AVC messages at boot and kdm login (latest Rawhide)

Aleksey Nogin aleksey at nogin.org
Thu Mar 11 15:12:13 UTC 2004


On 11.03.2004 05:41, Russell Coker wrote:

>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  {
>>read write } for  pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
>>Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  {
>>ioctl } for  pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2
>>ino=4219044 scontext=system_u:system_r:gpm_t
>>tcontext=system_u:object_r:device_t tclass=chr_file
> 
> 
> How does /dev/input really work?  As I understand it event0 could be a 
> keyboard or a mouse.  So maybe we want a separate type for this so that when 
> using gpm it can access it, but when the user is granted direct mouse access 
> they can't read the keyboard directly.
> 
> Does this make sense?

Maybe. This is already reported - 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=117369

>>Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  {
>>read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:memory_device_t tclass=chr_file
> 
> 
> That's a bug in kdm.  It should use /dev/random instead.  Reading arbitrary 
> kernel memory as a source of random numbers is bogus anyway.

OK, entered in Bugzilla - 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118051

>>Mar 11 04:20:42 dell kernel: audit(1079007642.899:0): avc:  denied  {
>>write } for  pid=2121 exe=/usr/bin/kdm_greet name=.qtrc.lock dev=hda2
>>ino=670527 scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:lib_t tclass=file
> 
> 
> What directory is this in?

/usr/lib/qt-3.3/etc/settings/qtrc

> We just need to get the directory in question 
> labeled as var_lib_xdm_t.

Well, should it be writing to it, or just reading? I do not see why it 
would be reasonable for kdm_greet to touch it...

>>Mar 11 04:20:52 dell kernel: audit(1079007652.672:0): avc:  denied  {
>>setattr } for  pid=2113 exe=/usr/bin/kdm name=sg0 dev=hda2 ino=2688146
>>scontext=system_u:system_r:xdm_t
>>tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
> 
> 
> dontaudit or allow?  What should we do?
> 
> It probably doesn't matter much as the default policy does not permit the user 
> to access the SCSI generic device.

Well, I have a symlink /dev/cdwriter -> /dev/sg0. Not sure if it is 
still meaningful or whether it is left from the "hdc=ide_scsi" times.

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
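The thread works through each quoted AVC denial by hand (allow, dontaudit, relabel, or file a bug against the program). The following is an added example, not code from the thread or from the SELinux project: it parses the old-style kernel "avc: denied" lines quoted above and collapses them into candidate allow rules keyed by source domain, target type and object class, which is the first step of that triage. The sample log is constructed from the denials in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the form of the denials quoted in the thread
# (kernel audit messages with the old-style "avc:  denied  { perms }" layout).
SAMPLE_LOG = """\
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  { read write } for  pid=1665 exe=/usr/sbin/gpm name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:19:53 dell kernel: audit(1079007592.976:0): avc:  denied  { ioctl } for  pid=1665 exe=/usr/sbin/gpm path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:gpm_t tcontext=system_u:object_r:device_t tclass=chr_file
Mar 11 04:20:29 dell kernel: audit(1079007629.554:0): avc:  denied  { read } for  pid=2098 exe=/usr/bin/kdm name=mem dev=hda2 ino=2683359 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
"""

# Permissions are inside braces; everything after "for" is key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val          # pid, exe, name/path, dev, ino, scontext, ...
    return rec

def domain(ctx):
    """Type component of a user:role:type security context."""
    return ctx.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source domain, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (domain(rec["scontext"]), domain(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def to_allow_rules(summary):
    """Render each group as the allow rule that would silence those denials."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The generated rules are review candidates only: as the thread shows, the right answer for a denial may be a dontaudit, a relabel of the file, or a fix to the program (kdm reading /dev/mem), not an allow.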
