gnome-settings-daemon fails in strict policy at version 2301

Ken YANG spng.yang at gmail.com
Fri Jun 1 06:40:37 UTC 2007


I checked out the policy from svn at version 2301 and built it on
FC7 Rawhide.

After switching from target to strict, I cannot make my
gnome-settings-daemon work well:

###
The detailed context is in this thread:
http://marc.info/?l=selinux&m=118050940823692&w=2
###

I log in as a normal user through X Window, but I got another
error:

"Fails to execute program: /usr/libexec/gnome-settings-daemon"

The corresponding AVCs were:

type=AVC msg=audit(1180319582.421:32): avc:  denied  { execute } for
pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1
ino=215756 scontext=user_u:user_r:user_dbusd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1180319582.421:32): avc:  denied  { execute_no_trans
} for  pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1
ino=215756 scontext=user_u:user_r:user_dbusd_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file

I added two template calls in dbus_per_role_template() to remove these two
errors:

corecmd_exec_bin($1_dbusd_t)

Additionally, there are still other errors about gnome-settings-daemon:

type=AVC msg=audit(1180319581.037:31): avc:  denied  { search } for
pid=1844 comm="dbus-daemon" name="yangshao" dev=sda1 ino=1407785
scontext=user_u:user_r:user_dbusd_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

I used an interface to remove this denied error:

userdom_search_user_home_dirs($1,$1_dbusd_t)
(also in dbus_per_role_template())

After re-making and rebooting, I got another error:

"... /usr/libexec/gnome-settings-daemon received singal 6..."

It seemed that gnome-settings-daemon received a SIGABRT signal, and I found
an AVC denied message:

type=AVC msg=audit(1180493663.406:31): avc:  denied  { getsched } for
pid=1856 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0
tcontext=user_u:user_r:user_dbusd_t:s0 tclass=process

So I permitted getsched for user_dbusd_t to try to fix this "signal 6" error:

allow $1_dbusd_t self:process { getattr sigkill signal getsched };

But after adding this, gnome-settings-daemon exits with status 1 after
rebooting, and some AVC denied messages came out:

type=AVC msg=audit(1180494884.832:87): avc:  denied  { search } for
pid=2112 comm="gnome-settings-" name=".X11-unix" dev=sda1 ino=327976
scontext=user_u:user_r:user_dbusd_t:s0
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1180494884.840:88): avc:  denied  { create } for
pid=2112 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0
tcontext=user_u:user_r:user_dbusd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1180494884.840:89): avc:  denied  { name_connect }
for  pid=2112 comm="gnome-settings-" dest=6000
scontext=user_u:user_r:user_dbusd_t:s0
tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket


I wonder whether these errors are caused by my modification, and how to make
gnome-settings-daemon work?

Thanks in advance.
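
An added example, not part of the original post: a small Python parser that takes the AVC records quoted in the message (rejoined onto single lines), groups the denials by source type, target type and class, and lists which command names were seen in each source domain. The function names are illustrative, and the rendered allow rules are raw rules for review, not the refpolicy interfaces the poster used.

```python
import re
from collections import defaultdict

# AVC records quoted in the post, rejoined onto single lines (the mail wrapped them).
RECORDS = """\
type=AVC msg=audit(1180319582.421:32): avc:  denied  { execute } for pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1 ino=215756 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1180319582.421:32): avc:  denied  { execute_no_trans } for  pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1 ino=215756 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1180319581.037:31): avc:  denied  { search } for pid=1844 comm="dbus-daemon" name="yangshao" dev=sda1 ino=1407785 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1180493663.406:31): avc:  denied  { getsched } for pid=1856 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=process
type=AVC msg=audit(1180494884.832:87): avc:  denied  { search } for pid=2112 comm="gnome-settings-" name=".X11-unix" dev=sda1 ino=327976 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1180494884.840:88): avc:  denied  { create } for pid=2112 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1180494884.840:89): avc:  denied  { name_connect } for  pid=2112 comm="gnome-settings-" dest=6000 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # An SELinux context is user:role:type[:level]; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    rules = defaultdict(set)  # (source type, target type, class) -> permissions
    comms = defaultdict(set)  # source type -> command names seen in that domain
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
            comms[rec["stype"]].add(rec["comm"])
    return rules, comms

def as_allow_rules(rules):
    """Render the grouped denials as raw allow rules, for review only."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        target = "self" if s == t else t
        out.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    rules, comms = summarize(RECORDS)
    print("\n".join(as_allow_rules(rules)))
    for domain, names in comms.items():
        print(f"{domain} runs: {', '.join(sorted(names))}")
```

Both dbus-daemon and gnome-settings- are reported under user_dbusd_t, which is consistent with the execute_no_trans permission in the second record: that permission covers executing a file without a domain transition.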
