Old 01-10-2008, 05:52 PM
"Tom London"
 
AVC generated from virtual terminal switch ('Ctl-Alt-F1/Ctl-Alt-F7')

Sorry, missed this one:

type=AVC msg=audit(1199980182.688:53): avc: denied { search } for
pid=3671 comm="login"
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1199980182.688:53): arch=40000003 syscall=288
success=yes exit=0 a0=3 a1=f315af4 a2=0 a3=1f4 items=0 ppid=1 pid=3671
auid=500 uid=0 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) comm="login" exe="/bin/login"
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-14-2008, 02:43 PM
Daniel J Walsh
 
AVC generated from virtual terminal switch ('Ctl-Alt-F1/Ctl-Alt-F7')

Tom London wrote:
> Running Rawhide, targeted enforcing.
>
> Booting into gdm/gnome, entering 'Ctl-Alt-F1' and logging in as the
> same user generates the following audit messages:
>
> type=USER_AUTH msg=audit(1199979217.226:28): user pid=2602 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:authentication acct=tbl exe="/bin/login" (hostname=?,
> addr=?, terminal=tty1 res=failed)'
> type=USER_LOGIN msg=audit(1199979217.266:29): user pid=2602 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='uid=500: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> res=failed)'
> type=USER_AUTH msg=audit(1199979226.383:30): user pid=2602 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:authentication acct=tbl exe="/bin/login" (hostname=?,
> addr=?, terminal=tty1 res=failed)'
> type=USER_LOGIN msg=audit(1199979226.384:31): user pid=2602 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='uid=500: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> res=failed)'
> type=USER_AUTH msg=audit(1199979234.098:32): user pid=2602 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:authentication acct=tbl exe="/bin/login" (hostname=?,
> addr=?, terminal=tty1 res=success)'
> type=USER_ACCT msg=audit(1199979234.106:33): user pid=2602 uid=0
> auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:accounting acct=tbl exe="/bin/login" (hostname=?, addr=?,
> terminal=tty1 res=success)'
> type=LOGIN msg=audit(1199979234.108:34): login pid=2602 uid=0 old
> auid=4294967295 new auid=500
> type=USER_ROLE_CHANGE msg=audit(1199979234.130:35): user pid=2602
> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0
> selected-context=unconfined_u:unconfined_r:unconfined_t:s0:
> exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
> type=AVC msg=audit(1199979234.132:36): avc: denied { link } for
> pid=2602 comm="login"
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key
> type=SYSCALL msg=audit(1199979234.132:36): arch=40000003 syscall=288
> success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=1f4 items=0 ppid=1
> pid=2602 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=tty1 comm="login" exe="/bin/login"
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
> type=USER_START msg=audit(1199979234.142:37): user pid=2602 uid=0
> auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct=tbl exe="/bin/login" (hostname=?,
> addr=?, terminal=tty1 res=success)'
> type=CRED_ACQ msg=audit(1199979234.142:38): user pid=2602 uid=0
> auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:setcred acct=tbl exe="/bin/login" (hostname=?, addr=?,
> terminal=tty1 res=success)'
> type=USER_LOGIN msg=audit(1199979234.145:39): user pid=2602 uid=0
> auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='uid=500: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> res=success)'
>
> Putting system into permissive mode and retrying appears to generate
> no new AVCs.
>
> Does
>
> #============= local_login_t ==============
> allow local_login_t xdm_t:key link;
>
> make sense?
>
> tom

This is caused by a bad gdm pam file. Your PAM file should look
something like this:

#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth

pam_keyinit.so has to happen after pam_selinux. This will create a
keyring labeled unconfined_t or xguest_t, which other domains would have
access to. A keyring labeled after a login program makes no sense.

I just updated gdm in rawhide to have this pam file.
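As an added example (not code from the thread, gdm or Fedora): a small Python check for the two things Daniel's reply turns on. First, the session-phase ordering of `pam_selinux.so open` versus `pam_keyinit.so`, run over the PAM file he posted and over a constructed "bad" variant with pam_keyinit moved before pam_selinux open. Second, a filter over audit lines that picks out key-class AVC denials whose target keyring carries a login-program domain, which is the symptom Tom saw. The two AVC lines are the ones from Tom's report joined onto one line each; the bad PAM file and `LOGIN_DOMAINS` (seeded with the two domains visible in the thread) are assumptions of this example.

```python
import re

# --- PAM ordering check -------------------------------------------------
# Rule from the reply: in the session phase, pam_selinux.so open must run
# before pam_keyinit.so, so the session keyring is created in the user's
# context rather than labeled with the login program's domain.

PAM_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def parse_pam(text):
    """Return (type, control, module, [args]) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append((m["type"].lstrip("-"), m["control"], m["module"], m["args"].split()))
    return entries

def check_keyinit_order(text):
    """Return (ok, reason). ok is True only when every session pam_keyinit.so
    line comes after the last session 'pam_selinux.so open' line."""
    session = [e for e in parse_pam(text) if e[0] == "session"]
    selinux_open = [i for i, e in enumerate(session) if e[2] == "pam_selinux.so" and "open" in e[3]]
    keyinit = [i for i, e in enumerate(session) if e[2] == "pam_keyinit.so"]
    if not keyinit:
        return True, "no session pam_keyinit.so line; nothing to order"
    if not selinux_open:
        return False, "pam_keyinit.so present but no 'pam_selinux.so open' session line"
    if min(keyinit) > max(selinux_open):
        return True, "pam_keyinit.so runs after pam_selinux.so open"
    return False, "pam_keyinit.so runs before pam_selinux.so open: keyring gets the login program's label"

# --- AVC keyring-denial filter ------------------------------------------
AVC_LINE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: domains of login programs whose label should never end up on a
# user's session keyring. Seeded with the two seen in this thread.
LOGIN_DOMAINS = {"xdm_t", "local_login_t"}

def parse_avc(line):
    """Parse one AVC denial into a dict, or None if the line is not one."""
    m = AVC_LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    return d

def domain_type(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]

def keyring_denials(lines):
    """Return (source type, target type, perms) for key-class denials whose
    target keyring is labeled with a login-program domain."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if d and d["tclass"] == "key" and domain_type(d["tcontext"]) in LOGIN_DOMAINS:
            hits.append((domain_type(d["scontext"]), domain_type(d["tcontext"]), d["perms"]))
    return hits

# --- sample input --------------------------------------------------------
# The gdm PAM file as posted in the reply.
GOOD_PAM = """#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
"""

# Constructed variant: pam_keyinit.so moved before pam_selinux.so open.
BAD_PAM = GOOD_PAM.replace("session optional pam_keyinit.so force revoke\n", "").replace(
    "session required pam_selinux.so open\n",
    "session optional pam_keyinit.so force revoke\nsession required pam_selinux.so open\n")

# The two AVC lines from Tom's report, each joined onto a single line.
THREAD_AVCS = [
    'type=AVC msg=audit(1199979234.132:36): avc: denied { link } for pid=2602 comm="login" '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key',
    'type=AVC msg=audit(1199980182.688:53): avc: denied { search } for pid=3671 comm="login" '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key',
]

if __name__ == "__main__":
    print("posted gdm file:", check_keyinit_order(GOOD_PAM))
    print("constructed bad file:", check_keyinit_order(BAD_PAM))
    for src, tgt, perms in keyring_denials(THREAD_AVCS):
        print(f"keyring denial: {src} -> {tgt} {perms}")
```

The ordering check deliberately looks only at the session phase, since that is where both pam_selinux.so open and pam_keyinit.so are stacked; the AVC filter keys on `tclass=key` plus the target domain rather than on the source domain, so it would also catch the same mislabeled keyring being hit from another login path.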