Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   usbfs, updpwd_t, gdm (xdm_t) avcs with today's rawhide (http://www.linux-archive.org/fedora-selinux-support/10254-usbfs-updpwd_t-gdm-xdm_t-avcs-todays-rawhide.html)

"Tom London" 12-01-2007 11:19 PM

usbfs, updpwd_t, gdm (xdm_t) avcs with today's rawhide
 
Today's gdm is finally runnable for me, and with gcc-4.1.2-33, I can
compile newest kernel (2.6.24-0.61.rc3.git5.local.fc9).

However, a bunch of AVCs:

#============= mount_t ==============
allow mount_t usbfs_t:dir { read ioctl };

#============= updpwd_t ==============
allow updpwd_t tty_device_t:chr_file { read write };

#============= xdm_t ==============
allow xdm_t gconfd_exec_t:file { read execute execute_no_trans };
allow xdm_t inotifyfs_t:dir getattr;
allow xdm_t self:netlink_selinux_socket { read bind create };
allow xdm_t system_dbusd_exec_t:file { read execute execute_no_trans };
allow xdm_t system_dbusd_t:dbus acquire_svc;
allow xdm_t var_lib_t:file { rename unlink append };
allow xdm_t var_log_t:file write;

The mount_t/usbfs_t ones come early in boot.

Without adding rules for the xdm_t ones (at least some of them),
graphical login fails with 'X respawn too fast' messages.

I attach the AVCs from /var/log/messages and /var/log/audit/audit.log

tom
--
Tom London
type=DAEMON_START msg=audit(1196520595.901:9732): auditd start, ver=1.6.2, format=raw, auid=4294967295 pid=2161 res=success, auditd pid=2161
type=CONFIG_CHANGE msg=audit(1196520596.002:6): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1196520596.002:7): audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1196520596.058:8): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1196520596.058:9): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=LABEL_LEVEL_CHANGE msg=audit(1196520604.955:10): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Cups-PDF uri=cups-pdf:/ banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520605.537:11): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP4250 uri=hp:/net/hp_LaserJet_4250?ip=10.10.2.42 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520605.845:12): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520606.056:13): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_laserjet_1300 uri=hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520606.407:14): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_LaserJet_1300_USB_1 uri=usb://HP/LaserJet%201300 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520606.849:15): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Kyocera_FS-C5030N_on_dc1 uri=socket://10.10.3.49:9100 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520606.890:16): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=SavinColor uri=ipp://10.10.3.47/ipp/ banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520607.029:17): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Innopath uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196520607.031:18): user pid=2256 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=USER_AVC msg=audit(1196520619.829:19): user pid=2217 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2527 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1196520627.841:20): avc: denied { execute } for pid=2615 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=262269 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1196520627.841:20): avc: denied { read } for pid=2615 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=262269 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1196520627.841:20): avc: denied { execute_no_trans } for pid=2615 comm="dbus-launch" path="/bin/dbus-daemon" dev=dm-0 ino=262269 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1196520627.841:20): arch=40000003 syscall=11 success=yes exit=0 a0=804c614 a1=bfad2768 a2=bfad3d90 a3=400 items=0 ppid=2614 pid=2615 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196520628.364:21): avc: denied { create } for pid=2617 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1196520628.364:21): arch=40000003 syscall=102 success=yes exit=6 a0=1 a1=bff87f50 a2=168ff4 a3=19a items=0 ppid=2615 pid=2617 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196520628.364:22): avc: denied { bind } for pid=2617 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1196520628.364:22): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff87f50 a2=168ff4 a3=19a items=0 ppid=2615 pid=2617 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196520628.365:23): avc: denied { read } for pid=2618 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=AVC msg=audit(1196520629.870:24): avc: denied { execute } for pid=2628 comm="gdm-simple-gree" name="gconfd-2" dev=dm-0 ino=5485523 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file
type=AVC msg=audit(1196520629.870:24): avc: denied { read } for pid=2628 comm="gdm-simple-gree" name="gconfd-2" dev=dm-0 ino=5485523 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file
type=AVC msg=audit(1196520629.870:24): avc: denied { execute_no_trans } for pid=2628 comm="gdm-simple-gree" path="/usr/libexec/gconfd-2" dev=dm-0 ino=5485523 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1196520629.870:24): arch=40000003 syscall=11 success=yes exit=0 a0=8f3d2d8 a1=bfc79490 a2=8f25320 a3=0 items=0 ppid=1 pid=2628 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196520630.108:25): avc: denied { append } for pid=2628 comm="gconfd-2" name="saved_state" dev=dm-0 ino=65549 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1196520630.108:25): arch=40000003 syscall=5 success=yes exit=14 a0=8c6de00 a1=441 a2=1b6 a3=8c6de48 items=0 ppid=1 pid=2628 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196520632.341:26): avc: denied { getattr } for pid=2619 comm="gdm-simple-gree" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1196520632.341:26): arch=40000003 syscall=197 success=yes exit=0 a0=10 a1=bfc7898c a2=bdcff4 a3=10 items=0 ppid=2584 pid=2619 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="gdm-simple-gree" exe="/usr/libexec/gdm-simple-greeter" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1196520655.415:27): user pid=2629 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1196520655.452:28): user pid=2629 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1196520655.469:29): user pid=2629 uid=500 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=AVC msg=audit(1196520655.477:30): avc: denied { rename } for pid=2628 comm="gconfd-2" name="saved_state" dev=dm-0 ino=65549 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1196520655.477:30): arch=40000003 syscall=38 success=yes exit=0 a0=8c6de00 a1=8ede590 a2=0 a3=6 items=0 ppid=1 pid=2628 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196520655.478:31): avc: denied { unlink } for pid=2628 comm="gconfd-2" name="saved_state.orig" dev=dm-0 ino=65549 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1196520655.478:31): arch=40000003 syscall=10 success=yes exit=0 a0=8ede590 a1=8c6de00 a2=844218 a3=ffffffff items=0 ppid=1 pid=2628 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1196520628.365:23): arch=40000003 syscall=102 success=no exit=-512 a0=c a1=b7eb9f00 a2=168ff4 a3=0 items=0 ppid=1 pid=2618 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=LOGIN msg=audit(1196520655.622:32): login pid=2629 uid=500 old auid=4294967295 new auid=500
type=USER_ROLE_CHANGE msg=audit(1196520655.664:33): user pid=2629 uid=500 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=system_u:system_r:unconfined_t:s0 selected-context=system_u:system_r:unconfined_t:s0: exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1196520655.847:34): user pid=2629 uid=500 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_AUTH msg=audit(1196520727.471:35): user pid=3097 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1196520727.476:36): user pid=3097 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1196520727.915:37): user pid=3097 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1196520727.915:38): user pid=3097 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:setcred acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'

Dec 1 09:57:13 localhost kernel: audit(1196531825.909:4): avc: denied { read } for pid=1777 comm="mount" name="/" dev=usbfs ino=253 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
Dec 1 09:57:13 localhost kernel: audit(1196531825.909:5): avc: denied { read } for pid=1777 comm="mount" name="/" dev=usbfs ino=253 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
type=DAEMON_START msg=audit(1196531832.356:6341): auditd start, ver=1.6.2, format=raw, auid=4294967295 pid=2167 res=success, auditd pid=2167
type=CONFIG_CHANGE msg=audit(1196531832.457:7): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1196531832.457:8): audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1196531832.501:9): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1196531832.501:10): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.055:11): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Cups-PDF uri=cups-pdf:/ banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.143:12): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP4250 uri=hp:/net/hp_LaserJet_4250?ip=10.10.2.42 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.233:13): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.401:14): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_laserjet_1300 uri=hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.473:15): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_LaserJet_1300_USB_1 uri=usb://HP/LaserJet%201300 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.572:16): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Kyocera_FS-C5030N_on_dc1 uri=socket://10.10.3.49:9100 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.612:17): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=SavinColor uri=ipp://10.10.3.47/ipp/ banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.996:18): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Innopath uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1196531841.997:19): user pid=2262 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=USER_AVC msg=audit(1196531853.396:20): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531853.522:21): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2589 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531853.644:22): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2618 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531853.766:23): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2647 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531853.888:24): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2676 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531854.010:25): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2705 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531854.114:26): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2734 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531854.236:27): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2763 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531854.359:28): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2792 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1196531854.480:29): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2821 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AUTH msg=audit(1196531861.894:30): user pid=2523 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1196531861.898:31): avc: denied { read write } for pid=2860 comm="unix_update" name="tty1" dev=tmpfs ino=2041 scontext=system_u:system_r:updpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1196531861.898:31): arch=40000003 syscall=11 success=yes exit=0 a0=121ab8 a1=bfb524dc a2=123408 a3=400 items=0 ppid=2523 pid=2860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="unix_update" exe="/sbin/unix_update" subj=system_u:system_r:updpwd_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1196531861.909:32): user pid=2523 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1196531861.953:33): login pid=2523 uid=0 old auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1196531862.024:34): user pid=2523 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=root:system_r:unconfined_t:s0-s0:c0.c255 selected-context=root:system_r:unconfined_t:s0-s0:c0.c255: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_START msg=audit(1196531862.041:35): user pid=2523 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=CRED_ACQ msg=audit(1196531862.052:36): user pid=2523 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1196531862.074:37): user pid=2523 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1196532061.901:38): user pid=3060 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_AVC msg=audit(1196532080.096:39): user pid=2223 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=MAC_POLICY_LOAD msg=audit(1196532078.472:40): policy loaded auid=0
type=SYSCALL msg=audit(1196532078.472:40): arch=40000003 syscall=4 success=yes exit=4303580 a0=4 a1=b7b77000 a2=41aadc a3=bfbd80d8 items=0 ppid=3055 pid=3071 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="load_policy" exe="/usr/sbin/load_policy" subj=root:system_r:load_policy_t:s0-s0:c0.c255 key=(null)
type=USER_AUTH msg=audit(1196532181.942:41): user pid=3199 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=failed)'
type=AVC msg=audit(1196532181.946:42): avc: denied { write } for pid=3158 comm="gdm-simple-slav" name="btmp" dev=dm-0 ino=65633 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1196532181.946:42): arch=40000003 syscall=5 success=no exit=-13 a0=8060bc6 a1=8001 a2=bde120 a3=8060bd0 items=0 ppid=3128 pid=3158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="gdm-simple-slav" exe="/usr/libexec/gdm-simple-slave" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1196532194.458:43): user pid=3199 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1196532194.467:44): user pid=3199 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1196532194.470:45): user pid=3199 uid=500 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1196532194.570:46): login pid=3199 uid=500 old auid=4294967295 new auid=500
type=USER_ROLE_CHANGE msg=audit(1196532194.661:47): user pid=3199 uid=500 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=system_u:system_r:unconfined_t:s0 selected-context=system_u:system_r:unconfined_t:s0: exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1196532194.723:48): user pid=3199 uid=500 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_AUTH msg=audit(1196532294.059:49): user pid=3667 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1196532294.069:50): user pid=3667 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1196532294.197:51): user pid=3667 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1196532294.198:52): user pid=3667 uid=500 auid=500 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:setcred acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'


Dec 1 10:10:19 localhost kernel: audit(1196532611.765:8): avc: denied { ioctl } for pid=1775 comm="mount" path="/proc/bus/usb" dev=usbfs ino=253 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
Dec 1 10:10:19 localhost kernel: audit(1196532611.765:9): avc: denied { ioctl } for pid=1775 comm="mount" path="/proc/bus/usb" dev=usbfs ino=253 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

"Tom London" 12-03-2007 03:13 PM

usbfs, updpwd_t, gdm (xdm_t) avcs with today's rawhide
 
On Dec 1, 2007 4:19 PM, Tom London <selinux@gmail.com> wrote:
> Today's gdm is finally runnable for me, and with gcc-4.1.2-33, I can
> compile newest kernel (2.6.24-0.61.rc3.git5.local.fc9).
>
> However, a bunch of AVCs:
>
> #============= mount_t ==============
> allow mount_t usbfs_t:dir { read ioctl };
>
> #============= updpwd_t ==============
> allow updpwd_t tty_device_t:chr_file { read write };
>
> #============= xdm_t ==============
> allow xdm_t gconfd_exec_t:file { read execute execute_no_trans };
> allow xdm_t inotifyfs_t:dir getattr;
> allow xdm_t self:netlink_selinux_socket { read bind create };
> allow xdm_t system_dbusd_exec_t:file { read execute execute_no_trans };
> allow xdm_t system_dbusd_t:dbus acquire_svc;
> allow xdm_t var_lib_t:file { rename unlink append };
> allow xdm_t var_log_t:file write;
>
> The mount_t/usbfs_t ones come early in boot.
>
> Without adding rules for the xdm_t ones (at least some of them),
> graphical login fails with 'X respawn too fast' messages.
>
> I attach the AVCs from /var/log/messages and /var/log/audit/audit.log
>
I found a few more AVCs generated during graphical login:

#============= pam_t ==============
allow pam_t user_home_t:file { read getattr ioctl append };

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xdm_var_lib_t:dir search;

/var/log/audit/audit.log attached.

tom
--
Tom London
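The `allow` rule lists at the top of both messages (the mount_t, updpwd_t and xdm_t block in the first, the pam_t and xdm_dbusd_t additions in the second) are the kind of summary audit2allow derives from exactly the audit records attached above. The Python below is an added example, not code from the thread and not the audit2allow tool itself: it parses the three record shapes that the first message's attachment contains (`type=AVC`, `type=USER_AVC` with the denial inside `msg='...'`, and the kernel-prefixed lines from /var/log/messages), merges the denied permissions per source type, target type and object class, and prints them in the same grouped layout, with a comment per rule recording which command triggered it and how often. The sample input is constructed from lines in the first message; the SYSCALL line is abbreviated and is there only to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the first message's
# attachment, in the three shapes it contains (type=AVC, type=USER_AVC with the
# denial inside msg='...', and kernel-prefixed lines from /var/log/messages).
# The SYSCALL line is abbreviated and is here only to show that it is skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1196520627.841:20): avc: denied { execute } for pid=2615 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=262269 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1196520627.841:20): avc: denied { read } for pid=2615 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=262269 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1196520627.841:20): avc: denied { execute_no_trans } for pid=2615 comm="dbus-launch" path="/bin/dbus-daemon" dev=dm-0 ino=262269 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1196520627.841:20): arch=40000003 syscall=11 success=yes exit=0 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1196520619.829:19): user pid=2217 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { acquire_svc } for service=org.gnome.DisplayManager spid=2527 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1196520628.364:21): avc: denied { create } for pid=2617 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=AVC msg=audit(1196531861.898:31): avc: denied { read write } for pid=2860 comm="unix_update" name="tty1" dev=tmpfs ino=2041 scontext=system_u:system_r:updpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Dec 1 09:57:13 localhost kernel: audit(1196531825.909:4): avc: denied { read } for pid=1777 comm="mount" name="/" dev=usbfs ino=253 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
Dec 1 10:10:19 localhost kernel: audit(1196532611.765:8): avc: denied { ioctl } for pid=1775 comm="mount" path="/proc/bus/usb" dev=usbfs ino=253 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
"""

# One regex covers all three shapes: everything needed sits between
# "avc: denied {" and "tclass=", whatever prefix the line carries.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Pull the type field out of a user:role:type[:range] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx}")
    return parts[2]


def parse_avc_denials(text):
    """Aggregate denials per (source type, target type, object class).

    Returns {(stype, ttype, tclass): {"perms": set, "comms": set, "count": int}}.
    A target of the same type as the source is reported as "self", as the
    netlink_selinux_socket rule in the post is.
    """
    denials = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CONFIG_CHANGE, PAM records and so on
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        if ttype == stype:
            ttype = "self"
        entry = denials[(stype, ttype, m.group("tclass"))]
        entry["perms"].update(m.group("perms").split())
        entry["count"] += 1
        c = COMM_RE.search(line)
        # USER_AVC records carry no comm= of the denied subject, so mark them "?"
        entry["comms"].add(c.group(1) if c else "?")
    return dict(denials)


def format_allow_rules(denials):
    """Render the aggregate in the grouped layout the post uses, with a
    comment per rule saying what triggered it and how many records it merges."""
    by_source = defaultdict(list)
    for key in sorted(denials):
        by_source[key[0]].append(key)
    out = []
    for stype in sorted(by_source):
        out.append(f"#============= {stype} ==============")
        for key in by_source[stype]:
            _, ttype, tclass = key
            e = denials[key]
            perms = sorted(e["perms"])
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"# {e['count']} denial(s), comm: {', '.join(sorted(e['comms']))}")
            out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_allow_rules(parse_avc_denials(SAMPLE_LOG)))
```

Permissions are emitted in alphabetical order for determinism, so `{ ioctl read }` appears where the post shows `{ read ioctl }`; the rule sets are the same. The per-rule comment is the part that matters for triage: it ties each rule back to the command and the number of records behind it (three records for the dbus-daemon execute in the sample, the repeated acquire_svc denials in the second boot), which is what a report to the policy maintainers needs, rather than a rule list loaded as-is.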

