Tom London wrote:
On 5/24/05, Tom London <selinux(a)gmail.com> wrote:
>On 5/24/05, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>
>>Tom London wrote:
>>
>>>Running strict/enforcing, latest rawhide.
>>>
>>>Get the following when logging in:
>>>May 21 13:30:16 fedora gdm(pam_unix)[2946]: session opened for user
>>>tbl by (uid=0)
>>>May 21 13:30:16 fedora kernel: audit(1116707416.740:0): avc: denied
>>>{ write } for name=dmix.conf dev=hda2 ino=4523476
>>>scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
>>>tclass=file
>>>May 21 13:30:16 fedora ainit: Failed to open file /etc/alsa/pcm/dmix.conf
>>>May 21 13:30:16 fedora ainit: Error: Permission denied
>>>
>>>The file in question is /etc/alsa/pcm/dmix.conf.
>>>
>>>/etc/alsa/ainit.conf has:
>>>#
>>># overwrite target files, if exists
>>>#
>>>overwrite = yes
>>>
>>>#
>>># first config file - for dmix plugin
>>>#
>>>template_0 = /etc/alsa/pcm/dmix.template
>>>target_0 = /etc/alsa/pcm/dmix.conf
>>>target_root_file_0 = yes
>>>
>>>This seems less than perfect to me....
>>>Should dmix.conf (and dsnoop.conf) be someplace else? Labeled as
>>>xdm_rw_etc_t? (I don't know who else needs to read these files....)
>>>
>>>tom
>>>
>>Do you have any idea if xdm is actually trying to write this file, or
>>could this just be they used the wrong flags when opening the file?
>>
>No idea.
>
>I'll test tonight on my 'strict machine'.
>
>tom
>
Running strict/permissive, I get this:
May 25 06:19:54 fedora gdm(pam_unix)[2695]: session opened for user
tbl by (uid=0)
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ write } for pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ add_name } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ create } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=file
May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc: denied
{ write } for pid=2739 comm="ainit" name=dmix.conf dev=hda2
ino=4522361 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:19:56 fedora gconfd (tbl-2801): starting (version 2.10.0),
pid 2801 user 'tbl'
So it looks like xdm wants to really create/write this....
Logging out does this:
May 25 06:24:54 fedora gconfd (tbl-2801): Exiting
May 25 06:24:54 fedora gdm(pam_unix)[2695]: session closed for user tbl
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied
{ write } for pid=3184 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied
{ remove_name } for pid=3184 comm="ainit" name=dmix.conf.lock
dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied
{ unlink } for pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2
ino=4522777 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ unix_read unix_write } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ associate } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ destroy } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
tom
Ok, looks like we need policy for ainit and this directory.
Anyone up for it? :^)
Please open a bugzilla, so I will get it done, if no one volunteers.
Dan
--
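As an added illustration (not part of the thread), a small Python parser that does for the denials above what audit2allow does: it merges the AVC lines into per-(source type, target type, class) candidate allow rules and flags the ones that would widen write access to the generic etc_t label, which is the labeling concern Tom raised. The sample lines are the thread's denials re-joined onto single lines; the GENERIC_TARGETS set is an assumption, not policy from the list.

```python
import re
from collections import defaultdict

# Constructed sample: denials from the thread, each re-joined onto one line.
SAMPLE_AVC = """\
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { write } for pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { add_name } for pid=2739 comm="ainit" name=dmix.conf scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied { create } for pid=2739 comm="ainit" name=dmix.conf scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied { remove_name } for pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied { unix_read unix_write } for pid=3184 comm="ainit" key=1947154681 scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t tclass=shm
"""

# Permissions sit in braces; the contexts and class are the trailing key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Broad labels where granting writes is a policy smell (assumed set, not from the thread).
GENERIC_TARGETS = {"etc_t"}
WRITE_LIKE = {"write", "create", "add_name", "remove_name", "unlink"}

def type_of(context):
    """user:role:type[:level] -> the type field, which is what allow rules name."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, {perms}) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], set(m["perms"].split())

def summarize(text):
    """Merge permissions per (source, target, class) so one rule covers one object class."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def allow_rules(text):
    """Render the merged denials as candidate allow rules, sorted for stable diffs."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(text).items())]

def review_notes(text):
    """Flag rules that would let a domain modify objects under a generic type."""
    return [f"{s} would gain {sorted(p & WRITE_LIKE)} on {t}:{c}; prefer a dedicated type for those files"
            for (s, t, c), p in sorted(summarize(text).items())
            if t in GENERIC_TARGETS and p & WRITE_LIKE]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
    print("\n".join(review_notes(SAMPLE_AVC)))
```

The shm denial against staff_t is kept as a rule candidate but not flagged, since the flag only targets the generic /etc label; whether xdm_t should touch a user domain's shared memory at all is a separate review question.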