5:54 p.m.
On Dec 3, 2007 3:50 PM, Tom London <selinux(a)gmail.com> wrote:
Forgot to attach the AVCs......
Does this one look suspicious?
type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Attached compressed....sigh
tom
--
Tom London
12:16 p.m.
New subject: pulseaudio, policykit - works in permissive, fails in enforcing
On Dec 3, 2007 3:54 PM, Tom London <selinux(a)gmail.com> wrote:
On Dec 3, 2007 3:50 PM, Tom London <selinux(a)gmail.com> wrote:
> Forgot to attach the AVCs......
>
> Does this one look suspicious?
>
> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
Attached compressed....sigh
Reran the above in permissive mode. This seemed suspicious:
type=AVC msg=audit(1196779565.801:132): avc: denied { search } for
pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1196779565.801:132): avc: denied { read } for
pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5
success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585
pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for
pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc
ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197
success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0
ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
So, I did a 'audit2allow -M localpulse2' on the above.
Here is the .te file:
module localpulse2 1.0;
require {
type xdm_xserver_t;
type xdm_t;
class dir search;
class file { read getattr };
}
#============= xdm_t ==============
allow xdm_t xdm_xserver_t:dir search;
allow xdm_t xdm_xserver_t:file { read getattr };
'semodule -i localpulse2.pp' makes pulseaudio work.
Should this be added?
tom
--
Tom London
10:25 a.m.
New subject: pulseaudio, policykit - works in permissive, fails in enforcing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tom London wrote:
On Dec 3, 2007 3:54 PM, Tom London <selinux(a)gmail.com> wrote:
> On Dec 3, 2007 3:50 PM, Tom London <selinux(a)gmail.com> wrote:
>> Forgot to attach the AVCs......
>>
>> Does this one look suspicious?
>>
>> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
>> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc
ino=9484
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
>> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
>> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
>> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
>> exe="/usr/libexec/ck-get-x11-display-device"
>> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>
> Attached compressed....sigh
>
Reran the above in permissive mode. This seemed suspicious:
type=AVC msg=audit(1196779565.801:132): avc: denied { search } for
pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1196779565.801:132): avc: denied { read } for
pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5
success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585
pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for
pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc
ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197
success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0
ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
So, I did a 'audit2allow -M localpulse2' on the above.
Here is the .te file:
module localpulse2 1.0;
require {
type xdm_xserver_t;
type xdm_t;
class dir search;
class file { read getattr };
}
#============= xdm_t ==============
allow xdm_t xdm_xserver_t:dir search;
allow xdm_t xdm_xserver_t:file { read getattr };
'semodule -i localpulse2.pp' makes pulseaudio work.
Should this be added?
tom
I have added this to the latest rawhide policy 3.2.2-1
BTW: a handy tool to see what consolekit thinks of you is
ck-list-sessions
Session2:
uid = '3267'
realname = 'Daniel J Walsh,,978-392-3130,508-485-6146'
seat = 'Seat1'
session-type = ''
active = TRUE
x11-display = ':0'
x11-display-device = '/dev/tty7'
display-device = ''
remote-host-name = ''
is-local = TRUE
on-since = '2007-12-04T18:46:05Z'
If it does not show active, then consolekit thinks you are not on the
console and will not change the permissions on the devices.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHVtD7rlYvE4MpobMRAhu3AJoDabDb46sprRHbhG1hyszuxe3ivACgh/Fu
9g6WxQLmLHKd/50xwZh5tRg=
=em8+
-----END PGP SIGNATURE-----
5985
days inactive
5987
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Daniel J Walsh -
Tom London