On Sun, 2007-09-16 at 22:42 +0200, Göran Uddeborg wrote:
I'm using xdm rather than gdm. SELinux prevents
/sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
(var_log_t). It happens once every time someone logs in or out. See
the attached mail from SETroubleshoot for an example.
To understand what is going on, I tried to strace the processes. But
pam_console_apply doesn't attempt to write anything at all! See the
attached (compressed) strace from pid 4480, the process mentioned in
the SETroubleshoot mail.
Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that
the open fd is inherited by pam_console_apply. But if the inheritance
itself was disallowed, wouldn't it be a "use" that would be denied by
SELinux rather than a "write"?
What am I missing?
(The system is not up-to-date. It is possible this message would go
away with an upgrade. I'm not looking for a way to get rid of the
message here, I'm trying to understand what is going on.)
SELinux rechecks access to open files upon execve if the security
context of the process is changing, and when descriptors are passed
across local IPC. That revalidation includes both the fd use check (can
the process use an open file description created by another security
context, potentially communicating/interfering with that context by
means of the open file's seek pointer and flags) and the file read/write
checks (can the process access the file in a manner consistent with the
open file description)?
--
Stephen Smalley
National Security Agency
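Added illustration, not part of the thread: one way to check Stephen's explanation on a live system is to match the AVC record against the descriptors the denied process actually holds open, instead of expecting strace to show a write(). The AVC line below is constructed from the values in the mail (timestamp, serial, dev and ino are invented), and the function names are my own.

```python
import os
import re

# Constructed AVC record modelled on the denial in the thread: contexts,
# permission, path and pid 4480 from the mail; timestamp, serial, dev, ino made up.
SAMPLE_AVC = (
    'type=AVC msg=audit(1189977760.123:4481): avc:  denied  { write } for  '
    'pid=4480 comm="pam_console_app" path="/var/log/xdm.log" dev=sda3 ino=12345 '
    'scontext=system_u:system_r:pam_console_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file'
)

AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC denial into permissions, pid, source/target types, class, path."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
    }


def open_fds(pid):
    """[(fd, target, label)] for a live process; Linux with SELinux xattrs only.
    getxattr follows the /proc symlink, so the label is that of the target file."""
    out, fd_dir = [], f'/proc/{pid}/fd'
    for name in sorted(os.listdir(fd_dir), key=int):
        try:
            target = os.readlink(f'{fd_dir}/{name}')
            label = os.getxattr(f'{fd_dir}/{name}', 'security.selinux')
            label = label.decode().rstrip('\0')
        except OSError:  # fd closed meanwhile, or no SELinux label available
            continue
        out.append((int(name), target, label))
    return out


def descriptors_explaining(denial, fds):
    """Descriptors whose target is the denied file. A hit on fd 1 or 2 for a
    file the program never writes is the inherited-stderr case from the thread."""
    return [(fd, target) for fd, target, label in fds
            if target == denial['path']
            and label.split(':')[2:3] == [denial['target_type']]]
```

On a real box you would run `descriptors_explaining(parse_avc(line), open_fds(pid))` for the pid named in the AVC record; the revalidation happens at execve, so the process must still be alive when you look.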