:file read;
>>
>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>
>> allow nscd_t device_t:file read;
>>
>> term_use_console(portreserve_t)
>>
>>      
> This seems like a strange one.
>
>    
>> allow readahead_t proc_kcore_t:file getattr;
>>      
>
>
>    
>> allow readahead_t self:capability net_admin;
>>      
> Rawhide has
>
> kernel_dontaudit_getattr_core_if(readahead_t)
> dontaudit readahead_t self:capability { net_admin sys_tty_config };
>
>    
>> allow rpcbind_t self:udp_socket listen;
>>
>>      
> Rawhide has
>
> ifdef(`hide_broken_symptoms',`
> 	dontaudit rpcbind_t self:udp_socket listen;
> ')
>    
>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>>
>>      
> Change dbus_role_template to use
> xserver_use_xdm,
>
> Add xserver_search_xdm_lib($1) to xserver_use_xdm
>
>    
>> dev_rw_generic_files(auditctl_t)
>>
>>      
> Looks like a leak
>    
>> allow readahead_t self:capability net_admin;
>> fs_rw_tmpfs_chr_files(readahead_t)
>>
>>      
> fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
> is in rawhide
>    
>> fprintd_dbus_chat(staff_sudo_t)
>>
>>      
> Add
> 	optional_policy(`
> 		fprintd_dbus_chat($1_sudo_t)
> 	')
> to
> 	sudo_role_template
>    
>> fprintd_dbus_chat(staff_t)
>>
>> fprintd_dbus_chat(fprintd_t)
>>
>>      
>
> Add
> 	optional_policy(`
> 		fprintd_dbus_chat($1_t)
> 	')
> to
> userdom_restricted_xwindows_user_template
>
>
> fprintd_dbus_chat(fprintd_t)
> Does not make sense.
>    
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>      
>
Changes added to selinux-policy-3.6.12-74.fc11

Thanks
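The thread sorts raw AVC denials into three buckets before anyone writes policy: a denial that points at a mislabeled object (device_t on a plain file), a denial caused by a leaked file descriptor (a domain touching another domain's socket or fifo it should never have inherited), and a denial that really does need an allow rule or an interface call. The script below is an added example, not code from this thread or from the selinux-policy project: it parses audit.log-style AVC records (the sample lines are constructed to resemble the denials discussed above, not copied from any real system), applies those three heuristics, and emits either an audit2allow-style allow rule, a dontaudit rule for the leak case, or a relabel note for the mislabel case. The field names (scontext, tcontext, tclass, comm) are the standard audit record keys; the triage thresholds are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed AVC records shaped like /var/log/audit/audit.log output.
# They mirror the denials discussed in the thread but are not real log data.
SAMPLE_AVCS = """\
type=AVC msg=audit(1249500000.123:101): avc:  denied  { read } for  pid=1234 comm="consoletype" name="null" dev=tmpfs ino=5 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1249500001.456:102): avc:  denied  { read write } for  pid=2345 comm="mount" path="socket:[12345]" dev=sockfs ino=12345 scontext=staff_u:staff_r:mount_t:s0 tcontext=staff_u:staff_r:dgrift_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1249500002.789:103): avc:  denied  { getattr } for  pid=3456 comm="ls" name="cups" dev=dm-0 ino=777 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
type=AVC msg=audit(1249500003.012:104): avc:  denied  { listen } for  pid=4567 comm="rpcbind" scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=udp_socket
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose cross-domain denials usually mean an inherited descriptor
# rather than a legitimate access (the thread's "leak" cases).
LEAK_CLASSES = {'fd', 'fifo_file', 'unix_stream_socket', 'unix_dgram_socket'}


@dataclass(frozen=True)
class Avc:
    perms: tuple
    stype: str    # source domain (type of scontext)
    ttype: str    # target type (type of tcontext)
    tclass: str   # object class
    comm: str     # process name, "?" if absent


def type_of(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]


def parse_avc(line):
    """Return an Avc for one audit line, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return Avc(
        perms=tuple(m.group('perms').split()),
        stype=type_of(fields['scontext']),
        ttype=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        comm=fields.get('comm', '?'),
    )


def parse_log(text):
    return [a for a in (parse_avc(l) for l in text.splitlines()) if a]


def triage(avc):
    """Classify a denial as 'mislabel', 'leak' or 'review' (heuristics, not policy)."""
    # device_t belongs on device nodes; a regular file carrying it (e.g. a /dev/null
    # created as a plain file) is a labeling problem, not a missing allow rule.
    if avc.ttype == 'device_t' and avc.tclass == 'file':
        return 'mislabel'
    # A domain touching another domain's socket/fifo/fd is typically an inherited
    # descriptor the parent should have closed; the thread's "leak" cases.
    if avc.tclass in LEAK_CLASSES and avc.stype != avc.ttype:
        return 'leak'
    return 'review'


def fmt_perms(perms):
    # audit2allow style: a single permission bare, several inside braces.
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def suggest(avc):
    """Emit the policy-language line a reviewer would consider for this denial."""
    kind = triage(avc)
    if kind == 'mislabel':
        return f"# {avc.ttype} on a {avc.tclass} ({avc.comm}): relabel the object, do not allow"
    if kind == 'leak':
        return f"dontaudit {avc.stype} {avc.ttype}:{avc.tclass} {fmt_perms(avc.perms)};"
    return f"allow {avc.stype} {avc.ttype}:{avc.tclass} {fmt_perms(avc.perms)};"


if __name__ == '__main__':
    for avc in parse_log(SAMPLE_AVCS):
        print(f"[{triage(avc):8}] {suggest(avc)}")
```

The 'review' bucket still deserves a human look: the thread replaces raw allow rules in that bucket with reference-policy interface calls (lpd_list_spool, xserver_use_xdm) or a dontaudit under hide_broken_symptoms, which a mechanical generator cannot decide for you.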
