nVIDIA binary driver audits generated by OpenGL apps
by Andrew Farris
I am working toward getting Enforcing mode to work with the nvidia
binary drivers, and having some difficulties. I see that there is some
policy with this intention , but it is not quite adequate yet, as below.
Some hints how to proceed, or solutions to this would be appreciated.
Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
The X server can start up as a normal user without any audit of X itself
starting. When X is started in permissive mode only these audits appear,
but glxgears and glxinfo work as expected. These programs, and all my
other openGL apps, need access to /dev/nvidiactl.
The error message generated at command prompt in enforcing mode is:
Error: Could not open /dev/nvidiactl because the permissions
are too resticitive. Please see the FREQUENTLY ASKED QUESTIONS
section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
to correct.
Although the unix perms of the device nodes are all identical as below:
crw-rw-rw- 0 0 system_u:object_r:xserver_misc_device_t /dev/nvidiactl
crw-rw-rw- 1 0 0 195, 255 Apr 17 16:28 /dev/nvidiactl
To relabel the devices I uncommented the definition of
xserver_misc_device_t from ./types/device.te, and added the following
line to ./file_contexts/program/xserver.fc (then make reload, followed
by setfiles on these devices).
/dev/nvidia.* system_u:object_r:xserver_misc_device_t
And I rely on these (there are 4) lines in policy.conf after the make (I
do not understand how these are generated yet).
allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
lock write append };
When running enforcing with the /dev/nvidia* devices labeled as
dri_device_t (had to try), the same behavior exists, X runs.. but
glxgears/glxinfo (and GL games) cannot access the nvidiactl device.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmund Burke)
19 years, 10 months
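The three AVC denials quoted in this thread all have the same shape, and working out which allow rule would silence them is the step audit2allow automates. The parser below is an added example (not from the original post or from the policy sources); the sample lines are the ones quoted above, rejoined onto single lines. Grouping denials by (source type, target type, class) is exactly why mechanically generated rules tend to be broader than the one access that was actually needed, so read the output rather than pasting it into policy.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the posts above, each rejoined onto one line.
SAMPLE_AUDIT = """\
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc: denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 ino=66203 scontext=user_u:user_r:user_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return {'perms': set, field: value, ...} for an AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    return rec


def type_of(context):
    # A context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]


def summarize_denials(text):
    """Group denials by (source type, target type, object class), unioning permissions."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged[key] |= rec["perms"]
    return dict(merged)


def allow_rules(text):
    """Render each merged denial as the allow rule that would silence it."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(text).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules
```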
Policy file for 'aide' and/or 'tripwire'?
by Valdis.Kletnieks@vt.edu
Has anybody already done a policy file for Tripwire or its
open-sourced replacement 'aide'?
Trying to run 'tripwire --check' from a cron job gets this:
Apr 27 04:03:37 orange kernel: audit(1083053017.355:0): avc: denied { write }
for pid=14045 exe=/usr/sbin/tripwire name=tripwire dev=dm-5 ino=22529
scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_t tclass=dir
when trying to open the TEMPDIRECTORY directory:
# ls -ld --context /var/tripwire/
drwx------+ root root system_u:object_r:var_t /var/tripwire/
(The actual database files are here:
# ls --context /var/lib/tripwire
-rw-------+ root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd
-rw------- root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd.bak
drwxr-xr-x+ root root system_u:object_r:var_lib_t report
It occurs to me that it would be simple but incorrect to just use setfilecon
to coerce the contexts into something that works, and that a separate
set of tripwire_t and/or aide_t contexts is probably desired. Having no wish
to reinvent the wheel, has anybody done this already?
Core 2 SELinux installation
by Nick
From the message titled 'Fedora Core 2 and SELinux'
> SELinux *will* be included in Fedora Core 2 test 3 and the final
> Fedora Core 2 release. However, SELinux will be disabled by default.
> To install with SELinux support, pass 'selinux' to the installer
> on the command line. (Or, configure it appropriately in kickstart).
Why are we using the command line option to install the SELinux process? I
provided to the SEL list, a comp.xml skeleton that I used to add SEL to
Core 1. In the original framework I just added dependencies that were
not on the std Linux install (i.e. sharutils). A follow through to this
could provide a separate selection within the group for policy tools and
source to allow the installer to put the source in place as well (as
shown in the category section below)
<group>
  <id>selinux</id>
  <uservisible>true</uservisible>
  <default>true</default>
  <name>SELinux Installation</name>
  <description>Install this group of packages to configure the system
  for SELinux installation.</description>
  <grouplist>
  </grouplist>
  <packagelist>
    <packagereq type="mandatory">sharutils</packagereq>
    <packagereq type="mandatory">linuxdoc-tools</packagereq>
    <packagereq type="mandatory">netpbm-progs</packagereq>
    <packagereq type="mandatory">tetex-latex</packagereq>
    <packagereq type="mandatory">autoconf213</packagereq>
    <packagereq type="mandatory">elfutils-devel</packagereq>
    <packagereq type="mandatory">libcroco-devel</packagereq>
  </packagelist>
</group>
<category>
  <name>SELinux</name>
  <subcategories>
    <subcategory>selinux</subcategory>
    <subcategory>policy tools/source</subcategory>
  </subcategories>
</category>
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
Problem with Tresys tools on Core 2
by Nick
Conditions:
-----------
Install from DVD ISO
yum upgrade
installation of RPMS
checkpolicy-1.10-1.i386.rpm
policy-sources-1.11.2-18.noarch.rpm
setools-1.3-2.i386.rpm
setools-gui-1.3-2.i386.rpm
Results
-------
[root@rocket policy]# seinfo -r
Could not open policy!
[root@rocket policy]# seuser -X
Error in StartScript (/usr/share/setools/se_user.tcl):
Thanks Nick
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
Access to cd device denied for cdp
by Andrew Farris
Playing a cd from the terminal using cdp, or cdplay (non-interactive),
results in the following avc in permissive mode (but the cd is allowed
to play):
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
ino=66203 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
This is not audited in enforcing mode.. but does not work either
(program exits with "please chmod 666 /dev/cdrom as root").
/dev/cdrom is symlinked directly to /dev/hdc.
4.0K lrwxrwxrwx 1 0 0 8 Mar 29 17:26 /dev/cdrom -> /dev/hdc
4.0K brw-rw-rw- 1 0 6 22, 0 Feb 23 13:02 /dev/hdc
Is this expected, or desired behavior? Shouldn't a locally logged in
user be allowed access to audio cds? (perhaps should be -or is- tunable)
I'm working with policy-sources-1.11.2-13.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmund Burke)
Trying to get user modification tools and policy source
by Nick
Conditions:
Install from DVD
Download of Tresys tools
Installation of several RPMs that were needed to compile these tools
yum update of system.
Problem: I can't build the Tresys tools for user account modification.
I had been doing this in the past:
> #1. useradd -m developer
> #2. passwd developer
> #3. sed -i -e /user\ root/a\ user\ developer\ roles\ \{\ staff_r\ \
> sysadm_r\ \}\; /etc/security/selinux/src/policy/users
>
> #4. cd /etc/security/selinux/src/policy
> #5. make policy
> #6. make load
I asked the SEL list about this and it was recommended that I try Tresys
setools? seuser, seuseradd?.
Problem is, I can't build them I keep getting a message about TCL being
in the wrong place?
Anyone seen this? This is a new install, without deviations from what
needs to be done initially. I would think this would be a pretty common
problem
I obviously can't do my old procedure since the policy source wasn't
installed.
Thanks
Nix
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
RFE: provide a command to display all roles available to a user
by Gene Czarcinski
OK, this got closed on bugzilla with the suggestion to bring it up for
discussion on the mailing list.
The problem:
Currently, there is no way for a user to display what roles are available ...
available for switching to via a newrole command.
Solution:
Provide a command to display the roles available to a user ... what roles
could be specified for that user on a newroles command.
Gene
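The roles a user may newrole into are declared in the policy source's users file, in the form Nick's sed line earlier in this thread appends (user developer roles { staff_r sysadm_r };). The following is an added example, not code from the list or from the policy tools, showing what such a lookup has to do: parse the user declarations and answer "which roles for this identity". The sample file is constructed, and the fallback of undeclared Linux users to the user_u identity is an assumption about the default mapping, stated in the code.

```python
import re

# Constructed sample in the format of the policy 'users' file edited by the sed command above.
SAMPLE_USERS = """\
# SELinux user declarations (constructed sample)
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r };
user developer roles { staff_r sysadm_r };
"""

# "user NAME roles ROLE;" or "user NAME roles { ROLE ROLE ... };"
USER_RE = re.compile(r"^\s*user\s+(?P<name>\w+)\s+roles\s+(?P<roles>\{[^}]*\}|\w+)\s*;")


def parse_users(text):
    """Map each declared SELinux user identity to the set of roles it is allowed to take."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue  # comments, blank lines, m4 ifdef() lines
        roles = m.group("roles").strip("{}").split()
        users[m.group("name")] = set(roles)
    return users


def roles_for(users, identity):
    """Roles newrole could switch `identity` to, sorted for display.

    Assumption: a Linux user with no declaration of its own is mapped to the
    generic user_u identity, so it inherits user_u's roles.
    """
    if identity in users:
        return sorted(users[identity])
    return sorted(users.get("user_u", set()))


def can_newrole(users, identity, role):
    """True if `role` is among the roles declared for `identity`."""
    return role in roles_for(users, identity)
```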
AVC attaching gdb to Mozilla process.
by Aleksey Nogin
Under policy-sources-1.11.2-18:
audit(1083131647.146:0): avc: denied { signal } for pid=28661
exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t
tcontext=aleksey:staff_r:staff_t tclass=process
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
FC2-T2 and selinux
by Gene Czarcinski
Let me emphasize -- please be sure to specify enforcing=0 for the first boot
after install if you have installed with selinux "active".
If you do not, the X configuration and firstboot get screwed up. It may be
easier to just reinstall than trying to fix things.
Gene
FC2-T3 selinux warning
by Gene Czarcinski
Installing (fresh, everything) FC2-T3 seems to have some policy-related problems:
1. /root/.default_contexts has wrong attribute (restorecon fixes it).
2. I seem to need to boot enforcing=0 for the firstboot (otherwise the
display does not initialize properly).
After updating to latest updates from development (including policy,
policycoreutils, and libselinux):
1. trying to login a sysadm_r user cannot find the home directory
2. creating new users definitely assigns wrong attributes to /home/user/*
Gene