I thought it'd be prudent to ask the list's opinion before opening a bug report. I'm not experiencing any visible issues, but can repeatedly generate this AVC, one that only seems to be generated since I've enabled pam_yubico on my laptop. I'm fine adding a dontaudit rule to my local policy but should I send a bug report for this? If so, is this an SELinux report or one to Yubico?
SELinux is preventing gdm-session-wor from using the wake_alarm capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gdm-session-wor should have the wake_alarm capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor # semodule -X 300 -i my-gdmsessionwor.pp
Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Objects Unknown [ capability2 ] Source gdm-session-wor Source Path gdm-session-wor Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-225.6.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64 Alert Count 1228 First Seen 2017-02-13 07:43:45 CST Last Seen 2017-02-14 08:36:50 CST Local ID 55722700-2042-427e-911c-5ed8fe9aaf8b
Raw Audit Messages type=AVC msg=audit(1487083010.410:7611): avc: denied { wake_alarm } for pid=699 comm="gdm-session-wor" capability=35 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm
On Tue, 2017-02-14 at 17:13 +0000, Jeremy Young wrote:
I thought it'd be prudent to ask the list's opinion before opening a bug report. I'm not experiencing any visible issues, but can repeatedly generate this AVC, one that only seems to be generated since I've enabled pam_yubico on my laptop. I'm fine adding a dontaudit rule to my local policy but should I send a bug report for this? If so, is this an SELinux report or one to Yubico?
Looks like the kernel checks CAP_WAKE_ALARM prematurely in timerfd_create() and timerfd_settime(); it is only truly required for CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM. So we'll likely see lots of false denials there. Should flip the order of the tests in the kernel. dontaudit should be fine in the interim.
SELinux is preventing gdm-session-wor from using the wake_alarm capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gdm-session-wor should have the wake_alarm capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gdm-session-wor' --raw | audit2allow -M my- gdmsessionwor # semodule -X 300 -i my-gdmsessionwor.pp
Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Objects Unknown [ capability2 ] Source gdm-session-wor Source Path gdm-session-wor Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-225.6.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64 Alert Count 1228 First Seen 2017-02-13 07:43:45 CST Last Seen 2017-02-14 08:36:50 CST Local ID 55722700-2042-427e-911c-5ed8fe9aaf8b
Raw Audit Messages type=AVC msg=audit(1487083010.410:7611): avc: denied { wake_alarm } for pid=699 comm="gdm-session-wor" capability=35 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Agree with Stephen.
Fixed: https://github.com/fedora-selinux/selinux-policy/commit/adf9ead984c36a9b0436...
On 02/14/2017 10:21 PM, Stephen Smalley wrote:
On Tue, 2017-02-14 at 17:13 +0000, Jeremy Young wrote:
I thought it'd be prudent to ask the list's opinion before opening a bug report. I'm not experiencing any visible issues, but can repeatedly generate this AVC, one that only seems to be generated since I've enabled pam_yubico on my laptop. I'm fine adding a dontaudit rule to my local policy but should I send a bug report for this? If so, is this an SELinux report or one to Yubico?
Looks like the kernel checks CAP_WAKE_ALARM prematurely in timerfd_create() and timerfd_settime(); it is only truly required for CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM. So we'll likely see lots of false denials there. Should flip the order of the tests in the kernel. dontaudit should be fine in the interim.
SELinux is preventing gdm-session-wor from using the wake_alarm capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gdm-session-wor should have the wake_alarm capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gdm-session-wor' --raw | audit2allow -M my- gdmsessionwor # semodule -X 300 -i my-gdmsessionwor.pp
Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Objects Unknown [ capability2 ] Source gdm-session-wor Source Path gdm-session-wor Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-225.6.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64 Alert Count 1228 First Seen 2017-02-13 07:43:45 CST Last Seen 2017-02-14 08:36:50 CST Local ID 55722700-2042-427e-911c-5ed8fe9aaf8b
Raw Audit Messages type=AVC msg=audit(1487083010.410:7611): avc: denied { wake_alarm } for pid=699 comm="gdm-session-wor" capability=35 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
selinux@lists.fedoraproject.org