nVIDIA binary driver audits generated by OpenGL apps
by Andrew Farris
I am working toward getting Enforcing mode to work with the nvidia
binary drivers, and having some difficulties. I see that there is some
policy with this intention, but it is not quite adequate yet, as below.
Some hints how to proceed, or solutions to this would be appreciated.
Running enforcing with /dev/nvidia* labeled as xserver_misc_device_t:
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc:
denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc:
denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears
name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t
tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
The X server can start up as a normal user without any audit of X itself
starting. When X is started in permissive mode only these audits appear,
but glxgears and glxinfo work as expected. These programs, and all my
other openGL apps, need access to /dev/nvidiactl.
The error message generated at command prompt in enforcing mode is:
Error: Could not open /dev/nvidiactl because the permissions
are too restrictive. Please see the FREQUENTLY ASKED QUESTIONS
section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
to correct.
Although the unix perms of the device nodes are all identical as below:
crw-rw-rw- 0 0 system_u:object_r:xserver_misc_device_t /dev/nvidiactl
crw-rw-rw- 1 0 0 195, 255 Apr 17 16:28 /dev/nvidiactl
To relabel the devices I uncommented the definition of
xserver_misc_device_t from ./types/device.te, and added the following
line to ./file_contexts/program/xserver.fc (then make reload, followed
by setfiles on these devices).
/dev/nvidia.* system_u:object_r:xserver_misc_device_t
And I rely on these (there are 4) lines in policy.conf after the make (I
do not understand how these are generated yet).
allow user_xserver_t xserver_misc_device_t:chr_file { ioctl read getattr
lock write append };
When running enforcing with the /dev/nvidia* devices labeled as
dri_device_t (had to try), the same behavior exists, X runs.. but
glxgears/glxinfo (and GL games) cannot access the nvidiactl device.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
19 years, 7 months
Policy file for 'aide' and/or 'tripwire'?
by Valdis.Kletnieks@vt.edu
Has anybody already done a policy file for Tripwire or its
open-sourced replacement 'aide'?
Trying to run 'tripwire --check' from a cron job gets this:
Apr 27 04:03:37 orange kernel: audit(1083053017.355:0): avc: denied { write }
for pid=14045 exe=/usr/sbin/tripwire name=tripwire dev=dm-5 ino=22529
scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_t tclass=dir
when trying to open the TEMPDIRECTORY directory:
# ls -ld --context /var/tripwire/
drwx------+ root root system_u:object_r:var_t /var/tripwire/
(The actual database files are here:
# ls --context /var/lib/tripwire
-rw-------+ root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd
-rw------- root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd.bak
drwxr-xr-x+ root root system_u:object_r:var_lib_t report
It occurs to me that it would be simple but incorrect to just use setfilecon
to coerce the contexts into something that works, and that a separate
set of tripwire_t and/or aide_t contexts is probably desired. Having no wish
to reinvent the wheel, has anybody done this already?
19 years, 7 months
Core 2 SELinux installation
by Nick
From the message titled 'Fedora Core 2 and SELinux'
> SELinux *will* be included in Fedora Core 2 test 3 and the final
> Fedora Core 2 release. However, SELinux will be disabled by default.
> To install with SELinux support, pass 'selinux' to the installer
> on the command line. (Or, configure it appropriately in kickstart).
Why are we using the command line option to install SELinux process. I
provided to the SEL list, a comp.xml skeleton that I used to add SEL to
Core 1. In the original framework I just added dependencies that were
not on the std Linux install (i.e. sharutils). A follow through to this
could provide a separate selection within the group for policy tools and
source to allow the installer to put the source in place as well (as
shown in the category section below)
<group>
<id>selinux</id>
<uservisible>true</uservisible>
<default>true</default>
<name>SELinux Installation</name>
<description>Install this group of packages to configure the system
for SELinux installation.</description>
<grouplist>
</grouplist>
<packagelist>
<packagereq type="mandatory">sharutils</packagereq>
<packagereq type="mandatory">linuxdoc-tools</packagereq>
<packagereq type="mandatory">netpbm-progs</packagereq>
<packagereq type="mandatory">tetex-latex</packagereq>
<packagereq type="mandatory">autoconf213</packagereq>
<packagereq type="mandatory">elfutils-devel</packagereq>
<packagereq type="mandatory">libcroco-devel</packagereq>
</packagelist>
</group>
<category>
<name>SELinux</name>
<subcategories>
<subcategory>selinux</subcategory>
<subcategory>policy tools/source</subcategory>
</subcategories>
</category>
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
19 years, 7 months
Problem with Tresys tools on Core 2
by Nick
Conditions:
-----------
Install from DVD ISO
yum upgrade
installation of RPMS
checkpolicy-1.10-1.i386.rpm
policy-sources-1.11.2-18.noarch.rpm
setools-1.3-2.i386.rpm
setools-gui-1.3-2.i386.rpm
Results
-------
[root@rocket policy]# seinfo -r
Could not open policy!
[root@rocket policy]# seuser -X
Error in StartScript (/usr/share/setools/se_user.tcl):
Thanks Nick
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
19 years, 7 months
Access to cd device denied for cdp
by Andrew Farris
Playing a cd from the terminal using cdp, or cdplay (non-interactive),
results in the following avc in permissive mode (but the cd is allowed
to play):
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
ino=66203 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
This is not audited in enforcing mode, but does not work either
(program exits with "please chmod 666 /dev/cdrom as root").
/dev/cdrom is symlinked directly to /dev/hdc.
4.0K lrwxrwxrwx 1 0 0 8 Mar 29 17:26 /dev/cdrom -> /dev/hdc
4.0K brw-rw-rw- 1 0 6 22, 0 Feb 23 13:02 /dev/hdc
Is this expected, or desired behavior? Shouldn't a locally logged in
user be allowed access to audio cds? (perhaps should be -or is- tunable)
I'm working with policy-sources-1.11.2-13.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
19 years, 7 months
Trying to get user modification tools and policy source
by Nick
Conditions:
Install from DVD
Download of Tresys tools
Installation of several RPMs that were needed to compile these tools
yum update of system.
Problem: I can't build the Tresys tools for user account modification.
I had been doing this in the past:
> #1. useradd -m developer
> #2. passwd developer
> #3. sed -i -e '/user root/a user developer roles { staff_r sysadm_r };' \
>        /etc/security/selinux/src/policy/users
>
> #4. cd /etc/security/selinux/src/policy
> #5. make policy
> #6. make load
I asked the SEL list about this and it was recommended that I try Tresys
setools (seuser, seuseradd).
Problem is, I can't build them. I keep getting a message about TCL being
in the wrong place.
Anyone seen this? This is a new install, without deviations from what
needs to be done initially. I would think this would be a pretty common
problem
I obviously can't do my old procedure since the policy source wasn't
installed.
Thanks
Nix
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
19 years, 7 months
RFE: provide a command to display all roles available to a user
by Gene Czarcinski
OK, this got closed on bugzilla with the suggestion to bring it up for
discussion on the mailing list.
The problem:
Currently, there is no way for a user to display what roles are available ...
available for switching to via a newrole command.
Solution:
Provide a command to display the roles available to a user ... what roles
could be specified for that user on a newroles command.
Gene
19 years, 7 months
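The file that Nick's sed one-liner edits is also where the answer to Gene's RFE lives: in the 1.x monolithic policy, the roles a user can newrole into are exactly the ones listed in that user's declaration in the policy's users file. What follows is an added example, not code from either poster, from the Fedora policy or from the Tresys setools. The sample file contents are constructed in the users-file syntax; the function names and the decision to append a new declaration at the end of the file (rather than after the root line, as the sed command did) are my own.

```python
import re

# Constructed sample in the syntax of the monolithic policy's 'users' file
# (the file the sed one-liner edits); not copied from any real install.
SAMPLE_USERS = """\
# SELinux users and the roles each may hold
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r };
"""

# Matches both forms the file uses: a single bare role, or a braced list.
USER_RE = re.compile(
    r"^\s*user\s+(?P<name>\w+)\s+roles\s+"
    r"(?:\{\s*(?P<many>[^}]*?)\s*\}|(?P<one>\w+))\s*;",
    re.M,
)


def parse_users(text):
    """Map each declared SELinux user to the list of roles it may hold."""
    users = {}
    for m in USER_RE.finditer(text):
        if m.group("many") is not None:
            roles = m.group("many").split()
        else:
            roles = [m.group("one")]
        users[m.group("name")] = roles
    return users


def roles_for(text, name):
    """The roles 'newrole -r ROLE' could switch NAME to; [] if undeclared."""
    return parse_users(text).get(name, [])


def can_enter(text, name, role):
    """True if ROLE is declared for NAME (the check newrole's policy lookup makes)."""
    return role in roles_for(text, name)


def add_user(text, name, roles):
    """Append a declaration for NAME (what the sed one-liner did), refusing
    to declare a user twice; returns the new file contents."""
    if name in parse_users(text):
        raise ValueError("user %s already declared" % name)
    if not text.endswith("\n"):
        text += "\n"
    return text + "user %s roles { %s };\n" % (name, " ".join(roles))


if __name__ == "__main__":
    updated = add_user(SAMPLE_USERS, "developer", ["staff_r", "sysadm_r"])
    for user, roles in sorted(parse_users(updated).items()):
        print("%-10s %s" % (user, " ".join(roles)))
```

Two caveats. The users file is compiled into the binary policy, so after add_user the "make policy" and "make load" steps from Nick's procedure are still needed before newrole will accept the new role. And the parser treats every line beginning with "user" as a declaration regardless of any m4 ifdef wrapper around it, so a role that is only declared inside a conditional block will still be reported.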
AVC attaching gdb to Mozilla process.
by Aleksey Nogin
Under policy-sources-1.11.2-18:
audit(1083131647.146:0): avc: denied { signal } for pid=28661
exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t
tcontext=aleksey:staff_r:staff_t tclass=process
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
19 years, 7 months
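The denials quoted in the glxinfo/glxgears, tripwire, cdp and gdb threads above all have the same shape, "avc: denied { perms } for ... scontext= tcontext= tclass=", and the allow rule that would silence each one is mechanical to derive from it, which is what the allow lines Andrew found in policy.conf look like. The following Python is an added example, not code from any of the posters, from the Fedora policy build or from audit2allow. It embeds the posted AVC lines, re-joined onto single lines as syslog writes them, as constructed sample input; the function names and the assumption that the type is the third colon-separated field of a context are mine.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC denials quoted in the threads above,
# each re-joined onto one line. Not captured from a live system here.
SAMPLE_LOG = """\
Apr 26 17:13:59 CirithUngol kernel: audit(1083024839.937:0): avc: denied { read write } for pid=15200 exe=/usr/X11R6/bin/glxinfo name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 26 17:14:04 CirithUngol kernel: audit(1083024844.641:0): avc: denied { read write } for pid=15209 exe=/usr/X11R6/bin/glxgears name=nvidiactl dev=hdb8 ino=65738 scontext=LordMorgul:user_r:user_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file
Apr 27 04:03:37 orange kernel: audit(1083053017.355:0): avc: denied { write } for pid=14045 exe=/usr/sbin/tripwire name=tripwire dev=dm-5 ino=22529 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_t tclass=dir
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc: denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 ino=66203 scontext=user_u:user_r:user_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1083131647.146:0): avc: denied { signal } for pid=28661 exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t tcontext=aleksey:staff_r:staff_t tclass=process
Apr 26 17:14:05 CirithUngol kernel: some unrelated kernel message
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    rec["perms"] = sorted(m.group("perms").split())
    # Assumption: contexts are user:role:type (no MLS field), so the
    # type is the third colon-separated component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_allow_rules(text):
    """One TE allow rule per (source type, target type, class), with the
    permissions of all matching denials merged, in sorted order."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(needed.items())
    ]


def device_grants(text):
    """(source type, target type) pairs whose suggested rule would hand a
    domain direct access to a device-node type: candidates for a dedicated
    type on the node rather than a blanket allow."""
    seen = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] in ("chr_file", "blk_file"):
            seen.add((rec["stype"], rec["ttype"]))
    return sorted(seen)


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_LOG):
        print(rule)
    for stype, ttype in device_grants(SAMPLE_LOG):
        print("# consider a dedicated type instead of %s for %s" % (ttype, stype))
```

The rules it prints are what the denials literally ask for, not necessarily the right fix. For the nvidia case the rule gives every user_t process raw read/write on a type the X server also uses, and for the cdrom case it gives user_t ioctl on every block device labeled fixed_disk_device_t; a type specific to the device node, the direction the first post was already taking by relabeling /dev/nvidia*, is the narrower change. For the tripwire case the same reasoning argues for a tripwire_t domain over a write grant from system_crond_t to all of var_t, as Valdis suspects.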
FC2-T2 and selinux
by Gene Czarcinski
Let me emphasize -- please be sure to specify enforcing=0 for the first boot
after install if you have installed with selinux "active".
If you do not, the X configuration and firstboot get screwed up. It may be
easier to just reinstall than trying to fix things.
Gene
19 years, 7 months
FC2-T3 selinux warning
by Gene Czarcinski
Install (fresh, everything) FC2-T3 seems to have some policy related problems:
1. /root/.default_contexts has wrong attribute (restorecon fixes it).
2. It seems I need to boot enforcing=0 for the firstboot (otherwise the
display does not initialize properly).
After updating to latest updates from development (including policy,
policycoreutils, and libselinux):
1. trying to log in, a sysadm_r user cannot find the home directory
2. creating new users definitely assigns wrong attributes to /home/user/*
Gene
19 years, 7 months