Old 02-02-2012, 12:13 PM
Klaus Lichtenwalder

playing with unconfined domains and users on Fedora 16

Hi,

after reading Dan's Blog post about upping the security with SE Linux I
thought I'd give it another try. So I did the following on my Netbook,
which is a Fedora 16 XFCE Spin:

(I'm playing in Permissive mode right now ;-)

semodule -d unconfined

Which was relatively painless after a reboot (only NetworkManager
seems to have problems (re)starting sendmail, but I did not want to use
this anyway)

So I went further:
# semanage login -m -s staff_u root
# semanage login -m -s staff_u __default__
# semanage user -d unconfined_u
# semanage user -m -R "staff_r system_r sysadm_r" staff_u

I did not remove the unconfined user for the moment.

The following happens, which I guess is a bug in gpg-agent's policy?

Output of audit2allow
#============= gpg_agent_t ==============
#!!!! The source type 'gpg_agent_t' can write to a 'dir' of
the following types:
# tmp_t, gpg_agent_tmp_t, gpg_secret_t

allow gpg_agent_t cache_home_t:dir { write add_name };
#!!!! The source type 'gpg_agent_t' can write to a 'file' of
the following types:
# gpg_agent_tmp_t, gpg_secret_t

allow gpg_agent_t cache_home_t:file { write create open getattr };
allow gpg_agent_t gpg_secret_t:sock_file { write create };

which would render gpg-agent probably useless...


Then I'm coming on shaky ground. If I understand correctly, I have to
have sudo rules for getting administrative work done. This is my sudoers
rule, which seems to work:

klaus ALL = TYPE=unconfined_t ROLE=system_r ALL

But I get the following avcs:
#============= staff_sudo_t ==============
allow staff_sudo_t unconfined_t:process transition;

#============= staff_t ==============
allow staff_t etc_t:file entrypoint;
allow staff_t xauth_exec_t:file entrypoint;

I did not try this with enforcing.
Any recommendations?
Full AVC Log is in the attachment

Thanks,
Klaus

--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name
PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2 669D 2F59 3F34 6E81 5A89
----
time->Thu Feb 2 14:01:40 2012
type=SYSCALL msg=audit(1328187700.889:51): arch=40000003 syscall=11 success=yes exit=0 a0=a055398 a1=a04ff88 a2=a05b2b0 a3=a04ff88 items=0 ppid=1002 pid=1003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="PreLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187700.889:51): avc: denied { entrypoint } for pid=1003 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3 ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Thu Feb 2 14:01:40 2012
type=SYSCALL msg=audit(1328187700.930:52): arch=40000003 syscall=11 success=yes exit=0 a0=a05b85d a1=a057a38 a2=a05b2b0 a3=bfe1ff76 items=0 ppid=1 pid=1007 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187700.930:52): avc: denied { entrypoint } for pid=1007 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
----
time->Thu Feb 2 14:01:45 2012
type=SYSCALL msg=audit(1328187705.676:54): arch=40000003 syscall=5 success=yes exit=3 a0=bf869ab2 a1=8241 a2=1b6 a3=0 items=0 ppid=1002 pid=1172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187705.676:54): avc: denied { write open } for pid=1172 comm="gpg-agent" name="gpg-agent-info" dev=sda2 ino=2098378 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=AVC msg=audit(1328187705.676:54): avc: denied { create } for pid=1172 comm="gpg-agent" name="gpg-agent-info" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
type=AVC msg=audit(1328187705.676:54): avc: denied { add_name } for pid=1172 comm="gpg-agent" name="gpg-agent-info" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1328187705.676:54): avc: denied { write } for pid=1172 comm="gpg-agent" name=".cache" dev=sda2 ino=2097189 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
----
time->Thu Feb 2 14:01:45 2012
type=SYSCALL msg=audit(1328187705.684:55): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf868970 a2=4f221ff4 a3=8b33b50 items=0 ppid=1002 pid=1172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187705.684:55): avc: denied { getattr } for pid=1172 comm="gpg-agent" path="/home/klaus/.cache/gpg-agent-info" dev=sda2 ino=2098378 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:cache_home_t:s0 tclass=file
----
time->Thu Feb 2 14:01:45 2012
type=SYSCALL msg=audit(1328187705.675:53): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf868a50 a2=41594ff4 a3=20 items=0 ppid=1002 pid=1172 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="gpg-agent" exe="/usr/bin/gpg-agent" subj=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187705.675:53): avc: denied { create } for pid=1172 comm="gpg-agent" name="S.gpg-agent" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=sock_file
----
time->Thu Feb 2 14:02:13 2012
type=SYSCALL msg=audit(1328187733.740:62): arch=40000003 syscall=11 success=yes exit=0 a0=70db77 a1=2130e408 a2=2130e9c8 a3=21309e08 items=0 ppid=1581 pid=1585 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="sesh" exe="/usr/libexec/sesh" subj=staff_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328187733.740:62): avc: denied { transition } for pid=1585 comm="sudo" path="/usr/libexec/sesh" dev=sda3 ino=66403 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-02-2012, 01:01 PM
Dominick Grift

playing with unconfined domains and users on Fedora 16

On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
> Hi,
>
> after reading Dan's Blog post about upping the security with SE Linux I
> thought I'd give it another try. So I did the following on my Netbook,
> which is a Fedora 16 XFCE Spin:
>
> (I'm playing in Permissive mode right now ;-)
>
> semodule -d unconfined
>
> Which was relatively painless after a reboot (only NetworkManager
> seems to have problems (re)starting sendmail, but I did not want to use
> this anyway)
>
> So I went further:
> # semanage login -m -s staff_u root
> # semanage login -m -s staff_u __default__
> # semanage user -d unconfined_u
> # semanage user -m -R "staff_r system_r sysadm_r" staff_u
>
> I did not remove the unconfined user for the moment.
>
> The following happens, which I guess is a bug in gpg-agent's policy?
>
> Output of audit2allow
> #============= gpg_agent_t ==============
> #!!!! The source type 'gpg_agent_t' can write to a 'dir' of
> the following types:
> # tmp_t, gpg_agent_tmp_t, gpg_secret_t
>
> allow gpg_agent_t cache_home_t:dir { write add_name };
> #!!!! The source type 'gpg_agent_t' can write to a 'file' of
> the following types:
> # gpg_agent_tmp_t, gpg_secret_t
>
> allow gpg_agent_t cache_home_t:file { write create open getattr };
> allow gpg_agent_t gpg_secret_t:sock_file { write create };
>
> which would render gpg-agent probably useless...

I have not encountered similar avc denials here. I wonder what i am
doing differently.

If you are sure you have configured gpg-agent properly, then this may
indeed be a bug in policy.

The SELinux framework aims to make it easy for one to make adjustments
to policy.

>
>
> Then I'm coming on shaky ground. If I understand correctly, I have to
> have sudo rules for getting administrative work done. This is my sudoers
> rule, which seems to work:
>
> klaus ALL = TYPE=unconfined_t ROLE=system_r ALL
>

That's wrong:

klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

if you want to use unconfined_r as you have specified above then you
need to map the unconfined_r to the staff_u SELinux user:

semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u

> But I get the following avcs:
> #============= staff_sudo_t ==============
> allow staff_sudo_t unconfined_t:process transition;
>
> #============= staff_t ==============
> allow staff_t etc_t:file entrypoint;
> allow staff_t xauth_exec_t:file entrypoint;
>
> I did not try this with enforcing.
> Any recommendations?
> Full AVC Log is in the attachment
>
> Thanks,
> Klaus
>


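A way to check Dominick's point mechanically before going to enforcing mode, as an added example that is not code from the thread: a sudoers ROLE= only works if that role is in the role list of the SELinux user the login maps to. The script parses the output of semanage login -l (the __default__ fallback included) and semanage user -l and prints either ok or the semanage user -m -R command that is missing. The two tables below are constructed in the Fedora 16 column layout of those commands, with staff_u mapped the way Klaus did; on a real host feed the commands' actual output instead. Function and variable names are this example's own, and it checks only the authorized-roles condition, nothing about which role is the sensible one.

```shell
#!/bin/sh
# Added example, not code from the thread: checks that the ROLE= of a
# sudoers entry is one of the roles the caller's SELinux user may take,
# which is the condition Dominick states above. The samples below are
# constructed in the column layout of "semanage login -l" and
# "semanage user -l" on Fedora 16 (staff_u mapped the way Klaus did);
# on a real host feed the commands' actual output instead.

LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range

__default__          staff_u              s0-s0:c0.c1023
root                 staff_u              s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

USERS_BEFORE='SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'

# Same table after: semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
USERS_AFTER='SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r'

# seuser_for_login LOGIN LOGIN_MAP: the SELinux user a Linux login maps to,
# falling back to the __default__ entry as the login programs do.
seuser_for_login() {
    u=$(printf '%s\n' "$2" | awk -v l="$1" '$1 == l { print $2 }')
    [ -n "$u" ] || u=$(printf '%s\n' "$2" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "$u"
}

# roles_for_seuser SEUSER USERS_OUTPUT: the role list, column 5 onwards.
roles_for_seuser() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u {
        s = ""; for (i = 5; i <= NF; i++) s = s (s == "" ? "" : " ") $i; print s }'
}

# sudo_role SUDOERS_LINE: the ROLE= value of a sudoers entry, empty if none.
sudo_role() {
    printf '%s\n' "$1" | sed -n 's/.*ROLE=\([^ ]*\).*/\1/p'
}

# check_sudo_rule LOGIN SUDOERS_LINE LOGIN_MAP USERS_OUTPUT
# Prints "ok" when ROLE= is authorized; otherwise prints the semanage
# command that adds the role (the fix given above) and returns 1.
check_sudo_rule() {
    role=$(sudo_role "$2")
    [ -n "$role" ] || { echo "ok (rule sets no ROLE=)"; return 0; }
    seuser=$(seuser_for_login "$1" "$3")
    roles=$(roles_for_seuser "$seuser" "$4")
    for r in $roles; do
        [ "$r" = "$role" ] && { echo "ok"; return 0; }
    done
    echo "semanage user -m -R \"$roles $role\" $seuser"
    return 1
}

# Demo: the corrected sudoers line, before and after unconfined_r is added to staff_u.
RULE='klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL'
check_sudo_rule klaus "$RULE" "$LOGIN_MAP" "$USERS_BEFORE" || true
check_sudo_rule klaus "$RULE" "$LOGIN_MAP" "$USERS_AFTER"
```

Run it with `LOGIN_MAP=$(semanage login -l)` and `USERS_BEFORE=$(semanage user -l)` substituted for the constructed tables; a rule that passes this check can still be denied for other reasons, so keep the audit log open on the first sudo in enforcing mode.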
 
Old 02-02-2012, 02:06 PM
Klaus Lichtenwalder

playing with unconfined domains and users on Fedora 16

On 02.02.2012 15:01, Dominick Grift wrote:
> On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
>>[...]
>> which would render gpg-agent probably useless...
>
> I have not encountered similar avc denials here. I wonder what i am
> doing differently.
>
> If you are sure you have configured gpg-agent properly, then this may
> indeed be a bug in policy.
>
> The SELinux framework aims to make it easy for one to make adjustments
> to policy.

Well, gpg-agent "just" is installed and started by the login process,
with gpg-agent --daemon. The only configuration I was doing was setting
the ttl time and giving "use-agent" to gnupg2. One avc was indeed gone
after enabling the bool gpg_agent_env_file. But it still stumbles over
the socket, which it wants to create in $HOME/.gnupg. Guess I'll have a
look over the policy, in case I can detect something

> [...]
> klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>
> if you want to use unconfined_r as you have specified above then you
> need to map the unconfined_r to the staff_u SELinux user:
>
> semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u

Thanks, unconfined_r was missing in the semanage command above.

Still, logging in leaves me with the following denials:

time->Thu Feb 2 15:40:06 2012
type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11
success=yes exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0
ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin" exe="/bin/bash"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.453:145): avc: denied { entrypoint } for
pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3
ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Thu Feb 2 15:40:06 2012
type=SYSCALL msg=audit(1328193606.472:146): arch=40000003 syscall=11
success=yes exit=0 a0=a060525 a1=a057838 a2=a06e958 a3=bfe1ff76 items=0
ppid=1 pid=3291 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="xauth"
exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.472:146): avc: denied { entrypoint } for
pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
----
time->Thu Feb 2 15:40:06 2012
type=SYSCALL msg=audit(1328193606.484:147): arch=40000003 syscall=11
success=yes exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0
ppid=1 pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3
comm="PostLogin" exe="/bin/bash"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.484:147): avc: denied { entrypoint } for
pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3
ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file

Which also seems to point to something missing. I checked all labels,
but everything seems fine according to policy. Am I correct in saying
that staff_u:staff_r:staff_t is missing an entrypoint rule for etc_t
files and xauth_exec_t? The former somehow seems mislabeled, as an
entrypoint is associated with a _exec_t?

Thanks,
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name
PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2 669D 2F59 3F34 6E81 5A89

 
Old 02-02-2012, 02:23 PM
Dominick Grift

playing with unconfined domains and users on Fedora 16

On Thu, 2012-02-02 at 16:06 +0100, Klaus Lichtenwalder wrote:
> On 02.02.2012 15:01, Dominick Grift wrote:
> > On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
> >>[...]
> >> which would render gpg-agent probably useless...
> >
> > I have not encountered similar avc denials here. I wonder what i am
> > doing differently.
> >
> > If you are sure you have configured gpg-agent properly, then this may
> > indeed be a bug in policy.
> >
> > The SELinux framework aims to make it easy for one to make adjustments
> > to policy.
>
> Well, gpg-agent "just" is installed and started by the login process,
> with gpg-agent --daemon. The only configuration I was doing was setting
> the ttl time and giving "use-agent" to gnupg2. One avc was indeed gone
> after enabling the bool gpg_agent_env_file. But it still stumbles over
> the socket, which it wants to create in $HOME/.gnupg. Guess I'll have a
> look over the policy, in case I can detect something

I think this should fix it:

mkdir ~/mygpg; cd ~/mygpg
# quoted heredoc: the shell must not treat m4's backtick quotes as command substitution
cat > mygpg.te <<'EOF'
policy_module(mygpg, 1.0.0)
optional_policy(`
    gen_require(`
        type gpg_agent_t, gpg_secret_t;
    ')
    manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mygpg.pp
sudo semodule -i mygpg.pp

> > [...]
> > klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
> >
> > if you want to use unconfined_r as you have specified above then you
> > need to map the unconfined_r to the staff_u SELinux user:
> >
> > semanage user -m -R "staff_r system_r sysadm_r unconfined_r" staff_u
>
> Thanks, unconfined_r was missing in the semanage command above.
>
> Still, logging in leaves me with the following denials:
>
> time->Thu Feb 2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11
> success=yes exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0
> ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin" exe="/bin/bash"
> subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.453:145): avc: denied { entrypoint } for
> pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3
> ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> ----

I think this should fix it:

label /etc/lxdm/PreLogin type bin_t

semanage fcontext -a -t bin_t "/etc/lxdm/PreLogin"
restorecon -R -v /etc/lxdm/PreLogin

> time->Thu Feb 2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.472:146): arch=40000003 syscall=11
> success=yes exit=0 a0=a060525 a1=a057838 a2=a06e958 a3=bfe1ff76 items=0
> ppid=1 pid=3291 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="xauth"
> exe="/usr/bin/xauth" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.472:146): avc: denied { entrypoint } for
> pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file

Not sure about this one but try this:

mkdir ~/myxserver; cd ~/myxserver
cat > myxserver.te <<'EOF'
policy_module(myxserver, 1.0.0)
optional_policy(`
    gen_require(`
        type staff_t, xauth_exec_t;
    ')
    can_exec(staff_t, xauth_exec_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile myxserver.pp
sudo semodule -i myxserver.pp

> ----
> time->Thu Feb 2 15:40:06 2012
> type=SYSCALL msg=audit(1328193606.484:147): arch=40000003 syscall=11
> success=yes exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0
> ppid=1 pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3
> comm="PostLogin" exe="/bin/bash"
> subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1328193606.484:147): avc: denied { entrypoint } for
> pid=3294 comm="lxdm-binary" path="/etc/lxdm/PostLogin" dev=sda3
> ino=393585 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>

I think this should fix it:

label /etc/lxdm/PostLogin type bin_t

semanage fcontext -a -t bin_t "/etc/lxdm/PostLogin"
restorecon -R -v /etc/lxdm/PostLogin

> Which also seems to point to something missing. I checked all labels,
> but everything seems fine according to policy. Am I correct in saying
> that staff_u:staff_r:staff_t is missing an entrypoint rule for etc_t
> files and xauth_exec_t? The former somehow seems mislabeled, as an
> entrypoint is associated with a _exec_t?
>
> Thanks,
> Klaus


 
Old 02-02-2012, 02:34 PM
Daniel J Walsh

playing with unconfined domains and users on Fedora 16

On 02/02/2012 10:06 AM, Klaus Lichtenwalder wrote:
> On 02.02.2012 15:01, Dominick Grift wrote:
>> On Thu, 2012-02-02 at 14:13 +0100, Klaus Lichtenwalder wrote:
>>> [...] which would render gpg-agent probably useless...
>>
>> I have not encountered similar avc denials here. I wonder what i
>> am doing differently.
>>
>> If you are sure you have configured gpg-agent properly, then this
>> may indeed be a bug in policy.
>>
>> The SELinux framework aims to make it easy for one to make
>> adjustments to policy.
>
> Well, gpg-agent "just" is installed and started by the login
> process, with gpg-agent --daemon. The only configuration I was
> doing was setting the ttl time and giving "use-agent" to gnupg2.
> One avc was indeed gone after enabling the bool gpg_agent_env_file.
> But it still stumbles over the socket, which it wants to create in
> $HOME/.gnupg. Guess I'll have a look over the policy, in case I can
> detect something
>
>> [...] klaus ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
>>
>> if you want to use unconfined_r as you have specified above then
>> you need to map the unconfined_r to the staff_u SELinux user:
>>
>> semanage user -m -R "staff_r system_r sysadm_r unconfined_r"
>> staff_u
>
> Thanks, unconfined_r was missing in the semanage command above.
>
> Still, logging in leaves me with the following denials:
>
> time->Thu Feb 2 15:40:06 2012 type=SYSCALL
> msg=audit(1328193606.453:145): arch=40000003 syscall=11 success=yes
> exit=0 a0=a064888 a1=a0593d8 a2=a06e958 a3=a0593d8 items=0
> ppid=3288 pid=3289 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="PreLogin"
> exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> key=(null) type=AVC msg=audit(1328193606.453:145): avc: denied {
> entrypoint } for pid=3289 comm="lxdm-binary"
> path="/etc/lxdm/PreLogin" dev=sda3 ino=393588
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file ---- time->Thu Feb
> 2 15:40:06 2012 type=SYSCALL msg=audit(1328193606.472:146):
> arch=40000003 syscall=11 success=yes exit=0 a0=a060525 a1=a057838
> a2=a06e958 a3=bfe1ff76 items=0 ppid=1 pid=3291 auid=1000 uid=1000
> gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000
> fsgid=1000 tty=(none) ses=3 comm="xauth" exe="/usr/bin/xauth"
> subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC
> msg=audit(1328193606.472:146): avc: denied { entrypoint } for
> pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3
> ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file ----
> time->Thu Feb 2 15:40:06 2012 type=SYSCALL
> msg=audit(1328193606.484:147): arch=40000003 syscall=11 success=yes
> exit=0 a0=a056058 a1=a05a568 a2=a06e958 a3=a05a568 items=0 ppid=1
> pid=3294 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
> egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="PostLogin"
> exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> key=(null) type=AVC msg=audit(1328193606.484:147): avc: denied {
> entrypoint } for pid=3294 comm="lxdm-binary"
> path="/etc/lxdm/PostLogin" dev=sda3 ino=393585
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
> Which also seems to point to something missing. I checked all
> labels, but everything seems fine according to policy. Am I correct
> in saying that staff_u:staff_r:staff_t is missing an entrypoint
> rule for etc_t files and xauth_exec_t? The former somehow seems
> mislabeled, as an entrypoint is associated with a _exec_t?
>
> Thanks, Klaus
>
>
>

Those files should be labeled bin_t.

I will change the default labeling, any other binary file in that
directory.


Open a bugzilla on the gpg_agent problems.
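The replies above sort Klaus's denials by hand into three kinds: the /etc/lxdm scripts carry the wrong label (Dan: they should be bin_t; an entrypoint denial on etc_t, which is no executable type, is the tell), the sudo transition that changes role points at ROLE= and the SELinux user's role list (Dominick's first reply), and the rest are missing allow rules for audit2allow or a local module. As an added example that is neither the thread's code nor anything Fedora's tools do, here is a first-pass triage that applies exactly that split to raw audit records. The four AVC records embedded below are copied from the thread; the heuristic, the verdict wording and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread nor from Fedora's SELinux tools:
# a first-pass triage of AVC records into the three cases the replies
# above work out by hand. The heuristic and the names are this example's
# own; the sample records are the thread's.

# field KEY LINE: value of " KEY=value" or " KEY=\"value\"", empty if absent
field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_part N CONTEXT: Nth field of user:role:type:range (2 = role, 3 = type)
ctx_part() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# triage_avc AVC_LINE: prints one verdict line
#   relabel <path> ...   entrypoint denied on a type that is not an
#                        executable type (no *_exec_t, not bin_t): the file
#                        is mislabeled; fix with semanage fcontext/restorecon
#   role <r1>-><r2> ...  process transition that changes role: look at the
#                        sudoers ROLE= and the SELinux user's role list
#   rule <st> <tt>:<cls> { perms }  anything else: a missing allow rule,
#                        the audit2allow / local-module case
triage_avc() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p')
    sctx=$(field scontext "$line"); tctx=$(field tcontext "$line")
    tclass=$(field tclass "$line")
    stype=$(ctx_part 3 "$sctx"); srole=$(ctx_part 2 "$sctx")
    ttype=$(ctx_part 3 "$tctx"); trole=$(ctx_part 2 "$tctx")
    path=$(field path "$line"); [ -n "$path" ] || path=$(field name "$line")

    case " $perms " in
    *" entrypoint "*)
        case "$ttype" in
        *_exec_t|bin_t) echo "rule $stype $ttype:$tclass { $perms }" ;;
        *) echo "relabel $path ($ttype is not an entrypoint type; semanage fcontext + restorecon)" ;;
        esac ;;
    *" transition "*)
        if [ "$tclass" = process ] && [ "$srole" != "$trole" ]; then
            echo "role $srole->$trole for $stype->$ttype (check ROLE= in sudoers and semanage user -l)"
        else
            echo "rule $stype $ttype:$tclass { $perms }"
        fi ;;
    *) echo "rule $stype $ttype:$tclass { $perms }" ;;
    esac
}

# triage_log: reads audit text on stdin (e.g. ausearch -m avc output),
# triages every AVC record and ignores SYSCALL and separator lines.
triage_log() {
    while IFS= read -r l; do
        case "$l" in *"type=AVC"*"denied"*) triage_avc "$l" ;; esac
    done
}

# Sample records copied from the thread (a SYSCALL line included to show it is skipped).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1328193606.453:145): arch=40000003 syscall=11 success=yes exit=0 comm="PreLogin" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1328193606.453:145): avc: denied { entrypoint } for pid=3289 comm="lxdm-binary" path="/etc/lxdm/PreLogin" dev=sda3 ino=393588 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1328193606.472:146): avc: denied { entrypoint } for pid=3291 comm="lxdm-binary" path="/usr/bin/xauth" dev=sda3 ino=61761 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
type=AVC msg=audit(1328187705.675:53): avc: denied { create } for pid=1172 comm="gpg-agent" name="S.gpg-agent" scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=sock_file
type=AVC msg=audit(1328187733.740:62): avc: denied { transition } for pid=1585 comm="sudo" path="/usr/libexec/sesh" dev=sda3 ino=66403 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'

printf '%s\n' "$SAMPLE_AUDIT" | triage_log
```

On a live system pipe `ausearch -m avc -ts recent` into triage_log. The "relabel" verdict is the one worth acting on before anything else: an allow rule written for a mislabeled file (for example staff_t entrypoint on etc_t) would let every script and config under that type act as a domain entrypoint, which is the opposite of what the label fix achieves.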
 
Old 02-02-2012, 02:52 PM
Klaus Lichtenwalder

playing with unconfined domains and users on Fedora 16

Dan, Dominick,

thanks for your attention.

>
> Those files should be labeled bin_t.
>
> I will change the default labeling, any other binary file in that
> directory.

These are the files in /etc/lxdm:
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 LoginReady
-rw-r-----. root root system_u:object_r:etc_t:s0 lxdm.conf
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 PostLogin
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 PostLogout
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 PreLogin
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 PreReboot
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 PreShutdown
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xsession

The conf file obviously is not an executable, but belongs to the lxdm
package.

>
>
> Open a bugzilla on the gpg_agent problems.
Done: https://bugzilla.redhat.com/show_bug.cgi?id=786868
I also added the action of actually trying to use gpg-agent.

Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name
PGP Key fingerprint: FEDE 1D2A EE70 FB60 9CA2 669D 2F59 3F34 6E81 5A89

 
