Can't get fully functional (kde) desktop with SELinux
Hello to all the list. I need your help to understand what's wrong here.
I tried to convert my laptop to a selinux profile (targeted) several times following the documentation step by step. Now, the last time I tried, I'm using 2.20120725-r3 policies from the hardened-dev overlay, but I found the same problems with every version of policies I try. The system is mainly amd64 (not ~amd64). The problems I find are:

1) it seems like some parts of the hardware can't be revealed in enforcing mode: Pulseaudio can't see the soundcard, powerdevil can't see power statistics, newly attached usb drives are ignored. Obviously selinux-consolekit, selinux-policykit and selinux-dbus are installed.

2) I use partition encryption (with cryptsetup) and if booting in enforcing mode it complains about a temporary file that is already there, but then it goes straight.

3) Logging in as root with su or kdesu (in X environment) takes too long: if the password I write is ok, it takes even some minutes to give me the root shell.

Thank you in advance for your help.

This is my emerge --info:

Portage 2.1.11.9 (default/linux/amd64/10.0/selinux, gcc-4.5.3, glibc-2.15-r2, 3.3.8-gentoo x86_64)
=================================================================
System uname: Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.1
Timestamp of tree: Sun, 19 Aug 2012 12:45:01 +0000
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/cmake: 2.8.8-r3
dev-util/pkgconfig: 0.27
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.3-r2
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo mozilla hardened-dev lcd-filtering
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
DISTDIR="/home/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://de-mirror.org/gentoo/"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="it"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/mozilla /var/lib/layman/hardened-development /var/lib/layman/lcd-filtering"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac aac+ acl acpi alsa amd64 audit auto-hinter berkdb bzip2 cairo cdda cdio cdr cli consolekit corefonts cracklib crypt cups custom-cflags custom-optimization cxx dbus dirac dri dts dvd encode exif extras faac fam flac fortran g3dvl gdbm gif gles2 gpm gudev hwdb iconv jit jpeg kde keymap lcdfilter lcms libnotify lzma mad mmx mng modules mp3 mpeg mudflap multilib multimedia ncurses nls nptl ogg open_perms opengl openmp pam pcre pdf phonon pic png policykit pppd pulseaudio python qt3support qt4 readline schroedinger sdl selinux session sse sse2 sse3 sse4_1 ssl ssse3 startup-notification svg tcpd theora threads thumbnail tiff truetype type1 udev unicode usb v4l vorbis wavpack x264 xa xft xml xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="it" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

This is my avc.log of the last boot up:

Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400 audit(1345538717.847:3): avc: denied { search } for pid=1452 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588561] type=1400 audit(1345538718.587:4): avc: denied { read } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588576] type=1400 audit(1345538718.587:6): avc: denied { open } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588579] type=1400 audit(1345538718.587:7): avc: denied { open } for pid=1452 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588621] type=1400 audit(1345538718.587:8): avc: denied { getattr } for pid=1450 comm="alsactl" name="/" dev="tmpfs" ino=2980 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588625] type=1400 audit(1345538718.587:9): avc: denied { getattr } for pid=1452 comm="alsactl" name="/" dev="tmpfs" ino=2980 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588644] type=1400 audit(1345538718.587:10): avc: denied { write } for pid=1452 comm="alsactl" name="shm" dev="tmpfs" ino=2984 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588652] type=1400 audit(1345538718.587:11): avc: denied { add_name } for pid=1452 comm="alsactl" name="pulse-shm-1979112542" scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 28.881908] type=1400 audit(1345531540.026:21): avc: denied { module_request } for pid=1524 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 21 08:45:49 dell-studio kernel: [ 38.142682] type=1400 audit(1345531549.287:22): avc: denied { setrlimit } for pid=1983 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 21 08:45:49 dell-studio kernel: [ 38.743819] type=1400 audit(1345531549.888:23): avc: denied { getattr } for pid=2013 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5240 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743833] type=1400 audit(1345531549.888:24): avc: denied { search } for pid=2013 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743845] type=1400 audit(1345531549.888:25): avc: denied { write } for pid=2013 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743854] type=1400 audit(1345531549.888:26): avc: denied { add_name } for pid=2013 comm="console-kit-dae" name="database~" scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743875] type=1400 audit(1345531549.888:27): avc: denied { create } for pid=2013 comm="console-kit-dae" name="database~" scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:49 dell-studio kernel: [ 38.743939] type=1400 audit(1345531549.888:28): avc: denied { remove_name } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743948] type=1400 audit(1345531549.888:29): avc: denied { rename } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:50 dell-studio kernel: [ 39.000295] type=1400 audit(1345531550.145:30): avc: denied { read } for pid=2089 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775964] type=1400 audit(1345531555.920:51): avc: denied { read } for pid=2912 comm="sh" name="meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775974] type=1400 audit(1345531555.920:52): avc: denied { open } for pid=2912 comm="sh" name="meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775991] type=1400 audit(1345531555.920:53): avc: denied { getattr } for pid=2912 comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 21 08:45:56 dell-studio kernel: [ 44.975326] type=1400 audit(1345531556.120:54): avc: denied { read write } for pid=2956 comm="ifconfig" path="socket:[5638]" dev="sockfs" ino=5638 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 21 08:45:56 dell-studio kernel: [ 45.229495] type=1400 audit(1345531556.374:55): avc: denied { use } for pid=3088 comm="mount" path="/dev/null" dev="tmpfs" ino=2982 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
Aug 21 08:45:56 dell-studio kernel: [ 45.229516] type=1400 audit(1345531556.374:56): avc: denied { read write } for pid=3088 comm="mount" path="socket:[5638]" dev="sockfs" ino=5638 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 21 08:46:05 dell-studio kernel: [ 54.833228] type=1400 audit(1345531565.978:57): avc: denied { read } for pid=2013 comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 21 08:46:06 dell-studio kernel: [ 54.866726] type=1400 audit(1345531566.011:58): avc: denied { create } for pid=2013 comm="console-kit-dae" name="database~" scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866889] type=1400 audit(1345531566.011:59): avc: denied { remove_name } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.866898] type=1400 audit(1345531566.011:60): avc: denied { rename } for pid=2013 comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866907] type=1400 audit(1345531566.011:61): avc: denied { unlink } for pid=2013 comm="console-kit-dae" name="database" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.939435] type=1400 audit(1345531566.084:62): avc: denied { read } for pid=3111 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3056 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.939920] type=1400 audit(1345531566.084:63): avc: denied { getattr } for pid=3111 comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.939945] type=1400 audit(1345531566.084:64): avc: denied { setattr } for pid=3111 comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940052] type=1400 audit(1345531566.085:65): avc: denied { getattr } for pid=3111 comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940067] type=1400 audit(1345531566.085:66): avc: denied { setattr } for pid=3111 comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.117720] type=1400 audit(1345531571.262:74): avc: denied { execute } for pid=3184 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117729] type=1400 audit(1345531571.262:75): avc: denied { read open } for pid=3184 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117750] type=1400 audit(1345531571.262:76): avc: denied { execute_no_trans } for pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.184184] type=1400 audit(1345531571.329:77): avc: denied { write } for pid=3184 comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.184195] type=1400 audit(1345531571.329:78): avc: denied { open } for pid=3184 comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223810] type=1400 audit(1345531571.368:79): avc: denied { read } for pid=3188 comm="upowerd" name="sh" dev="sda5" ino=1706629 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223838] type=1400 audit(1345531571.368:80): avc: denied { execute } for pid=3188 comm="upowerd" name="bash" dev="sda5" ino=1700702 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.223848] type=1400 audit(1345531571.368:81): avc: denied { read open } for pid=3188 comm="upowerd" name="bash" dev="sda5" ino=1700702 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225529] type=1400 audit(1345531571.370:82): avc: denied { ioctl } for pid=3188 comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5" ino=815434 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225555] type=1400 audit(1345531571.370:83): avc: denied { getattr } for pid=3188 comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5" ino=815434 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.194471] type=1400 audit(1345531576.339:148): avc: denied { write } for pid=3260 comm="mount" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:home_root_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449862] type=1400 audit(1345531576.594:149): avc: denied { search } for pid=3268 comm="laptop-mode" name="vm" dev="proc" ino=5312 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449879] type=1400 audit(1345531576.594:150): avc: denied { write } for pid=3268 comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.450458] type=1400 audit(1345531576.595:151): avc: denied { read } for pid=3269 comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451314] type=1400 audit(1345531576.596:152): avc: denied { open } for pid=3271 comm="cat" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451327] type=1400 audit(1345531576.596:153): avc: denied { getattr } for pid=3271 comm="cat" path="/proc/sys/vm/laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.460034] type=1400 audit(1345531576.604:154): avc: denied { execute } for pid=3277 comm="readahead" name="blockdev" dev="sda5" ino=416349 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462069] type=1400 audit(1345531576.607:155): avc: denied { read open } for pid=3280 comm="readahead" name="blockdev" dev="sda5" ino=416349 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462103] type=1400 audit(1345531576.607:156): avc: denied { execute_no_trans } for pid=3280 comm="readahead" path="/sbin/blockdev" dev="sda5" ino=416349 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.494153] type=1400 audit(1345531576.639:157): avc: denied { getattr } for pid=3287 comm="which" path="/sbin/iwconfig" dev="sda5" ino=416869 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:ifconfig_exec_t tclass=file
Aug 21 08:46:24 dell-studio kernel: [ 73.269671] type=1400 audit(1345531584.414:159): avc: denied { search } for pid=1983 comm="dbus-daemon" name="console" dev="tmpfs" ino=6011 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 21 08:46:26 dell-studio kernel: [ 75.002090] type=1400 audit(1345531586.147:160): avc: denied { read } for pid=3238 comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:26 dell-studio kernel: [ 75.002101] type=1400 audit(1345531586.147:161): avc: denied { open } for pid=3238 comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:48 dell-studio kernel: [ 97.234376] type=1400 audit(1345531608.230:162): avc: denied { execstack } for pid=3659 comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 21 08:50:01 dell-studio kernel: [ 290.083336] type=1400 audit(1345531801.079:163): avc: denied { execute } for pid=4630 comm="sh" name="run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083888] type=1400 audit(1345531801.079:164): avc: denied { read open } for pid=4631 comm="sh" name="run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083965] type=1400 audit(1345531801.079:165): avc: denied { execute_no_trans } for pid=4631 comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110392] type=1400 audit(1345531801.106:166): avc: denied { ioctl } for pid=4631 comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110414] type=1400 audit(1345531801.106:167): avc: denied { getattr } for pid=4631 comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.161144] type=1400 audit(1345531801.157:168): avc: denied { create } for pid=4633 comm="ln" name="lock" scontext=system_u:system_r:crond_t tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.168642] type=1400 audit(1345531801.164:169): avc: denied { getattr } for pid=4631 comm="run-crons" path="/var/spool/cron/lastrun/lock" dev="sda7" ino=12547 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.170178] type=1400 audit(1345531801.166:170): avc: denied { read } for pid=4634 comm="find" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:default_t tclass=dir
Aug 21 08:50:01 dell-studio kernel: [ 290.180507] type=1400 audit(1345531801.176:171): avc: denied { getattr } for pid=4634 comm="find" path="/var/spool/cron/lastrun/.keep_sys-process_cronbase-0" dev="sda7" ino=45164 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:50:09 dell-studio kernel: [ 298.361777] type=1400 audit(1345531809.356:173): avc: denied { unlink } for pid=4704 comm="rm" name="lock" dev="sda7" ino=12547 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file

This is my /etc/fstab (I found that the /selinux mountpoint is no more needed):

/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/sda5 / ext4 noatime 0 1
/dev/mapper/swap none swap sw 0 0
/dev/sda7 /var jfs defaults,rootcontext=system_u:object_r:var_t 0 1
/dev/mapper/home /home ext4 noatime 0 1
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

Lastly this is my sestatus -v:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 26

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:rc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
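As an added example (not part of the original post, and not a Gentoo or SELinux tool), here is a small Python script that parses avc.log lines like the ones above, collapses them into (source domain, target type, class) groups with their permissions, and flags execute_no_trans denials: those show a domain running a binary without a domain transition (here dbus-daemon-launch-helper running /usr/libexec/upowerd in system_dbusd_t, and cron running /usr/sbin/run-crons in crond_t), so the denials that follow from upowerd, laptop-mode and so on are symptoms of the missing transition rather than rules to add. The sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied verbatim from the avc.log posted above.
SAMPLE_LINES = [
    'Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400 audit(1345538717.847:3): avc: denied { search } for pid=1452 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir',
    'Aug 21 08:45:49 dell-studio kernel: [ 28.881908] type=1400 audit(1345531540.026:21): avc: denied { module_request } for pid=1524 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system',
    'Aug 21 08:45:56 dell-studio kernel: [ 44.975326] type=1400 audit(1345531556.120:54): avc: denied { read write } for pid=2956 comm="ifconfig" path="socket:[5638]" dev="sockfs" ino=5638 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket',
    'Aug 21 08:46:06 dell-studio kernel: [ 54.940067] type=1400 audit(1345531566.085:66): avc: denied { setattr } for pid=3111 comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:sound_device_t tclass=chr_file',
    'Aug 21 08:46:11 dell-studio kernel: [ 60.117720] type=1400 audit(1345531571.262:74): avc: denied { execute } for pid=3184 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file',
    'Aug 21 08:46:11 dell-studio kernel: [ 60.117750] type=1400 audit(1345531571.262:76): avc: denied { execute_no_trans } for pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file',
    'Aug 21 08:46:11 dell-studio kernel: [ 60.184184] type=1400 audit(1345531571.329:77): avc: denied { write } for pid=3184 comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file',
    'Aug 21 08:46:16 dell-studio kernel: [ 65.449879] type=1400 audit(1345531576.594:150): avc: denied { write } for pid=3268 comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:sysctl_vm_t tclass=file',
    'Aug 21 08:50:01 dell-studio kernel: [ 290.083965] type=1400 audit(1345531801.079:165): avc: denied { execute_no_trans } for pid=4631 comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file',
]

# Shape of a kernel AVC record: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:mls]; the type (index 2) is what policy rules are written against.
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(lines):
    """Collapse many denials into one (source domain, target type, class) -> permissions entry,
    which is the granularity at which a relabel or a policy change gets discussed."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['sdomain'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(rules)


def unexpected_executions(lines):
    """Binaries each domain executed without a domain transition (execute_no_trans on a file).
    Whatever the child does afterwards is charged to the parent's domain, so later denials
    from that domain are symptoms of the missing transition, not permissions to grant."""
    ran = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and 'execute_no_trans' in rec['perms'] and rec['tclass'] == 'file':
            ran[rec['sdomain']].add(rec.get('path', rec.get('name', '?')))
    return {dom: sorted(paths) for dom, paths in ran.items()}


def comms_by_domain(lines):
    """Which commands (comm=) were observed running in each source domain."""
    comms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            comms[rec['sdomain']].add(rec.get('comm', '?'))
    return {dom: sorted(c) for dom, c in comms.items()}


def report(lines):
    """One line per collapsed group, followed by a note for every missing transition."""
    out = []
    for (sdom, ttype, tclass), perms in sorted(summarize(lines).items()):
        out.append(f"{sdom:16} -> {ttype:22} {tclass:18} {{ {' '.join(sorted(perms))} }}")
    comms = comms_by_domain(lines)
    for dom, paths in sorted(unexpected_executions(lines).items()):
        out.append(f"NOTE: {dom} ran {', '.join(paths)} in-domain (no transition); "
                   f"commands seen as {dom}: {', '.join(comms[dom])}")
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LINES))
```

Feed it the whole avc.log (one record per line) to see which groups are real labeling or policy gaps and which only exist because a helper was launched in the wrong domain.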
Can't get fully functional (kde) desktop with SELinux
On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@gmail.com2 wrote:
> Hello to all the list. I need your help to understand what's wrong here.
> I tried to convert my laptop to a selinux profile (targeted) several
> times following the documentation step by step.

Hi F.P.

First of all, thanks for trying the SELinux stuff out. I'm pretty sure we can help you further and fix things so that others don't get the same problems.

> 1) it seems like some part of hardware can't be revealed in enforcing
> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
> statistics, newly attached usb drives are ignored. Obviously
> selinux-consolekit, selinux-policykit and selinux-dbus are installed.

It is best to look at the AVC denials that come up when you launch pulseaudio, powerdevil etc. one by one. Providing all possible denials will make it much more difficult to fine-tune the problems.

What I usually do to debug issues is to do:

~# tail -f /var/log/avc.log

Then perform one activity (1) that doesn't work. For instance, try to play an MP3/OGG file which fails. Then look at the denials that came up right when you did that action.

> 3) Logging in root with su or kdesu (in X environment) takes too long:
> if the password I write is ok, it takes even some minute to give me the
> root shell.

Here too looking at the AVC denials that come up right then would be interesting. However, in this case it is best to also provide the output of "id -Z" right before you switch root, and right after.
Wkr,
  Sven Vermeulen

Re: Mass changes to packaging
From: Jóhann B. Guðmundsson <johannbg@gmail.com>
Date: Tue, 21 Aug 2012 18:09:38 +0000
To: devel@lists.fedoraproject.org

On 08/21/2012 05:08 PM, Lennart Poettering wrote:
> On Tue, 21.08.12 16:52, "Jóhann B. Guðmundsson" (johannbg@gmail.com) wrote:
>
>> On 08/21/2012 02:52 PM, Richard W.M. Jones wrote:
>>> However, the person who is sending these bug reports is
>>> (a) in a much better position to change the packages because they
>>> understand the problem and the solution, and (b) ought to take on this
>>> work because that's part of whatever feature/cleanup/etc they are
>>> proposing, instead of pushing part of that work off to everyone else.
>>
>> That's how I *initially* thought the feature process worked, as in the
>> feature owner always has to do all the work.
>>
>> Then again I suspect not many maintainers will do this change since
>> if I'm not mistaken it a) means they have to have separated spec
>> files for <F18 and b) will break everybody's upgrade path since if
>> I'm not mistaken preset *resets* units enable/disablement *again* (
>> it happens when the legacy sysv to systemd migration takes place
>> )...
>
> No, presets don't reset existing enablement/disablement status.
>
> Presets only matter with the initial installation of a package and when
> a package is converted from sysv to systemd, but do not matter if a
> package already uses systemd unit files, or just converts non-macro
> scriptlets to macro scriptlets.

But it's still necessary to keep two separate spec files ( <F18 & F18> ) + given the time of the packaging guideline changes and the branching happening the *day after*, I'm tempted to put on my QA hat and argue this should only apply to F19, not F18, and from the looks of it Red Hat's systemd *Team* is behind this, which consists of what, 5 - 10 people now, so there should be sufficient manpower for those that requested this to actually make those changes themselves before F19 gets released...

JBG
</pre> </blockquote> <br> But it's still necessary to keep two separate spec files ( <F18 & F18> ) + given the time of the packaging guideline changes and the branching happening the *day after* I tempted to put on my QA hat and argue this should only apply to F19 not F18 and from the looks of it the Red Hat's systemd *Team* is behind this which constitutes of what 5 - 10 people now so there should be sufficient manpower for those that requested this to actually make those changes themselves before F19 get's released... <br> <br> JBG<br> </body> </html> --------------030704040907010008090909-- --===============6202879569694410565== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline LS0gCmRldmVsIG1haWxpbmcgbGlzdApkZXZlbEBsaXN0cy5mZW RvcmFwcm9qZWN0Lm9yZwpodHRw czovL2FkbWluLmZlZG9yYXByb2plY3Qub3JnL21haWxtYW4vbG lzdGluZm8vZGV2ZWw= --===============6202879569694410565==-- |
Can't get fully functional (kde) desktop with SELinux
Hi Sven, nice to meet you again and thank you for your work in SELinux
and for your help.

I did as you suggested reading the denials step by step. Anyway I didn't find
a way to start pulseaudio separately, but I don't think it's really pulseaudio
related. I believe it's hardware revealing related because neither pulseaudio,
nor kmix, nor systemsettings can see the audio card; they can only use the
"output dummy" card.

Now the step by step denials.

I firstly removed the xdm initscript from the default runlevel and I started
it manually. After starting xdm these were the denials:

Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400 audit(1345617543.503:121): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.237204] type=1400 audit(1345617567.845:122): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239432] type=1400 audit(1345617567.847:123): avc: denied { search } for pid=3086 comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239574] type=1400 audit(1345617567.847:124): avc: denied { read } for pid=3086 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.781500] type=1400 audit(1345617574.389:125): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400 audit(1345617574.393:126): avc: denied { read } for pid=3101 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir

After logging in kdm I read:

Aug 22 08:40:04 dell-studio kernel: [ 223.565209] type=1400 audit(1345617604.173:127): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.166311] type=1400 audit(1345617606.774:128): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172123] type=1400 audit(1345617606.780:129): avc: denied { search } for pid=3106 comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172508] type=1400 audit(1345617606.780:130): avc: denied { read } for pid=3106 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.411908] type=1400 audit(1345617615.019:131): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.415286] type=1400 audit(1345617615.023:132): avc: denied { read } for pid=3109 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.639780] type=1400 audit(1345617634.247:133): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645402] type=1400 audit(1345617634.253:134): avc: denied { search } for pid=3111 comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645790] type=1400 audit(1345617634.253:135): avc: denied { read } for pid=3111 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527065] type=1400 audit(1345617635.135:136): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527789] type=1400 audit(1345617635.135:137): avc: denied { read } for pid=2010 comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 22 08:40:35 dell-studio kernel: [ 254.530276] type=1400 audit(1345617635.138:138): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.535883] type=1400 audit(1345617635.143:139): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.537701] type=1400 audit(1345617635.145:140): avc: denied { read } for pid=3121 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.550398] type=1400 audit(1345617636.158:141): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.554058] type=1400 audit(1345617636.162:142): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.566581] type=1400 audit(1345617640.174:143): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.569518] type=1400 audit(1345617640.177:144): avc: denied { execute } for pid=3194 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.572229] type=1400 audit(1345617640.180:145): avc: denied { execute } for pid=3197 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.574665] type=1400 audit(1345617640.182:146): avc: denied { execute } for pid=3199 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.577151] type=1400 audit(1345617640.185:147): avc: denied { execute } for pid=3201 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.579385] type=1400 audit(1345617640.187:148): avc: denied { execute } for pid=3203 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.581693] type=1400 audit(1345617640.189:149): avc: denied { execute } for pid=3205 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.583959] type=1400 audit(1345617640.191:150): avc: denied { execute } for pid=3207 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 260.191675] type=1400 audit(1345617640.799:151): avc: denied { execmem } for pid=3214 comm="kwin_opengl_tes" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 22 08:40:44 dell-studio kernel: [ 263.474683] type=1400 audit(1345617644.082:152): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.731494] type=1400 audit(1345617657.339:162): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.733813] type=1400 audit(1345617657.341:163): avc: denied { execute } for pid=3284 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.736414] type=1400 audit(1345617657.344:164): avc: denied { execute } for pid=3286 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.738821] type=1400 audit(1345617657.346:165): avc: denied { execute } for pid=3288 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.741286] type=1400 audit(1345617657.349:166): avc: denied { execute } for pid=3290 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.743700] type=1400 audit(1345617657.351:167): avc: denied { execute } for pid=3292 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.745985] type=1400 audit(1345617657.353:168): avc: denied { execute } for pid=3294 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.491022] type=1400 audit(1345617658.099:169): avc: denied { execute } for pid=3309 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.493490] type=1400 audit(1345617658.101:170): avc: denied { execute } for pid=3311 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.495741] type=1400 audit(1345617658.103:171): avc: denied { execute } for pid=3313 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.169479] type=1400 audit(1345617663.776:178): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:03 dell-studio kernel: [ 283.171841] type=1400 audit(1345617663.778:179): avc: denied { execute } for pid=3343 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.174291] type=1400 audit(1345617663.781:180): avc: denied { execute } for pid=3345 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.176853] type=1400 audit(1345617663.783:181): avc: denied { execute } for pid=3347 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.179307] type=1400 audit(1345617663.786:182): avc: denied { execute } for pid=3349 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:04 dell-studio kernel: [ 283.549112] type=1400 audit(1345617664.156:183): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:04 dell-studio kernel: [ 283.880610] type=1400 audit(1345617664.487:184): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:06 dell-studio kernel: [ 285.409187] type=1400 audit(1345617666.016:185): avc: denied { execute } for pid=3391 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.412221] type=1400 audit(1345617666.019:186): avc: denied { execute } for pid=3393 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.415310] type=1400 audit(1345617666.022:187): avc: denied { execute } for pid=3396 comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:08 dell-studio kernel: [ 288.179455] type=1400 audit(1345617668.786:219): avc: denied { execute } for pid=3516 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:41:37 dell-studio kernel: [ 317.293037] type=1400 audit(1345617697.900:220): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296511] type=1400 audit(1345617697.904:221): avc: denied { search } for pid=3666 comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296674] type=1400 audit(1345617697.904:222): avc: denied { read } for pid=3666 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296710] type=1400 audit(1345617697.904:223): avc: denied { read } for pid=3666 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir

Then I tried to start powerdevil in kde systemsettings and these were the
denials:

Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400 audit(1345618034.143:239): avc: denied { execute } for pid=5378 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.538755] type=1400 audit(1345618034.146:240): avc: denied { execute } for pid=5380 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.542123] type=1400 audit(1345618034.150:241): avc: denied { execute } for pid=5382 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.545562] type=1400 audit(1345618034.153:242): avc: denied { execute } for pid=5385 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.550155] type=1400 audit(1345618034.158:243): avc: denied { execute } for pid=5387 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.553430] type=1400 audit(1345618034.161:244): avc: denied { execute } for pid=5389 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.680410] type=1400 audit(1345618034.288:245): avc: denied { search } for pid=1980 comm="dbus-daemon" name="console" dev="tmpfs" ino=6314 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:47:14 dell-studio kernel: [ 653.683357] type=1400 audit(1345618034.291:246): avc: denied { execute } for pid=5393 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.718026] type=1400 audit(1345618036.325:247): avc: denied { execute } for pid=5407 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.724292] type=1400 audit(1345618036.332:248): avc: denied { execute } for pid=5409 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file

About the su question, before and after logging in su the context is
unconfined_u:unconfined_r:unconfined_t, while the denials are:

Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400 audit(1345617833.396:228): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:53 dell-studio kernel: [ 452.789325] type=1400 audit(1345617833.396:229): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:55 dell-studio kernel: [ 454.789483] type=1400 audit(1345617835.396:230): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:57 dell-studio kernel: [ 456.789663] type=1400 audit(1345617837.397:231): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:59 dell-studio kernel: [ 458.789842] type=1400 audit(1345617839.397:232): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:01 dell-studio kernel: [ 460.790069] type=1400 audit(1345617841.398:233): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:03 dell-studio kernel: [ 462.790251] type=1400 audit(1345617843.398:234): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:05 dell-studio kernel: [ 464.790430] type=1400 audit(1345617845.398:235): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:07 dell-studio kernel: [ 466.790614] type=1400 audit(1345617847.398:236): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:09 dell-studio kernel: [ 468.790797] type=1400 audit(1345617849.398:237): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:11 dell-studio kernel: [ 470.791079] type=1400 audit(1345617851.399:238): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir

Of course, as I wrote in the past email, the sda5 that the denials are
complaining about is my / (ext4) partition.

Thank you again.

On 21/08/2012 20:03, Sven Vermeulen wrote:
> On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@gmail.com2 wrote:
>> Hello to all the list. I need your help to understand what's wrong here.
>> I tried to convert my laptop to a selinux profile (targeted) several
>> times following the documentation step by step.
> Hi F.P.
>
> First of all, thanks for trying the SELinux stuff out. I'm pretty sure we
> can help you further and fix things so that others don't get the same
> problems.
>
>> 1) it seems like some part of hardware can't be revealed in enforcing
>> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
>> statistics, newly attached usb drives are ignored. Obviously
>> selinux-consolekit, selinux-policykit and selinux-dbus are installed.
> It is best to look at the AVC denials that come up when you launch
> pulseaudio, powerdevil etc. one by one. Providing all possible denials will
> make it much more difficult to fine-tune the problems.
>
> What I usually do to debug issues is to do:
>
> ~# tail -f /var/log/avc.log
>
> Then perform one activity (1) that doesn't work. For instance, try to play
> an MP3/OGG file which fails. Then look at the denials that came up right
> when you did that action.
>
>> 3) Logging in root with su or kdesu (in X environment) takes too long:
>> if the password I write is ok, it takes even some minute to give me the
>> root shell.
> Here too looking at the AVC denials that come up right then would be
> interesting. However, in this case it is best to also provide the output of
> "id -Z" right before you switch root, and right after.
>
> Wkr,
> 	Sven Vermeulen
Can't get fully functional (kde) desktop with SELinux
On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
> Hi Sven, nice to meet you again and thank you for your work in
> SELinux and for your help.
>
> I did as you suggested reading the denials step by step. Anyway I
> didn't find a way to start pulseaudio separately, but I don't think
> it's really pulseaudio related. I believe it's hardware revealing
> related because neither pulseaudio, nor kmix, nor systemsettings can see
> the audio card, they can only use the "output dummy" card.
>
> Now the step by step denials. I firstly removed the xdm initscript
> from the default runlevel and I started it manually. After starting
> xdm these were the denials:
> <SNIP>

Hi,

you could try to kill pulseaudio (open a Konsole and use pulseaudio -k)
and restart it afterwards via pulseaudio. It may change some AVCs, though,
because I'm not sure from which user/role/type pulseaudio is started by
default.

WKR
Hinnerk
Can't get fully functional (kde) desktop with SELinux
Thank you for your help, but I already tried "pulseaudio -k" and
"pulseaudio --kill", but it didn't stop pulseaudio because ps still showed
it. Moreover, when restarting pulseaudio with "pulseaudio -vv" I read
"E: [pulseaudio] pid.c: Daemon already running.".

On 22/08/2012 09:34, Hinnerk van Bruinehsen wrote:
> On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
>> Hi Sven, nice to meet you again and thank you for your work in
>> SELinux and for your help.
>>
>> I did as you suggested reading the denials step by step. Anyway I
>> didn't find a way to start pulseaudio separately, but I don't think
>> it's really pulseaudio related. I believe it's hardware revealing
>> related because neither pulseaudio, nor kmix, nor systemsettings can see
>> the audio card, they can only use the "output dummy" card.
>>
>> Now the step by step denials. I firstly removed the xdm initscript
>> from the default runlevel and I started it manually. After starting
>> xdm these were the denials:
>> <SNIP>
>
> Hi,
>
> you could try to kill pulseaudio (open a Konsole and use pulseaudio -k)
> and restart it afterwards via pulseaudio. It may change some AVCs, though,
> because I'm not sure from which user/role/type pulseaudio is started by
> default.
>
> WKR
> Hinnerk
Can't get fully functional (kde) desktop with SELinux
On Wed, Aug 22, 2012 at 09:12:52AM +0200, f.p.barile@gmail.com2 wrote:
> Now the step by step denials.
> I firstly removed the xdm initscript from the default runlevel and I
> started it manually. After starting xdm these were the denials:
>
> Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
> audit(1345617543.503:121): avc: denied { getattr } for pid=2010
> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:initrc_var_run_t tclass=dir

This first one is an interesting one to immediately look at. It seems that
the console-kit-dae(mon?) uses /run/ConsoleKit, and I guess (from the
initrc_var_run_t domain) that its init script creates it, not?

If that's indeed the case, I'll need to update the policy to reflect this,
allowing initrc_t to create /run/ConsoleKit but with a good file transition
(in this case, to consolekit_var_run_t).

Skipping a few other denials related to this, and then we get:

> Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
> audit(1345617574.393:126): avc: denied { read } for pid=3101
> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:udev_var_run_t tclass=dir

I don't know consolekit, but I assume there is some udev rule somewhere that
creates a file for consolekit?

The consolekit_t domain has the rights to read udev_tbl_t stuff (which I
find a stupid name for a domain). Where is this udev-acl.ck file located?
You can find it through its inode number (ino=1427) if you haven't rebooted
yet (since it is on a tmpfs within a *_var_run_t so very likely to be within
/run/udev somewhere).

Usually, I ignore the remainder of denials (especially if it is in
permissive mode) until I fixed the first ones, because those can be a
trigger for other behavior (and I don't want to update the policy for things
that aren't needed).

> Then I tried to start powerdevil in kde systemsettings and these were
> the denials:
>
> Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
> audit(1345618034.143:239): avc: denied { execute } for pid=5378
> comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:bin_t tclass=file

I had (still have actually) a bug open for udisks which is launched by dbus.
From what I can tell, everything dbus launches should be in its own domain
(otherwise it'll run in the permissions of system_dbusd_t, which we want to
keep as limited as they are). So most of the remainder of the denials I'll
have to ignore until we can get a policy for it.

It looks like the devicekit policy is a match for it, but I haven't created
an ebuild for it yet. I'll do so soon (with the rev4 release) so you can test
this out.

> About the su question, before and after logging in su the context is
> unconfined_u:unconfined_r:unconfined_t, while the denials are:
>
> Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
> audit(1345617833.396:228): avc: denied { search } for pid=4358
> comm="xauth" name="root" dev="sda5" ino=1308163
> scontext=unconfined_u:unconfined_r:xauth_t
> tcontext=system_u:object_r:default_t tclass=dir

That's not good. default_t means that there is a directory not labeled
properly (most likely root's home directory). Run "rlpkg -a -r" to relabel
the entire system and see if that removes any traces of default_t (you should
never encounter default_t iirc).

Wkr,
	Sven Vermeulen
On 22/08/2012 20:43, Sven Vermeulen wrote:
> On Wed, Aug 22, 2012 at 09:12:52AM +0200, f.p.barile@gmail.com2 wrote:
>> Now the step by step denials.
>> I firstly removed the xdm initscript from the default runlevel and I started it manually. After starting xdm these were the denials:
>>
>> Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400 audit(1345617543.503:121): avc: denied { getattr } for pid=2010 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
> This first one is an interesting one to immediately look at. It seems that the console-kit-dae(mon?) uses /run/ConsoleKit, and I guess (from the initrc_var_run_t domain) that its init script creates it, not?

In /etc/init.d/consolekit I read "checkpath -q -d -m 0755 /var/run/ConsoleKit" and, since /var/run is symlinked to /run, it seems you're right.

> If that's indeed the case, I'll need to update the policy to reflect this, allowing initrc_t to create /run/ConsoleKit but with a good file transition (in this case, to consolekit_var_run_t).

Excuse me for the stupid question... In that case, will consolekit_t have rights over consolekit_var_run_t? Will it be in rev4?

> Skipping a few other denials related to this, and then we get:
>
>> Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400 audit(1345617574.393:126): avc: denied { read } for pid=3101 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
> I don't know consolekit, but I assume there is some udev rule somewhere that creates a file for consolekit?
>
> The consolekit_t domain has the rights to read udev_tbl_t stuff (which I find a stupid name for a domain). Where is this udev-acl.ck file located? You can find it through its inode number (ino=1427) if you haven't rebooted yet (since it is on a tmpfs within a *_var_run_t so very likely to be within /run/udev somewhere).

Searching from the inode I located a folder (/run/udev/tags/udev-acl) containing files called bXXX:X or cXXX:X, but there is no trace of any udev-acl.ck file.

> Usually, I ignore the remainder of denials (especially if it is in permissive mode) until I've fixed the first ones, because those can be a trigger for other behavior (and I don't want to update the policy for things that aren't needed).

I completely agree with you.

>> Then I tried to start powerdevil in kde systemsettings and these were the denials:
>>
>> Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400 audit(1345618034.143:239): avc: denied { execute } for pid=5378 comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
> I had (still have actually) a bug open for udisks which is launched by dbus. From what I can tell, everything dbus launches should be in its own domain (otherwise it'll run in the permissions of system_dbusd_t, which we want to keep as limited as they are).
>
> So most of the remainder of the denials I'll have to ignore until we can get a policy for it.
>
> It looks like the devicekit policy is a match for it, but I haven't created an ebuild for it yet. I'll do so soon (with the rev4 release) so you can test this out.
>
>> About the su question, before and after logging in su the context is unconfined_u:unconfined_r:unconfined_t, while the denials are:
>>
>> Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400 audit(1345617833.396:228): avc: denied { search } for pid=4358 comm="xauth" name="root" dev="sda5" ino=1308163 scontext=unconfined_u:unconfined_r:xauth_t tcontext=system_u:object_r:default_t tclass=dir
> That's not good. default_t means that there is a directory not labeled properly (most likely root's home directory). Run "rlpkg -a -r" to relabel the entire system and see if that removes any traces of default_t (you should never encounter default_t iirc).

I tried rlpkg but /root still remains in the system_u:object_r:default_t context. Moreover, in /etc/selinux/targeted/contexts/files/file_contexts the only thing related to that folder is "/root/.default_contexts -- system_u:object_r:default_context_t".

> Wkr,
> Sven Vermeulen

Thank you again, Sven.
Paolo.
Hi Sven, thank you for rev4, but it didn't conclusively solve my problems. Some denials have gone, but many of them remain.

So let's see again all the step by step denials; I'll avoid redundancies.

As I boot (without starting xdm) I obtain:

Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400 audit(1345917944.706:7): avc: denied { read } for pid=1431 comm="alsactl" name="urandom" dev="tmpfs" ino=3356 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400 audit(1345917944.706:9): avc: denied { read } for pid=1431 comm="alsactl" name="random" dev="tmpfs" ino=1642 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400 audit(1345917944.706:11): avc: denied { getattr } for pid=1431 comm="alsactl" name="/" dev="tmpfs" ino=2970 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400 audit(1345910753.814:32): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400 audit(1345910753.814:33): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400 audit(1345910753.814:34): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400 audit(1345910753.814:35): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes-asm)-all" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400 audit(1345910753.820:36): avc: denied { getattr } for pid=1517 comm="cryptsetup" name="/" dev="tmpfs" ino=2970 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400 audit(1345910754.022:38): avc: denied { read } for pid=1538 comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400 audit(1345910764.585:45): avc: denied { setrlimit } for pid=1968 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 25 18:06:05 dell-studio kernel: [ 28.235761] type=1400 audit(1345910765.120:46): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.417954] type=1400 audit(1345910765.302:47): avc: denied { read } for pid=2074 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400 audit(1345910765.516:48): avc: denied { execute } for pid=2089 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.633786] type=1400 audit(1345910765.517:49): avc: denied { search } for pid=1998 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633811] type=1400 audit(1345910765.517:50): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633842] type=1400 audit(1345910765.517:51): avc: denied { search } for pid=1998 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400 audit(1345910766.052:52): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400 audit(1345910766.052:53): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.586645] type=1400 audit(1345910770.470:87): avc: denied { read } for pid=2851 comm="sh" name="meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.613072] type=1400 audit(1345910770.497:88): avc: denied { read } for pid=2851 comm="wpa_cli.sh" name="meminfo" dev="proc" ino=4026532031 scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.893591] type=1400 audit(1345910770.777:89): avc: denied { use } for pid=3024 comm="mount" path="/dev/null" dev="tmpfs" ino=1278 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
Aug 25 18:06:10 dell-studio kernel: [ 33.893637] type=1400 audit(1345910770.777:92): avc: denied { use } for pid=3024 comm="mount" path="socket:[5617]" dev="sockfs" ino=5617 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t tclass=fd
Aug 25 18:06:59 dell-studio kernel: [ 83.022406] type=1400 audit(1345910819.922:97): avc: denied { search } for pid=3031 comm="login" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:59 dell-studio kernel: [ 83.068589] type=1400 audit(1345910819.969:100): avc: denied { read } for pid=1998 comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 25 18:07:00 dell-studio kernel: [ 83.165783] type=1400 audit(1345910820.065:103): avc: denied { read } for pid=3046 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3175 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting kdm (with the xdm initscript):

Aug 25 18:08:47 dell-studio kernel: [ 190.122045] type=1400 audit(1345910927.023:107): avc: denied { read } for pid=3054 comm="rc" name="profile.env" dev="sda5" ino=663502 scontext=unconfined_u:unconfined_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 25 18:08:55 dell-studio kernel: [ 199.069675] type=1400 audit(1345910935.970:109): avc: denied { search } for pid=3099 comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir

After logging in, apart from all the same ones mentioned above that repeat themselves, I get a lot of:

Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400 audit(1345911025.905:163): avc: denied { search } for pid=1968 comm="dbus-daemon" name="console" dev="tmpfs" ino=5945 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

I hope I wrote everything.

Paolo.
On Sat, Aug 25, 2012 at 07:00:09PM +0200, Paolo Barile wrote:
> Hi Sven, thank you for rev4, but it didn't conclusively solve my problems. Some denials have gone, but many of them remain.
>
> So let's see again all the step by step denials; I'll avoid redundancies.
>
> As I boot (without starting xdm) I obtain:
>
> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir

This says /root is default_t again. Mine says:

~ # matchpathcon /root
/root   root:object_r:user_home_dir_t

~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
/etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t

It is because /root is marked as a home directory of a user that a whole set of contexts is generated for it. Perhaps for a targeted system this is different, but I don't think so.

Whenever you hit a denial with file_t or default_t in it, it means there is something awry with the contexts on the system.

You might be able to fix it by running genhomedircon (without options). It should regenerate the file context as mentioned in my grep result above.

> Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400 audit(1345917944.706:7): avc: denied { read } for pid=1431 comm="alsactl" name="urandom" dev="tmpfs" ino=3356 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

Did you enable global_ssp (or are you not running a hardened system, just SELinux)? By enabling the global_ssp boolean, all domains get access to the urandom_device_t chr_file:

~ # sesearch -s alsa_t -t urandom_device_t -A -C
Found 2 semantic av rules:
DT allow nsswitch_domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ authlogin_nsswitch_use_ldap ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]

> Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400 audit(1345917944.706:9): avc: denied { read } for pid=1431 comm="alsactl" name="random" dev="tmpfs" ino=1642 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:random_device_t tclass=chr_file

This one is new for me. If it is prohibiting alsa to work, we'll need to allow this, but I think you're booting in permissive mode, so we can't know for sure if the denial is cosmetic or not.

> Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400 audit(1345917944.706:11): avc: denied { getattr } for pid=1431 comm="alsactl" name="/" dev="tmpfs" ino=2970 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem

Which file system is it trying to get attributes from here?

> Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400 audit(1345910753.814:32): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400 audit(1345910753.814:33): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400 audit(1345910753.814:34): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400 audit(1345910753.814:35): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes-asm)-all" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400 audit(1345910753.820:36): avc: denied { getattr } for pid=1517 comm="cryptsetup" name="/" dev="tmpfs" ino=2970 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
> Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400 audit(1345910754.022:38): avc: denied { read } for pid=1538 comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
> Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400

The cryptsetup stuff might need some more updates, I only use cryptsetup for a small encrypted partition (and not a system partition) and I have most of the stuff in-kernel anyway, so no module requests here...

We'll need to look at this when you boot in enforcing mode, since I need the error message(s) as well in order to update the policy.

Same is true for most of the remaining denials btw. Some of them definitely need to be looked at in advance, like the next set, but most of them will need to be reproduced with enforcing mode...

> audit(1345910765.120:46): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir

Need to add in this run directory, haven't done that yet.

> Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400 audit(1345910765.516:48): avc: denied { execute } for pid=2089 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file

Probably needs to be made a dbus domain.

> Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400 audit(1345910766.052:52): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
> Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400 audit(1345910766.052:53): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file

Probably legit, but I'm not sure if I need to create an ifconfig_lock_t type for this, or just grant var_lock_t access. Probably the former.

> After logging in, apart from all the same ones mentioned above that repeat themselves, I get a lot of:
> Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400 audit(1345911025.905:163): avc: denied { search } for pid=1968 comm="dbus-daemon" name="console" dev="tmpfs" ino=5945 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

What does the console dir contain? It's probably in /var/run/ConsoleKit (although from your earlier denials I get the impression /var/run/ConsoleKit is not correctly labeled, whereas in this denial it is - did you relabel the system or some parts of it in between?).

I recommend to first work on the default_t and file_t stuff. That shouldn't be broken. Then in the denials, look at any denials for "execute", they almost always need to be fixed (whereas getattr/read's can often be ignored, especially in the beginning).

Then, when booted and logged in, clear the denial log and switch to enforcing mode and see what stuff breaks. Then look in the denial log for the denials, and give the error messages for the broken applications.

When we've fixed that, we should then look at the cryptsetup stuff, since you need that in order to boot successfully I guess. Only then can we try to boot in enforcing mode (once, until it boots fully).

Wkr,
Sven Vermeulen
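The triage order Sven lays out above (denials against default_t or file_t mean a labelling problem and come first, "execute" denials almost always need a policy fix, getattr/read denials can usually wait) and the find-it-by-inode trick from his first reply, as an added Python example that is not part of the thread. The parser handles the kernel-log form of the AVC records shown in this thread; the sample records are copied from Paolo's logs, the bucket names are my own, and the temporary directory tree used to exercise the inode lookup is constructed.

```python
"""Parse kernel-log AVC denials and bucket them the way the thread does.

Rules taken from Sven's replies:
  * tcontext type default_t or file_t -> labelling problem, relabel first
  * a denied 'execute' permission     -> almost always needs a policy fix
  * everything else                   -> often cosmetic; defer until the
                                         first two classes are clean
"""
import os
import re
import tempfile

# "... avc:  denied  { search } for  pid=1433 comm="alsactl" ... tclass=dir"
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs after 'for'; values are quoted (comm="alsactl") or bare (pid=1433)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

RELABEL, POLICY, DEFER = "relabel", "policy", "defer"

# Constructed sample input: five records copied from the logs posted in the
# thread plus one non-AVC kernel line, which the parser must skip.
SAMPLE_LOG = """\
Aug 25 18:06:05 dell-studio kernel: [    8.028595] type=1400 audit(1345917944.027:3): avc:  denied  { search } for  pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [    8.707035] type=1400 audit(1345917944.706:7): avc:  denied  { read } for  pid=1431 comm="alsactl" name="urandom" dev="tmpfs" ino=3356 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [   28.417954] type=1400 audit(1345910765.302:47): avc:  denied  { read } for  pid=2074 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [   28.632129] type=1400 audit(1345910765.516:48): avc:  denied  { execute } for  pid=2089 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [   16.930444] type=1400 audit(1345910753.814:32): avc:  denied  { module_request } for  pid=1517 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [   28.235761] some unrelated kernel message
"""


def parse_denial(line):
    """Return the AVC fields as a dict (plus a 'perms' set), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def classify(rec):
    """Apply the three triage rules to one parsed denial."""
    if context_type(rec.get("tcontext", "")) in ("default_t", "file_t"):
        return RELABEL
    if "execute" in rec["perms"]:
        return POLICY
    return DEFER


def triage(lines):
    """Bucket denials; each entry is (source type, perms, target type, tclass, comm)."""
    buckets = {RELABEL: [], POLICY: [], DEFER: []}
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        buckets[classify(rec)].append((
            context_type(rec.get("scontext", "")),
            " ".join(sorted(rec["perms"])),
            context_type(rec.get("tcontext", "")),
            rec.get("tclass", "?"),
            rec.get("comm", "?"),
        ))
    return buckets


def find_by_inode(root, ino):
    """Walk root and return every path whose inode number is ino.

    This is the lookup Sven suggests for ino=1427 under /run/udev; it only
    means something on the filesystem the denial names and before a reboot.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_ino == ino:
                    hits.append(path)
            except OSError:
                pass  # entry vanished between listing and stat
    return hits


def demo_inode_lookup():
    """Exercise find_by_inode on a throwaway tree shaped like /run/udev/tags."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "udev", "tags", "udev-acl")
        os.makedirs(target)
        return find_by_inode(root, os.lstat(target).st_ino) == [target]
```

Run `triage(open("/var/log/messages").read().splitlines())` and empty the relabel bucket (restorecon/rlpkg) before reading anything else, which is exactly the order recommended above.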
Hello Sven, first of all, all the denials I wrote here are from enforcing mode.

On 25/08/2012 19:24, Sven Vermeulen wrote:
> On Sat, Aug 25, 2012 at 07:00:09PM +0200, Paolo Barile wrote:
>> Hi Sven, thank you for rev4, but it didn't conclusively solve my problems. Some denials have gone, but many of them remain.
>>
>> So let's see again all the step by step denials; I'll avoid redundancies.
>>
>> As I boot (without starting xdm) I obtain:
>>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
> This says /root is default_t again. Mine says:
>
> ~ # matchpathcon /root
> /root   root:object_r:user_home_dir_t
>
> ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
> /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t

The same gives me nothing.

> It is because /root is marked as a home directory of a user that a whole set of contexts is generated for it. Perhaps for a targeted system this is different, but I don't think so.
>
> Whenever you hit a denial with file_t or default_t in it, it means there is something awry with the contexts on the system.
>
> You might be able to fix it by running genhomedircon (without options). It should regenerate the file context as mentioned in my grep result above.

genhomedircon doesn't change anything.

>> Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400 audit(1345917944.706:7): avc: denied { read } for pid=1431 comm="alsactl" name="urandom" dev="tmpfs" ino=3356 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> Did you enable global_ssp (or are you not running a hardened system, just SELinux)? By enabling the global_ssp boolean, all domains get access to the urandom_device_t chr_file:
>
> ~ # sesearch -s alsa_t -t urandom_device_t -A -C
> Found 2 semantic av rules:
> DT allow nsswitch_domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ authlogin_nsswitch_use_ldap ]
> ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]

No, it isn't. I did not enable it because I'm still not on hardened, because I'd want to let selinux completely work before the conversion.

>> Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400 audit(1345917944.706:9): avc: denied { read } for pid=1431 comm="alsactl" name="random" dev="tmpfs" ino=1642 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:random_device_t tclass=chr_file
> This one is new for me. If it is prohibiting alsa to work, we'll need to allow this, but I think you're booting in permissive mode, so we can't know for sure if the denial is cosmetic or not.

As I wrote, everything is already in enforcing mode.

>> Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400 audit(1345917944.706:11): avc: denied { getattr } for pid=1431 comm="alsactl" name="/" dev="tmpfs" ino=2970 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
> Which file system is it trying to get attributes from here?
>
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400 audit(1345910753.814:32): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400 audit(1345910753.814:33): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400 audit(1345910753.814:34): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400 audit(1345910753.814:35): avc: denied { module_request } for pid=1517 comm="cryptsetup" kmod="cbc(aes-asm)-all" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400 audit(1345910753.820:36): avc: denied { getattr } for pid=1517 comm="cryptsetup" name="/" dev="tmpfs" ino=2970 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
>> Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400 audit(1345910754.022:38): avc: denied { read } for pid=1538 comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:udev_var_run_t tclass=file
>> Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400
> The cryptsetup stuff might need some more updates, I only use cryptsetup for a small encrypted partition (and not a system partition) and I have most of the stuff in-kernel anyway, so no module requests here...
>
> We'll need to look at this when you boot in enforcing mode, since I need the error message(s) as well in order to update the policy.
>
> Same is true for most of the remaining denials btw. Some of them definitely need to be looked at in advance, like the next set, but most of them will need to be reproduced with enforcing mode...
>
>> audit(1345910765.120:46): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
> Need to add in this run directory, haven't done that yet.
>
>> Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400 audit(1345910765.516:48): avc: denied { execute } for pid=2089 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
> Probably needs to be made a dbus domain.
>
>> Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400 audit(1345910766.052:52): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
>> Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400 audit(1345910766.052:53): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
> Probably legit, but I'm not sure if I need to create an ifconfig_lock_t type for this, or just grant var_lock_t access. Probably the former.
>
>> After logging in, apart from all the same ones mentioned above that repeat themselves, I get a lot of:
>> Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400 audit(1345911025.905:163): avc: denied { search } for pid=1968 comm="dbus-daemon" name="console" dev="tmpfs" ino=5945 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
> What does the console dir contain? It's probably in /var/run/ConsoleKit (although from your earlier denials I get the impression /var/run/ConsoleKit is not correctly labeled, whereas in this denial it is - did you relabel the system or some parts of it in between?).

The console dir is outside ConsoleKit:

drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 80 26 ago 11.32 ConsoleKit
drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 60 26 ago 11.32 console

It contains... nothing! Anyway a restorecon -R /run changed the contexts inside it:

drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 80 26 ago 11.32 ConsoleKit
drwxr-xr-x. 2 root root system_u:object_r:pam_var_console_t 60 26 ago 11.32 console

Of course after the policies upgrade I relabeled the whole system (twice!)... But since /run is a tmpfs dir, and since its contexts are wrong, should I use the initramfs approach (restorecon before switching to enforcing)?

> I recommend to first work on the default_t and file_t stuff. That shouldn't be broken. Then in the denials, look at any denials for "execute", they almost always need to be fixed (whereas getattr/read's can often be ignored, especially in the beginning).
>
> Then, when booted and logged in, clear the denial log and switch to enforcing mode and see what stuff breaks. Then look in the denial log for the denials, and give the error messages for the broken applications.

It's exactly what I did in the previous email; after every step I cleared the log file.

> When we've fixed that, we should then look at the cryptsetup stuff, since you need that in order to boot successfully I guess. Only then can we try to boot in enforcing mode (once, until it boots fully).
>
> Wkr,
> Sven Vermeulen

Thank you again Sven.
Paolo.