-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/02/2012 10:06 AM, Klaus Lichtenwalder wrote:
On 02.02.2012 15:01, Dominick Grift wrote:
> On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
>> [...] which would render gpg-agent probably useless...
>
> I have not encountered similar avc denials here. I wonder what i
> am doing differently.
>
> I you are sure you have configured gpg agent properly , then this
> may indeed be bug in policy.
>
> The SELinux framework aims to make it easy for one to make
> adjustments to policy.
Well, gpg-agent "just" is installed and started by the login
process, with gpg-agent --daemon. The only configuration I was
doing was settint the ttl time and giving "use-agent" to gnupg2.
One avc was indeed gone after enabling the bool gpg_agent_env_file.
But it still stumbles over the socket, which it wants to create in
$HOME/.gnupg. Guess I'll have a look over the policy, in case I can
detect something
> [...] klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>
> if you want to use unconfined_r as you have specified above than
> you need to map the unconfined_r to the staff_u SELinux user:
>
> semanage user -m -R "staff_r system_r sysadm_r unconfined_r"
> staff_u
Thanks, unconfined_r was missing in the semanage command above.
Still, logging in leaves me with the following denials:
time->Thu Feb 2 15:40:06 2012 type=SYSCALL
msg=audit(1328193606.453:145): arch=40000003 syscall=11 success=yes
exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0
ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin"
exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023
key=(null) type=AVC msg=audit(1328193606.453:145): avc: denied {
entrypoint } for pid=3289 comm="lxdm-binary"
path="/etc/lxdm/PreLogin" dev=sda3 ino=393588
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file ---- time->Thu Feb
2 15:40:06 2012 type=SYSCALL msg=audit(1328193606.472:146):
arch=40000003 syscall=11 success=yes exit=0 a0=a060525 a1=a057838
a2=a06e958 a3=bfe1ff76 items=0 ppid=1 pid=3291 auid=1000 uid=1000
gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000
fsgid=1000 tty=(none) ses=3 comm="xauth" exe="/usr/bin/xauth"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC
msg=audit(1328193606.472:146): avc: denied { entrypoint } for
pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3
ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file ----
time->Thu Feb 2 15:40:06 2012 type=SYSCALL
msg=audit(1328193606.484:147): arch=40000003 syscall=11 success=yes
exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0 ppid=1
pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="PostLogin"
exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023
key=(null) type=AVC msg=audit(1328193606.484:147): avc: denied {
entrypoint } for pid=3294 comm="lxdm-binary"
path="/etc/lxdm/PostLogin" dev=sda3 ino=393585
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
Which also seems to point to something missing. I checked all
labels, but everything seems fine according to policy. Am I correct
in saying that staff_u:staff_r:staff_t is missing an entrypoint
rule for etc_t files and xauth_exec_t? The former somehow seems
mislabeled, as an entrypoint is associated with a _exec_t?
Thanks, Klaus
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Those files should be labeled bin_t.
I will change the default labeling, any other binary file in that
directory.
Open a bugzilla on the gpg_agent problems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
iEYEARECAAYFAk8qrPoACgkQrlYvE4MpobOTcgCfaPx1wTb14fK+h1tfWyo2TFQP
fHkAn1ZDOVHkz52KhvbrZyvvUnC4OEQ1
=ZjJY
-----END PGP SIGNATURE-----