playing with unconfined domains and users on Fedora 16

Daniel J Walsh dwalsh at redhat.com
Thu Feb 2 15:34:19 UTC 2012



On 02/02/2012 10:06 AM, Klaus Lichtenwalder wrote:
> On 02.02.2012 15:01, Dominick Grift wrote:
>> On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
>>> [...] which would render gpg-agent probably useless...
>> 
>> I have not encountered similar avc denials here. I wonder what I
>> am doing differently.
>> 
>> If you are sure you have configured gpg agent properly, then this
>> may indeed be a bug in policy.
>> 
>> The SELinux framework aims to make it easy for one to make
>> adjustments to policy.
> 
> Well, gpg-agent "just" is installed and started by the login
> process, with gpg-agent --daemon. The only configuration I was
> doing was setting the ttl time and giving "use-agent" to gnupg2.
> One avc was indeed gone after enabling the bool gpg_agent_env_file.
> But it still stumbles over the socket, which it wants to create in
> $HOME/.gnupg. Guess I'll have a look over the policy, in case I can
> detect something
> 
>> [...] klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>> 
>> if you want to use unconfined_r as you have specified above then
>> you need to map the unconfined_r to the staff_u SELinux user:
>> 
>> semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
> 
> Thanks, unconfined_r was missing in the semanage command above.
> 
> Still, logging in leaves me with the following denials:
> 
> time->Thu Feb  2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11 success=yes exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0 ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.453:145): avc:  denied  { entrypoint } for pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3 ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
> ----
> time->Thu Feb  2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.472:146): arch=40000003 syscall=11 success=yes exit=0 a0=a060525 a1=a057838 a2=a06e958 a3=bfe1ff76 items=0 ppid=1 pid=3291 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.472:146): avc:  denied  { entrypoint } for pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
> ----
> time->Thu Feb  2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.484:147): arch=40000003 syscall=11 success=yes exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0 ppid=1 pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="PostLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.484:147): avc:  denied  { entrypoint } for pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3 ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
> 
> Which also seems to point to something missing. I checked all
> labels, but everything seems fine according to policy. Am I correct
> in saying that staff_u:staff_r:staff_t is missing an entrypoint
> rule for etc_t files and xauth_exec_t? The former somehow seems
> mislabeled, as an entrypoint is associated with a _exec_t?
> 
> Thanks, Klaus

Those files should be labeled bin_t.

I will change the default labeling, any other binary file in that
directory.


Open a bugzilla on the gpg_agent problems.
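The entrypoint denials quoted in this thread, triaged with a small script. This is an added example, not part of the original messages: the function names are hypothetical, and the rule of thumb in `label_review` (a target type that is neither `bin_t` nor `*_exec_t` deserves a label check) is an assumption for illustration.

```python
import re
from collections import defaultdict

# AVC records copied from the denials quoted in the thread, one record per line.
THREAD_AVCS = """\
type=AVC msg=audit(1328193606.453:145): avc:  denied  { entrypoint } for pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3 ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1328193606.472:146): avc:  denied  { entrypoint } for pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
type=AVC msg=audit(1328193606.484:147): avc:  denied  { entrypoint } for pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3 ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC denial as a dict of its key=value fields, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def entrypoint_denials(text):
    """Map (source domain, target type) -> sorted paths denied as entrypoints."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and "entrypoint" in rec["perms"] and rec.get("tclass") == "file":
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]))
            groups[key].add(rec.get("path", "<no path>"))
    return {key: sorted(paths) for key, paths in groups.items()}


def label_review(groups):
    """Paths whose target type is not an executable label (assumed rule of thumb)."""
    return sorted(p for (_, ttype), paths in groups.items()
                  if ttype != "bin_t" and not ttype.endswith("_exec_t") for p in paths)


if __name__ == "__main__":
    found = entrypoint_denials(THREAD_AVCS)
    for (domain, ttype), paths in found.items():
        print(f"{domain} -> {ttype}: {', '.join(paths)}")
    print("review labels of:", label_review(found))
```

On a live system the same functions can be fed the output of `ausearch -m avc`, and the flagged paths compared against policy with `ls -Z` and `matchpathcon`.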

