Re: playing with unconfined domains and users on Fedora 16

On 02.02.2012 15:01, Dominick Grift wrote: > On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote: >> [...] which would render gpg-agent probably useless... > > I have not encountered similar avc denials here. I wonder what i > am doing differently. > > I you are sure you have configured gpg agent properly , then this > may indeed be bug in policy. > > The SELinux framework aims to make it easy for one to make > adjustments to policy. Well, gpg-agent "just" is installed and started by the login process, with gpg-agent --daemon. The only configuration I was doing was settint the ttl time and giving "use-agent" to gnupg2. One avc was indeed gone after enabling the bool gpg_agent_env_file. But it still stumbles over the socket, which it wants to create in $HOME/.gnupg. Guess I'll have a look over the policy, in case I can detect something > [...] klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL > > if you want to use unconfined_r as you have specified above than > you need to map the unconfined_r to the staff_u SELinux user: > > semanage user -m -R "staff_r system_r sysadm_r unconfined_r" > staff_u Thanks, unconfined_r was missing in the semanage command above. Still, logging in leaves me with the following denials: time->Thu Feb 2 15:40:06 2012 type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11 success=yes exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0 ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1328193606.453:145): avc: denied { entrypoint } for pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3 ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file ---- time->Thu Feb 2 15:40:06 2012 type=SYSCALL msg=audit(1328193606.472:146): arch=40000003 syscall=11 success=yes exit=0 a0=a060525 a1=a057838 a2=a06e958 a3=bfe1ff76 items=0 ppid=1 pid=3291 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1328193606.472:146): avc: denied { entrypoint } for pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file ---- time->Thu Feb 2 15:40:06 2012 type=SYSCALL msg=audit(1328193606.484:147): arch=40000003 syscall=11 success=yes exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0 ppid=1 pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="PostLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1328193606.484:147): avc: denied { entrypoint } for pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3 ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file Which also seems to point to something missing. I checked all labels, but everything seems fine according to policy. Am I correct in saying that staff_u:staff_r:staff_t is missing an entrypoint rule for etc_t files and xauth_exec_t? The former somehow seems mislabeled, as an entrypoint is associated with a _exec_t? Thanks, Klaus -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8qrPoACgkQrlYvE4MpobOTcgCfaPx1wTb14fK+h1tfWyo2TFQP fHkAn1ZDOVHkz52KhvbrZyvvUnC4OEQ1 =ZjJY -----END PGP SIGNATURE-----