AVC messages at boot and kdm login (latest Rawhide)
Aleksey Nogin
aleksey at nogin.org
Thu Mar 11 15:12:13 UTC 2004
On 11.03.2004 05:41, Russell Coker wrote:
>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
>>read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied {
>>ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>
>
> How does /dev/input really work? As I understand it event0 could be a
> keyboard or a mouse. So maybe we want a separate type for this so that when
> using gpm it can access it, but when the user is granted direct mouse access
> they can't read the keyboard directly.
>
> Does this make sense?
Maybe. This is already reported -
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=117369
>>Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied {
>>read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:memory_device_t tclass=chr_file
>
>
> That's a bug in kdm. It should use /dev/random instead. Reading arbitrary
> kernel memory as a source of random numbers is bogus anyway.
OK, entered in Bugzilla -
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118051
>>Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied {
>>write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
>>ino=670527 scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:lib_t tclass=file
>
>
> What directory is this in?
/usr/lib/qt-3.3/etc/settings/qtrc
> We just need to get the directory in question
> labeled as var_lib_xdm_t.
Well, should it be writing to it, or just reading? I do not see why it
would be reasonable for kdm_greet to touch it...
>>Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied {
>>setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
>
>
> dontaudit or allow? What should we do?
>
> It probably doesn't matter much as the default policy does not permit the user
> to access the SCSI generic device.
Well, I have a symlink /dev/cdwriter -> /dev/sg0. Not sure if it is
still meaningful or whether it is left from the "hdc=ide_scsi" times.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
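For anyone triaging a batch of denials like the ones discussed above, here is an added example (not code from this message, from Russell, or from the SELinux project) that parses the audit(timestamp:serial): avc: denied line format the kernel emitted at the time and folds the denials into candidate allow rules, one per (source type, target type, class). The sample log is constructed from the lines quoted in the message, re-joined onto one line each because the mail wrapped them, plus one unrelated kernel line to show that non-AVC lines are skipped.

```python
"""Parse 2004-era SELinux AVC denial lines and fold them into candidate
allow rules.  Added example; not code from the post or from the selinux
project.  Field names (scontext, tcontext, tclass, pid, exe, name, path,
dev, ino) are the ones visible in the quoted log lines."""
import re
from collections import defaultdict

# Constructed sample: the five denials from the post, each on one line,
# plus one unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { read write } for pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc: denied { ioctl } for pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc: denied { read } for pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc: denied { write } for pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2 ino=670527 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:lib_t tclass=file
Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc: denied { setattr } for pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
Mar 11 04:20:53 dell kernel: eth0: link up
"""

# "audit(<secs>.<msecs>:<serial>): avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: denied "
    r"\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """user:role:type[:level] -> type (e.g. system_u:system_r:gpm_t -> gpm_t)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    # A line cut short before the contexts cannot be turned into a rule.
    for key in ("scontext", "tcontext", "tclass"):
        if key not in rec:
            return None
    return rec


def parse_log(text):
    """All AVC denial records in a block of syslog text, in order."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def aggregate(records):
    """(source type, target type, class) -> set of every denied permission."""
    wanted = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        wanted[key].update(r["perms"])
    return wanted


def allow_rules(records):
    """Candidate rules in policy syntax, sorted, one per (source, target, class)."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(aggregate(records).items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(parse_log(SAMPLE_LOG)):
        print(rule)
```

The output is a starting point for the discussion, not a patch to apply: as the thread itself shows, a denial can mean a program bug (kdm reading /dev/mem for randomness), a mislabeled directory (the qtrc settings directory), or a device that should get its own type (event0), and only the last of those is fixed by an allow rule on the existing types.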