Old 08-21-2012, 07:14 AM
"f.p.barile@gmail.com2"
 
Can't get fully functional (kde) desktop with SELinux

Hello to all the list. I need your help to understand what's wrong here.
I tried to convert my laptop to a selinux profile (targeted) several
times following the documentation step by step.
Now, the last time I tried, I'm using 2.20120725-r3 policies from the
hardened-dev overlay, but I found the same problems with every version
of policies I try. The system is mainly amd64 (not ~amd64).
The problems I find are:
1) it seems like some part of the hardware can't be revealed in enforcing
mode: Pulseaudio can't see the soundcard, powerdevil can't see power
statistics, newly attached usb drives are ignored. Obviously
selinux-consolekit, selinux-policykit and selinux-dbus are installed.
2) I use partition encryption (with cryptsetup) and if booting in
enforcing mode it complains about a temporary file that is already
there, but then it goes straight on.
3) Logging in as root with su or kdesu (in X environment) takes too long:
if the password I write is ok, it even takes some minutes to give me the
root shell.

Thank you in advance for your help.


This is my emerge --info:

Portage 2.1.11.9 (default/linux/amd64/10.0/selinux, gcc-4.5.3,
glibc-2.15-r2, 3.3.8-gentoo x86_64)
=================================================================
System uname:
Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.1
Timestamp of tree: Sun, 19 Aug 2012 12:45:01 +0000
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/cmake: 2.8.8-r3
dev-util/pkgconfig: 0.27
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.3-r2
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo mozilla hardened-dev lcd-filtering
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param
l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt
/usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d
/etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release
/etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32
--param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
DISTDIR="/home/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified
distlocks ebuild-locks fixlafiles news parallel-fetch
parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms
strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://de-mirror.org/gentoo/"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="it"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --stats --human-readable
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/mozilla
/var/lib/layman/hardened-development /var/lib/layman/lcd-filtering"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac aac+ acl acpi alsa amd64 audit auto-hinter berkdb bzip2
cairo cdda cdio cdr cli consolekit corefonts cracklib crypt cups
custom-cflags custom-optimization cxx dbus dirac dri dts dvd encode exif
extras faac fam flac fortran g3dvl gdbm gif gles2 gpm gudev hwdb iconv
jit jpeg kde keymap lcdfilter lcms libnotify lzma mad mmx mng modules
mp3 mpeg mudflap multilib multimedia ncurses nls nptl ogg open_perms
opengl openmp pam pcre pdf phonon pic png policykit pppd pulseaudio
python qt3support qt4 readline schroedinger sdl selinux session sse sse2
sse3 sse4_1 ssl ssse3 startup-notification svg tcpd theora threads
thumbnail tiff truetype type1 udev unicode usb v4l vorbis wavpack x264
xa xft xml xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp
atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter
mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon
authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi
cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter
file_cache filter headers include info log_config logio mem_cache mime
mime_magic negotiation rewrite setenvif speling status unique_id userdir
usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets
stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df
interface irq load memory rrdtool swap syslog" ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt
gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore
rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="it" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7"
RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p
iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark
dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL,
PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON



This is my avc.log of the last boot up:

Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400
audit(1345538717.847:3): avc: denied { search } for pid=1452
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588561] type=1400
audit(1345538718.587:4): avc: denied { read } for pid=1450
comm="alsactl" name="urandom" dev="tmpfs" ino=3255
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588576] type=1400
audit(1345538718.587:6): avc: denied { open } for pid=1450
comm="alsactl" name="urandom" dev="tmpfs" ino=3255
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588579] type=1400
audit(1345538718.587:7): avc: denied { open } for pid=1452
comm="alsactl" name="urandom" dev="tmpfs" ino=3255
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588621] type=1400
audit(1345538718.587:8): avc: denied { getattr } for pid=1450
comm="alsactl" name="/" dev="tmpfs" ino=2980
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588625] type=1400
audit(1345538718.587:9): avc: denied { getattr } for pid=1452
comm="alsactl" name="/" dev="tmpfs" ino=2980
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588644] type=1400
audit(1345538718.587:10): avc: denied { write } for pid=1452
comm="alsactl" name="shm" dev="tmpfs" ino=2984
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588652] type=1400
audit(1345538718.587:11): avc: denied { add_name } for pid=1452
comm="alsactl" name="pulse-shm-1979112542"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 28.881908] type=1400
audit(1345531540.026:21): avc: denied { module_request } for pid=1524
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 21 08:45:49 dell-studio kernel: [ 38.142682] type=1400
audit(1345531549.287:22): avc: denied { setrlimit } for pid=1983
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 21 08:45:49 dell-studio kernel: [ 38.743819] type=1400
audit(1345531549.888:23): avc: denied { getattr } for pid=2013
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5240
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743833] type=1400
audit(1345531549.888:24): avc: denied { search } for pid=2013
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743845] type=1400
audit(1345531549.888:25): avc: denied { write } for pid=2013
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743854] type=1400
audit(1345531549.888:26): avc: denied { add_name } for pid=2013
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743875] type=1400
audit(1345531549.888:27): avc: denied { create } for pid=2013
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:49 dell-studio kernel: [ 38.743939] type=1400
audit(1345531549.888:28): avc: denied { remove_name } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743948] type=1400
audit(1345531549.888:29): avc: denied { rename } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:50 dell-studio kernel: [ 39.000295] type=1400
audit(1345531550.145:30): avc: denied { read } for pid=2089
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775964] type=1400
audit(1345531555.920:51): avc: denied { read } for pid=2912 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775974] type=1400
audit(1345531555.920:52): avc: denied { open } for pid=2912 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775991] type=1400
audit(1345531555.920:53): avc: denied { getattr } for pid=2912
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 08:45:56 dell-studio kernel: [ 44.975326] type=1400
audit(1345531556.120:54): avc: denied { read write } for pid=2956
comm="ifconfig" path="socket:[5638]" dev="sockfs" ino=5638
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 21 08:45:56 dell-studio kernel: [ 45.229495] type=1400
audit(1345531556.374:55): avc: denied { use } for pid=3088
comm="mount" path="/dev/null" dev="tmpfs" ino=2982
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 21 08:45:56 dell-studio kernel: [ 45.229516] type=1400
audit(1345531556.374:56): avc: denied { read write } for pid=3088
comm="mount" path="socket:[5638]" dev="sockfs" ino=5638
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=unix_dgram_socket
Aug 21 08:46:05 dell-studio kernel: [ 54.833228] type=1400
audit(1345531565.978:57): avc: denied { read } for pid=2013
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 21 08:46:06 dell-studio kernel: [ 54.866726] type=1400
audit(1345531566.011:58): avc: denied { create } for pid=2013
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866889] type=1400
audit(1345531566.011:59): avc: denied { remove_name } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.866898] type=1400
audit(1345531566.011:60): avc: denied { rename } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866907] type=1400
audit(1345531566.011:61): avc: denied { unlink } for pid=2013
comm="console-kit-dae" name="database" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.939435] type=1400
audit(1345531566.084:62): avc: denied { read } for pid=3111
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3056
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.939920] type=1400
audit(1345531566.084:63): avc: denied { getattr } for pid=3111
comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.939945] type=1400
audit(1345531566.084:64): avc: denied { setattr } for pid=3111
comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940052] type=1400
audit(1345531566.085:65): avc: denied { getattr } for pid=3111
comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940067] type=1400
audit(1345531566.085:66): avc: denied { setattr } for pid=3111
comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.117720] type=1400
audit(1345531571.262:74): avc: denied { execute } for pid=3184
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117729] type=1400
audit(1345531571.262:75): avc: denied { read open } for pid=3184
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117750] type=1400
audit(1345531571.262:76): avc: denied { execute_no_trans } for
pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5"
ino=939375 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.184184] type=1400
audit(1345531571.329:77): avc: denied { write } for pid=3184
comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.184195] type=1400
audit(1345531571.329:78): avc: denied { open } for pid=3184
comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223810] type=1400
audit(1345531571.368:79): avc: denied { read } for pid=3188
comm="upowerd" name="sh" dev="sda5" ino=1706629
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=lnk_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223838] type=1400
audit(1345531571.368:80): avc: denied { execute } for pid=3188
comm="upowerd" name="bash" dev="sda5" ino=1700702
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.223848] type=1400
audit(1345531571.368:81): avc: denied { read open } for pid=3188
comm="upowerd" name="bash" dev="sda5" ino=1700702
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225529] type=1400
audit(1345531571.370:82): avc: denied { ioctl } for pid=3188
comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5"
ino=815434 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225555] type=1400
audit(1345531571.370:83): avc: denied { getattr } for pid=3188
comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5"
ino=815434 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.194471] type=1400
audit(1345531576.339:148): avc: denied { write } for pid=3260
comm="mount" name="/" dev="dm-1" ino=2
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449862] type=1400
audit(1345531576.594:149): avc: denied { search } for pid=3268
comm="laptop-mode" name="vm" dev="proc" ino=5312
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449879] type=1400
audit(1345531576.594:150): avc: denied { write } for pid=3268
comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.450458] type=1400
audit(1345531576.595:151): avc: denied { read } for pid=3269
comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451314] type=1400
audit(1345531576.596:152): avc: denied { open } for pid=3271
comm="cat" name="laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451327] type=1400
audit(1345531576.596:153): avc: denied { getattr } for pid=3271
comm="cat" path="/proc/sys/vm/laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.460034] type=1400
audit(1345531576.604:154): avc: denied { execute } for pid=3277
comm="readahead" name="blockdev" dev="sda5" ino=416349
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462069] type=1400
audit(1345531576.607:155): avc: denied { read open } for pid=3280
comm="readahead" name="blockdev" dev="sda5" ino=416349
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462103] type=1400
audit(1345531576.607:156): avc: denied { execute_no_trans } for
pid=3280 comm="readahead" path="/sbin/blockdev" dev="sda5" ino=416349
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.494153] type=1400
audit(1345531576.639:157): avc: denied { getattr } for pid=3287
comm="which" path="/sbin/iwconfig" dev="sda5" ino=416869
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:ifconfig_exec_t tclass=file
Aug 21 08:46:24 dell-studio kernel: [ 73.269671] type=1400
audit(1345531584.414:159): avc: denied { search } for pid=1983
comm="dbus-daemon" name="console" dev="tmpfs" ino=6011
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 21 08:46:26 dell-studio kernel: [ 75.002090] type=1400
audit(1345531586.147:160): avc: denied { read } for pid=3238
comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:26 dell-studio kernel: [ 75.002101] type=1400
audit(1345531586.147:161): avc: denied { open } for pid=3238
comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:48 dell-studio kernel: [ 97.234376] type=1400
audit(1345531608.230:162): avc: denied { execstack } for pid=3659
comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 21 08:50:01 dell-studio kernel: [ 290.083336] type=1400
audit(1345531801.079:163): avc: denied { execute } for pid=4630
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083888] type=1400
audit(1345531801.079:164): avc: denied { read open } for pid=4631
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083965] type=1400
audit(1345531801.079:165): avc: denied { execute_no_trans } for
pid=4631 comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110392] type=1400
audit(1345531801.106:166): avc: denied { ioctl } for pid=4631
comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110414] type=1400
audit(1345531801.106:167): avc: denied { getattr } for pid=4631
comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.161144] type=1400
audit(1345531801.157:168): avc: denied { create } for pid=4633
comm="ln" name="lock" scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.168642] type=1400
audit(1345531801.164:169): avc: denied { getattr } for pid=4631
comm="run-crons" path="/var/spool/cron/lastrun/lock" dev="sda7"
ino=12547 scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.170178] type=1400
audit(1345531801.166:170): avc: denied { read } for pid=4634
comm="find" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 21 08:50:01 dell-studio kernel: [ 290.180507] type=1400
audit(1345531801.176:171): avc: denied { getattr } for pid=4634
comm="find" path="/var/spool/cron/lastrun/.keep_sys-process_cronbase-0"
dev="sda7" ino=45164 scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:50:09 dell-studio kernel: [ 298.361777] type=1400
audit(1345531809.356:173): avc: denied { unlink } for pid=4704
comm="rm" name="lock" dev="sda7" ino=12547
scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file

This is my /etc/fstab (I found that the /selinux mountpoint is no longer
needed):

/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/sda5 / ext4 noatime 0 1
/dev/mapper/swap none swap sw 0 0
/dev/sda7 /var jfs defaults,rootcontext=system_u:object_r:var_t 0 1
/dev/mapper/home /home ext4 noatime 0 1
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0

tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

Lastly this is my sestatus -v:

Password:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 26

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:rc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
 
Old 08-21-2012, 06:03 PM
Sven Vermeulen
 
Can't get fully functional (kde) desktop with SELinux

On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@gmail.com2 wrote:
> Hello to all the list. I need your help to understand what's wrong here.
> I tried to convert my laptop to a selinux profile (targeted) several
> times following the documentation step by step.

Hi F.P.

First of all, thanks for trying the SELinux stuff out. I'm pretty sure we
can help you further and fix things so that others don't get the same
problems.

> 1) it seems like some part of hardware can't be revealed in enforcing
> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
> statistics, newly attached usb drives are ignored. Obviously
> selinux-consolekit, selinux-policykit and selinux-dbus are installed.

It is best to look at the AVC denials that come up when you launch
pulseaudio, powerdevil etc. one by one. Providing all possible denials will
make it much more difficult to fine-tune the problems.

What I usually do to debug issues is to do:

~# tail -f /var/log/avc.log

Then perform one activity (1) that doesn't work. For instance, try to play
an MP3/OGG file which fails. Then look at the denials that came up right
when you did that action.

> 3) Logging in root with su or kdesu (in X environment) takes too long:
> if the password I write is ok, it takes even some minute to give me the
> root shell.

Here too looking at the AVC denials that come up right then would be
interesting. However, in this case it is best to also provide the output of
"id -Z" right before you switch root, and right after.

Wkr,
Sven Vermeulen
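The triage Sven describes (watch avc.log, trigger one failing action, read the denials that appear right then) is easier when the records are grouped by the access vector that was refused rather than read line by line. The following script is an added example written for this page; it is not code from the thread or from the Gentoo Hardened project. It parses the `avc: denied { perms } for key=value ...` format shown above, groups denials by (comm, scontext, tcontext, tclass), and flags `execute_no_trans` denials, which mean an executable was run without a domain transition so that everything it did afterwards is charged to the launcher's domain. The sample log embedded in it is constructed in the same layout as the kernel's lines; the host name and values are made up, not copied from the post.

```python
"""Triage helper for SELinux AVC denial records (added example).

Parses "avc: denied { perms } for key=value ..." lines as found in
avc.log, dmesg or audit.log (with or without a syslog prefix), groups
them by the refused access vector, and flags executables that were
denied a domain transition, since a daemon left running in its
launcher's domain produces a cascade of unrelated-looking denials.
"""
import re
import sys

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: same field layout as the kernel's AVC lines,
# including a syslog prefix and one non-AVC line that must be skipped.
SAMPLE_LOG = """\
Aug 21 08:45:49 host kernel: [ 7.800000] EXT4-fs (sda5): mounted filesystem
Aug 21 08:45:49 host kernel: [ 7.848157] type=1400 audit(1345538717.847:3): avc: denied { search } for pid=1452 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 21 08:45:49 host kernel: [ 8.588561] type=1400 audit(1345538718.587:4): avc: denied { read } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 host kernel: [ 8.588576] type=1400 audit(1345538718.587:6): avc: denied { open } for pid=1450 comm="alsactl" name="urandom" dev="tmpfs" ino=3255 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:46:11 host kernel: [ 60.117750] type=1400 audit(1345531571.262:76): avc: denied { execute_no_trans } for pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5" ino=939375 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 host kernel: [ 60.184184] type=1400 audit(1345531571.329:77): avc: denied { write } for pid=3184 comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:48 host kernel: [ 97.234376] type=1400 audit(1345531608.230:162): avc: denied { execstack } for pid=3659 comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
"""


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}      # e.g. ["read", "open"]
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')                   # comm, path, scontext, ...
    return rec


def parse_log(text):
    """Parse every AVC record in a block of log text, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group denials by (comm, scontext, tcontext, tclass), merging perms.

    One entry per distinct access vector shows which domain is missing
    which rule, instead of hundreds of near-identical lines.
    """
    groups = {}
    for r in records:
        key = (r.get("comm"), r["scontext"], r["tcontext"], r["tclass"])
        g = groups.setdefault(key, {"perms": set(), "count": 0})
        g["perms"].update(r["perms"])
        g["count"] += 1
    return groups


def no_transition(records):
    """Map executables denied execute_no_trans to the domain that ran them.

    The denial means the caller tried to run the file in its own domain
    (no type transition applied), so later denials from that program will
    carry the caller's scontext rather than the program's own domain.
    """
    return {r.get("path", r.get("name")): r["scontext"]
            for r in records if "execute_no_trans" in r["perms"]}


def domains_for(records, comm):
    """Set of source domains a given comm was observed running in."""
    return {r["scontext"] for r in records if r.get("comm") == comm}


def report(text):
    records = parse_log(text)
    print("%d AVC denials" % len(records))
    by_count = sorted(summarize(records).items(), key=lambda kv: -kv[1]["count"])
    for (comm, sctx, tctx, tclass), g in by_count:
        print("%3d  %-16s %-36s -> %-40s %-9s { %s }" % (
            g["count"], comm, sctx, tctx, tclass, " ".join(sorted(g["perms"]))))
    for path, domain in no_transition(records).items():
        print("no domain transition: %s was executed as %s" % (path, domain))


if __name__ == "__main__":
    # Pass a log file path to triage a real capture; otherwise use the sample.
    report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG)
```

Run it against a capture taken while reproducing a single failing action, as suggested above, and the grouped output is what you would work from when deciding whether a file context is wrong (a `default_t` or `file_t` target) or a policy rule or transition is missing.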


Tue Aug 21 20:30:02 2012
From: "Jóhann B. Guðmundsson" <johannbg@gmail.com>
Date: Tue, 21 Aug 2012 18:09:38 +0000
To: devel@lists.fedoraproject.org
Subject: Re: Mass changes to packaging
Message-ID: <5033CEE2.2000305@gmail.com>
In-Reply-To: <20120821170835.GA2811@tango.0pointer.de>
List-Archive: <http://lists.fedoraproject.org/pipermail/devel/>

On 08/21/2012 05:08 PM, Lennart Poettering wrote:
> On Tue, 21.08.12 16:52, "Jóhann B. Guðmundsson" (johannbg@gmail.com) wrote:
>
>> On 08/21/2012 02:52 PM, Richard W.M. Jones wrote:
>>> However, the person who is sending these bug reports is
>>> (a) in a much better position to change the packages because they
>>> understand the problem and the solution, and (b) ought to take on this
>>> work because that's part of whatever feature/cleanup/etc they are
>>> proposing, instead of pushing part of that work off to everyone else.
>>
>> That's how I *initially* thought the feature process worked, as in the
>> feature owner always has to do all the work.
>>
>> Then again I suspect not many maintainers will do this change since
>> if I'm not mistaken it a) means they have to have separate spec
>> files for <F18 and b) will break everybody's upgrade path since if
>> I'm not mistaken preset *resets* units enable/disablement *again* (
>> it happens when the legacy sysv to systemd migration takes place
>> )...
> No, presets don't reset existing enablement/disablement status.
>
> Presets only matter with the initial installation of a package and when
> a package is converted from sysv to systemd, but do not matter if a
> package already uses systemd unit files, or just converts non-macro
> scriptlets to macro scriptlets.

But it's still necessary to keep two separate spec files ( <F18 & F18> )
+ given the time of the packaging guideline changes and the branching
happening the *day after*, I'm tempted to put on my QA hat and argue this
should only apply to F19, not F18, and from the looks of it Red Hat's
systemd *Team* is behind this, which consists of what, 5 - 10 people
now, so there should be sufficient manpower for those that requested this
to actually make those changes themselves before F19 gets released...

JBG

 
Old 08-22-2012, 07:12 AM
"f.p.barile@gmail.com2"
 
Default Can't get fully functional (kde) desktop with SELinux

Hi Sven, nice to meet you again and thank you for your work in SELinux
and for your help.

I did as you suggested reading the denials step by step. Anyway I didn't
find a way to start pulseaudio separately, but I don't think it's really
pulseaudio related. I believe it's hardware revealing related because
neither pulseaudio, nor kmix, nor systemsettings can see the audio card; they
can only use the "output dummy" card.

Now the step by step denials.
I firstly removed the xdm initscript from the default runlevel and I
started it manually. After starting xdm these were the denials:

Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
audit(1345617543.503:121): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.237204] type=1400
audit(1345617567.845:122): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239432] type=1400
audit(1345617567.847:123): avc: denied { search } for pid=3086
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239574] type=1400
audit(1345617567.847:124): avc: denied { read } for pid=3086
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.781500] type=1400
audit(1345617574.389:125): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
audit(1345617574.393:126): avc: denied { read } for pid=3101
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After logging in kdm I read:

Aug 22 08:40:04 dell-studio kernel: [ 223.565209] type=1400
audit(1345617604.173:127): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.166311] type=1400
audit(1345617606.774:128): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172123] type=1400
audit(1345617606.780:129): avc: denied { search } for pid=3106
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172508] type=1400
audit(1345617606.780:130): avc: denied { read } for pid=3106
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.411908] type=1400
audit(1345617615.019:131): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.415286] type=1400
audit(1345617615.023:132): avc: denied { read } for pid=3109
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.639780] type=1400
audit(1345617634.247:133): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645402] type=1400
audit(1345617634.253:134): avc: denied { search } for pid=3111
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645790] type=1400
audit(1345617634.253:135): avc: denied { read } for pid=3111
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527065] type=1400
audit(1345617635.135:136): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527789] type=1400
audit(1345617635.135:137): avc: denied { read } for pid=2010
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 22 08:40:35 dell-studio kernel: [ 254.530276] type=1400
audit(1345617635.138:138): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.535883] type=1400
audit(1345617635.143:139): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.537701] type=1400
audit(1345617635.145:140): avc: denied { read } for pid=3121
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.550398] type=1400
audit(1345617636.158:141): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.554058] type=1400
audit(1345617636.162:142): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.566581] type=1400
audit(1345617640.174:143): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.569518] type=1400
audit(1345617640.177:144): avc: denied { execute } for pid=3194
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.572229] type=1400
audit(1345617640.180:145): avc: denied { execute } for pid=3197
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.574665] type=1400
audit(1345617640.182:146): avc: denied { execute } for pid=3199
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.577151] type=1400
audit(1345617640.185:147): avc: denied { execute } for pid=3201
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.579385] type=1400
audit(1345617640.187:148): avc: denied { execute } for pid=3203
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.581693] type=1400
audit(1345617640.189:149): avc: denied { execute } for pid=3205
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.583959] type=1400
audit(1345617640.191:150): avc: denied { execute } for pid=3207
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 260.191675] type=1400
audit(1345617640.799:151): avc: denied { execmem } for pid=3214
comm="kwin_opengl_tes" scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 22 08:40:44 dell-studio kernel: [ 263.474683] type=1400
audit(1345617644.082:152): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.731494] type=1400
audit(1345617657.339:162): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.733813] type=1400
audit(1345617657.341:163): avc: denied { execute } for pid=3284
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.736414] type=1400
audit(1345617657.344:164): avc: denied { execute } for pid=3286
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.738821] type=1400
audit(1345617657.346:165): avc: denied { execute } for pid=3288
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.741286] type=1400
audit(1345617657.349:166): avc: denied { execute } for pid=3290
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.743700] type=1400
audit(1345617657.351:167): avc: denied { execute } for pid=3292
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.745985] type=1400
audit(1345617657.353:168): avc: denied { execute } for pid=3294
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.491022] type=1400
audit(1345617658.099:169): avc: denied { execute } for pid=3309
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.493490] type=1400
audit(1345617658.101:170): avc: denied { execute } for pid=3311
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.495741] type=1400
audit(1345617658.103:171): avc: denied { execute } for pid=3313
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.169479] type=1400
audit(1345617663.776:178): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:03 dell-studio kernel: [ 283.171841] type=1400
audit(1345617663.778:179): avc: denied { execute } for pid=3343
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.174291] type=1400
audit(1345617663.781:180): avc: denied { execute } for pid=3345
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.176853] type=1400
audit(1345617663.783:181): avc: denied { execute } for pid=3347
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.179307] type=1400
audit(1345617663.786:182): avc: denied { execute } for pid=3349
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:04 dell-studio kernel: [ 283.549112] type=1400
audit(1345617664.156:183): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:04 dell-studio kernel: [ 283.880610] type=1400
audit(1345617664.487:184): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:06 dell-studio kernel: [ 285.409187] type=1400
audit(1345617666.016:185): avc: denied { execute } for pid=3391
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.412221] type=1400
audit(1345617666.019:186): avc: denied { execute } for pid=3393
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.415310] type=1400
audit(1345617666.022:187): avc: denied { execute } for pid=3396
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:08 dell-studio kernel: [ 288.179455] type=1400
audit(1345617668.786:219): avc: denied { execute } for pid=3516
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:41:37 dell-studio kernel: [ 317.293037] type=1400
audit(1345617697.900:220): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296511] type=1400
audit(1345617697.904:221): avc: denied { search } for pid=3666
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296674] type=1400
audit(1345617697.904:222): avc: denied { read } for pid=3666
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296710] type=1400
audit(1345617697.904:223): avc: denied { read } for pid=3666
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

Then I tried to start powerdevil in kde systemsettings and these were
the denials:

Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
audit(1345618034.143:239): avc: denied { execute } for pid=5378
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.538755] type=1400
audit(1345618034.146:240): avc: denied { execute } for pid=5380
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.542123] type=1400
audit(1345618034.150:241): avc: denied { execute } for pid=5382
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.545562] type=1400
audit(1345618034.153:242): avc: denied { execute } for pid=5385
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.550155] type=1400
audit(1345618034.158:243): avc: denied { execute } for pid=5387
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.553430] type=1400
audit(1345618034.161:244): avc: denied { execute } for pid=5389
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.680410] type=1400
audit(1345618034.288:245): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:47:14 dell-studio kernel: [ 653.683357] type=1400
audit(1345618034.291:246): avc: denied { execute } for pid=5393
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.718026] type=1400
audit(1345618036.325:247): avc: denied { execute } for pid=5407
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.724292] type=1400
audit(1345618036.332:248): avc: denied { execute } for pid=5409
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file


About the su question, before and after logging in su the context is
unconfined_u:unconfined_r:unconfined_t, while the denials are:

Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
audit(1345617833.396:228): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:53 dell-studio kernel: [ 452.789325] type=1400
audit(1345617833.396:229): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:55 dell-studio kernel: [ 454.789483] type=1400
audit(1345617835.396:230): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:57 dell-studio kernel: [ 456.789663] type=1400
audit(1345617837.397:231): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:59 dell-studio kernel: [ 458.789842] type=1400
audit(1345617839.397:232): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:01 dell-studio kernel: [ 460.790069] type=1400
audit(1345617841.398:233): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:03 dell-studio kernel: [ 462.790251] type=1400
audit(1345617843.398:234): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:05 dell-studio kernel: [ 464.790430] type=1400
audit(1345617845.398:235): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:07 dell-studio kernel: [ 466.790614] type=1400
audit(1345617847.398:236): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:09 dell-studio kernel: [ 468.790797] type=1400
audit(1345617849.398:237): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:11 dell-studio kernel: [ 470.791079] type=1400
audit(1345617851.399:238): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir

Of course, as I wrote in the past email, the sda5 which the denials are
complaining about is my / (ext4) partition.

Thank you again.


On 21/08/2012 20:03, Sven Vermeulen wrote:
> On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@gmail.com2 wrote:
>> Hello to all the list. I need your help to understand what's wrong here.
>> I tried to convert my laptop to a selinux profile (targeted) several
>> times following the documentation step by step.
> Hi F.P.
>
> First of all, thanks for trying the SELinux stuff out. I'm pretty sure we
> can help you further and fix things so that others don't get the same
> problems.
>
>> 1) it seems like some part of hardware can't be revealed in enforcing
>> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
>> statistics, newly atttached usb drives are ingored. Obviously
>> selinux-consolekit, selinux-policykit and selinux-dbus are installed.
> It is best to look at the AVC denials that come up when you launch
> pulseaudio, powerdevel etc. one by one. Providing all possible denials will
> make it much more difficult to fine-tune the problems.
>
> What I usually do to debug issues is to do:
>
> ~# tail -f /var/log/avc.log
>
> Then perform one activity (1) that doesn't work. For instance, try to play
> an MP3/OGG file which fails. Then look at the denials that came up right
> when you did that action.
>
>> 3) Logging in root with su or kdesu (in X environment) takes too long:
>> if the password I write is ok, it takes even some minute to give me the
>> root shell.
> Here too looking at the AVC denials that come up right then would be
> interesting. However, in this case it is best to also provide the output of
> "id -Z" right before you switch root, and right after.
>
> Wkr,
> Sven Vermeulen
>
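Sven's advice above is to take the denials one activity at a time, and the records in the post are the kernel's `type=1400` AVC lines wrapped across several mail lines each. As an added example (not code from the thread), the Python script below re-joins those wrapped records, groups them by access vector (source type, target type, class, permissions) and attaches a triage hint; the sample log is constructed from records posted above, and the hint rules are this example's own heuristics.

```python
"""Group SELinux AVC denials (kernel type=1400 audit records) by access
vector so that each distinct denial can be looked at on its own.

Added example for this thread, not code from the original posts.  SAMPLE_LOG
is constructed from records posted in the thread, wrapped across lines
exactly as they arrived in the mail; hint() is this example's own heuristic.
"""
import re
from collections import defaultdict

# A new kernel record starts with a syslog timestamp, host name and "kernel:";
# the following lines (until the next such start) belong to the same record.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ kernel: ")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc: +denied +\{ *([^}]*?) *\}")

SAMPLE_LOG = """\
Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
audit(1345617543.503:121): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239432] type=1400
audit(1345617567.847:123): avc: denied { search } for pid=3086
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.569518] type=1400
audit(1345617640.177:144): avc: denied { execute } for pid=3194
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
audit(1345617833.396:228): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
"""

def join_records(text):
    """Re-join line-wrapped log output into one string per kernel record."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records

def parse_avc(record):
    """Return the fields of one AVC denial, or None for any other record."""
    perms = PERMS.search(record)
    if perms is None:
        return None
    fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(record)}
    fields["perms"] = tuple(perms.group(1).split())
    # Contexts are user:role:type[:range]; policy rules are written on the type.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(text):
    """Map (source type, target type, class, perms) -> comm names seen."""
    groups = defaultdict(list)
    for record in join_records(text):
        avc = parse_avc(record)
        if avc is not None:
            key = (avc["stype"], avc["ttype"], avc["tclass"], avc["perms"])
            groups[key].append(avc.get("comm", "?"))
    return dict(groups)

def hint(key):
    """Heuristic triage note (this example's assumption, not policy advice)."""
    stype, ttype, tclass, perms = key
    if ttype in ("default_t", "unlabeled_t"):
        return "labelling: target has a fallback type, check its file context first"
    if ttype == "bin_t" and "execute" in perms:
        return "labelling: daemon binary carries generic bin_t instead of an exec type"
    return "policy: {} lacks {{ {} }} on {} ({})".format(
        stype, " ".join(perms), ttype, tclass)

def report(text):
    """One line per distinct access vector, most frequent first."""
    lines = []
    groups = summarize(text)
    for key in sorted(groups, key=lambda k: (-len(groups[k]), k)):
        stype, ttype, tclass, perms = key
        lines.append("{:>3}x {} -> {} {} {{ {} }} via {}: {}".format(
            len(groups[key]), stype, ttype, tclass, " ".join(perms),
            ",".join(sorted(set(groups[key]))), hint(key)))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the output of `tail -f /var/log/avc.log` (or the kernel log) captured while performing exactly one failing action, so each reported line corresponds to one thing to investigate.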
 
Old 08-22-2012, 07:34 AM
Hinnerk van Bruinehsen
 
Default Can't get fully functional (kde) desktop with SELinux

On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
> Hi Sven, nice to meet you again and thank you for your work in
> SELinux and for your help.
>
> I did as you suggested reading the denials step by step. Anyway I
> didn't find a way to start pulseaudio separately, but I don't think
> it's really pulseaudio related. I believe it's hardware revealing
> related because neither pulseaudio, nor kmix, nor systemsettings can see
> the audio card, they can only use the "output dummy" card.
>
> Now the step by step denials. I firstly removed the xdm initscript
> from the default runlevel and I started it manually. After starting
> xdm these were the denials:
>
<SNIP>

Hi,

you could try to kill pulseaudio (open a Konsole and use pulseaudio
-k) and restart it afterwards via pulseaudio.
It may change some AVCs, though, because I'm not sure from which
user/role/type pulseaudio is started by default.

WKR
Hinnerk
 
Old 08-22-2012, 12:01 PM
"f.p.barile@gmail.com2"
 
Default Can't get fully functional (kde) desktop with SELinux

Thank you for your help, but I already tried "pulseaudio -k" and
"pulseaudio --kill", but it didn't stop pulseaudio because ps still
showed it. Moreover when restarting pulseaudio with "pulseaudio -vv"
I read "E: [pulseaudio] pid.c: Daemon already running.".





On 22/08/2012 09:34, Hinnerk van Bruinehsen wrote:
> On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
>> Hi Sven, nice to meet you again and thank you for your work in
>> SELinux and for your help.
>>
>> I did as you suggested reading the denials step by step. Anyway I
>> didn't find a way to start pulseaudio separately, but I don't think
>> it's really pulseaudio related. I believe it's hardware revealing
>> related because neither pulseaudio, nor kmix, nor systemsettings can see
>> the audio card, they can only use the "output dummy" card.
>>
>> Now the step by step denials. I firstly removed the xdm initscript
>> from the default runlevel and I started it manually. After starting
>> xdm these were the denials:
>>
> <SNIP>
>
> Hi,
>
> you could try to kill pulseaudio (open a Konsole and use pulseaudio
> -k) and restart it afterwards via pulseaudio.
> It may change some AVCs, though, because I'm not sure from which
> user/role/type pulseaudio is started by default.
>
> WKR
> Hinnerk
 
Old 08-22-2012, 06:43 PM
Sven Vermeulen
 
Default Can't get fully functional (kde) desktop with SELinux

On Wed, Aug 22, 2012 at 09:12:52AM +0200, f.p.barile@gmail.com2 wrote:
> Now the step by step denials.
> I firstly removed the xdm initscript from the default runlevel and I
> started it manually. After starting xdm these were the denials:
>
> Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
> audit(1345617543.503:121): avc: denied { getattr } for pid=2010
> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:initrc_var_run_t tclass=dir

This first one is an interesting one to immediately look at. It seems that
the console-kit-dae(mon?) uses /run/ConsoleKit, and I guess (from the
initrc_var_run_t domain) that its init script creates it, not?

If that's indeed the case, I'll need to update the policy to reflect this,
allowing initrc_t to create /run/ConsoleKit but with a good file transition
(in this case, to consolekit_var_run_t).

Skipping a few other denials related to this, and then we get:

> Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
> audit(1345617574.393:126): avc: denied { read } for pid=3101
> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:udev_var_run_t tclass=dir

I don't know consolekit, but I assume there is some udev rule somewhere that
creates a file for consolekit?

The consolekit_t domain has the rights to read udev_tbl_t stuff (which I
find a stupid name for a domain). Where is this udev-acl.ck file located?
You can find it through its inode number (ino=1427) if you haven't rebooted
yet (since it is on a tmpfs within a *_var_run_t so very likely to be within
/run/udev somewhere).

Usually, I ignore the remainder of denials (especially if it is in
permissive mode) until I fixed the first ones, because those can be a
trigger for other behavior (and I don't want to update the policy for things
that aren't needed).

> Then I tried to start powerdevil in kde systemsettings and these were
> the denials:
>
> Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
> audit(1345618034.143:239): avc: denied { execute } for pid=5378
> comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:bin_t tclass=file

I had (still have actually) a bug open for udisks which is launched by dbus.
From what I can tell, everything dbus launches should be in its own domain
(otherwise it'll run in the permissions of system_dbusd_t, which we want to
keep as limited as they are).

So most of the remainder of the denials I'll have to ignore until we can get
a policy for it.

It looks like the devicekit policy is a match for it, but I haven't created
an ebuild for it yet. I'll do so soon (with the rev4 release) so you can
test this out.

> About the su question, before and after logging in su the context is
> unconfined_u:unconfined_r:unconfined_t, while the denials are:
>
> Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
> audit(1345617833.396:228): avc: denied { search } for pid=4358
> comm="xauth" name="root" dev="sda5" ino=1308163
> scontext=unconfined_u:unconfined_r:xauth_t
> tcontext=system_u:object_r:default_t tclass=dir

That's not good. default_t means that there is a directory not labeled
properly (most likely root's home directory). Run "rlpkg -a -r" to relabel
the entire system and see if that removes any traces of default_t (you
should never encounter default_t iirc).

Wkr,
Sven Vermeulen
 
Old 08-23-2012, 06:51 AM
Paolo Barile
 
Default Can't get fully functional (kde) desktop with SELinux

On 22/08/2012 20:43, Sven Vermeulen wrote:
> On Wed, Aug 22, 2012 at 09:12:52AM +0200, f.p.barile@gmail.com2 wrote:
>> Now the step by step denials.
>> I firstly removed the xdm initscript from the default runlevel and I
>> started it manually. After starting xdm these were the denials:
>>
>> Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
>> audit(1345617543.503:121): avc: denied { getattr } for pid=2010
>> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:initrc_var_run_t tclass=dir
> This first one is an interesting one to immediately look at. It seems that
> the console-kit-dae(mon?) uses /run/ConsoleKit, and I guess (from the
> initrc_var_run_t domain) that its init script creates it, not?
In /etc/init.d/consolekit I read "checkpath -q -d -m 0755
/var/run/ConsoleKit" and being /var/run symlinked to /run, it seems
you're right.
>
> If that's indeed the case, I'll need to update the policy to reflect this,
> allowing initrc_t to create /run/ConsoleKit but with a good file transition
> (in this case, to consolekit_var_run_t).
Excuse me for the stupid question... In that case, will consolekit_t
have rights over consolekit_var_run_t? Will it be in rev4?
>
> Skipping a few other denials related to this, and then we get:
>
>> Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
>> audit(1345617574.393:126): avc: denied { read } for pid=3101
>> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:udev_var_run_t tclass=dir
> I don't know consolekit, but I assume there is some udev rule somewhere that
> creates a file for consolekit?
>
> The consolekit_t domain has the rights to read udev_tbl_t stuff (which I
> find a stupid name for a domain). Where is this udev-acl.ck file located?
> You can find it through its inode number (ino=1427) if you haven't rebooted
> yet (since it is on a tmpfs within a *_var_run_t so very likely to be within
> /run/udev somewhere).
Searching from inode I located a folder (/run/udev/tags/udev-acl)
containing files called bXXX:X or cXXX:X, but there is no trace of any
udev-acl.ck file.

>
> Usually, I ignore the remainder of denials (especially if it is in
> permissive mode) until I fixed the first ones, because those can be a
> trigger for other behavior (and I don't want to update the policy for things
> that aren't needed).
I completely agree with you.
>
>> Then I tried to start powerdevil in kde systemsettings and these were
>> the denials:
>>
>> Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
>> audit(1345618034.143:239): avc: denied { execute } for pid=5378
>> comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
>> scontext=system_u:system_r:system_dbusd_t
>> tcontext=system_u:object_r:bin_t tclass=file
> I had (still have actually) a bug open for udisks which is launched by dbus.
> From what I can tell, everything dbus launches should be in its own domain
> (otherwise it'll run in the permissions of system_dbusd_t, which we want to
> keep as limited as they are).
>
> So most of the remainder of the denials I'll have to ignore until we can get
> a policy for it.
>
> It looks like the devicekit policy is a match for it, but I haven't created
> an ebuild for it yet. I'll do so soon (with the rev4 release) so you can
> test this out.
>
>> About the su question, before and after logging in su the context is
>> unconfined_u:unconfined_r:unconfined_t, while the denials are:
>>
>> Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
>> audit(1345617833.396:228): avc: denied { search } for pid=4358
>> comm="xauth" name="root" dev="sda5" ino=1308163
>> scontext=unconfined_u:unconfined_r:xauth_t
>> tcontext=system_u:object_r:default_t tclass=dir
> That's not good. default_t means that there is a directory not labeled
> properly (most likely root's home directory). Run "rlpkg -a -r" to relabel
> the entire system and see if that removes any traces of default_t (you
> should never encounter default_t iirc).
I tried rlpkg but /root still remains in system_u:object_r:default_t
context. Moreover in /etc/selinux/targeted/contexts/files/file_contexts
the only thing related to that folder is
"/root/.default_contexts -- system_u:object_r:default_context_t".
>
> Wkr,
> Sven Vermeulen
>
Thank you again, Sven. Paolo.
 
Old 08-25-2012, 05:00 PM
Paolo Barile
 
Default Can't get fully functional (kde) desktop with SELinux

Hi Sven, thank you for rev4, but it didn't conclusively solve my
problems. Some denials have gone, but many of them remain.

So let's see again all the step by step denials, I'll avoid redundancies.

As I boot (without starting xdm) I obtain:

Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
audit(1345917944.027:3): avc: denied { search } for pid=1433
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
audit(1345917944.706:7): avc: denied { read } for pid=1431
comm="alsactl" name="urandom" dev="tmpfs" ino=3356
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
audit(1345917944.706:9): avc: denied { read } for pid=1431
comm="alsactl" name="random" dev="tmpfs" ino=1642
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
audit(1345917944.706:11): avc: denied { getattr } for pid=1431
comm="alsactl" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
audit(1345910753.814:32): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
audit(1345910753.814:33): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
audit(1345910753.814:34): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
audit(1345910753.814:35): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes-asm)-all"
scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
audit(1345910753.820:36): avc: denied { getattr } for pid=1517
comm="cryptsetup" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
audit(1345910754.022:38): avc: denied { read } for pid=1538
comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:udev_var_run_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400
audit(1345910764.585:45): avc: denied { setrlimit } for pid=1968
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 25 18:06:05 dell-studio kernel: [ 28.235761] type=1400
audit(1345910765.120:46): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.417954] type=1400
audit(1345910765.302:47): avc: denied { read } for pid=2074
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
audit(1345910765.516:48): avc: denied { execute } for pid=2089
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.633786] type=1400
audit(1345910765.517:49): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633811] type=1400
audit(1345910765.517:50): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633842] type=1400
audit(1345910765.517:51): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
audit(1345910766.052:52): avc: denied { write } for pid=2222
comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
audit(1345910766.052:53): avc: denied { write } for pid=2222
comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.586645] type=1400
audit(1345910770.470:87): avc: denied { read } for pid=2851 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.613072] type=1400
audit(1345910770.497:88): avc: denied { read } for pid=2851
comm="wpa_cli.sh" name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.893591] type=1400
audit(1345910770.777:89): avc: denied { use } for pid=3024
comm="mount" path="/dev/null" dev="tmpfs" ino=1278
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 25 18:06:10 dell-studio kernel: [ 33.893637] type=1400
audit(1345910770.777:92): avc: denied { use } for pid=3024
comm="mount" path="socket:[5617]" dev="sockfs" ino=5617
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 25 18:06:59 dell-studio kernel: [ 83.022406] type=1400
audit(1345910819.922:97): avc: denied { search } for pid=3031
comm="login" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:59 dell-studio kernel: [ 83.068589] type=1400
audit(1345910819.969:100): avc: denied { read } for pid=1998
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 25 18:07:00 dell-studio kernel: [ 83.165783] type=1400
audit(1345910820.065:103): avc: denied { read } for pid=3046
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3175
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting kdm (with xdm initscript):
Aug 25 18:08:47 dell-studio kernel: [ 190.122045] type=1400
audit(1345910927.023:107): avc: denied { read } for pid=3054
comm="rc" name="profile.env" dev="sda5" ino=663502
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 25 18:08:55 dell-studio kernel: [ 199.069675] type=1400
audit(1345910935.970:109): avc: denied { search } for pid=3099
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir

After logging in, apart all the same mentioned above that repeat
themselves, I get a lot of:
Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
audit(1345911025.905:163): avc: denied { search } for pid=1968
comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

I hope I wrote all.
Paolo.
 
Old 08-25-2012, 05:24 PM
Sven Vermeulen
 
Default Can't get fully functional (kde) desktop with SELinux

On Sat, Aug 25, 2012 at 07:00:09PM +0200, Paolo Barile wrote:
> Hi Sven, thank you for rev4, but it didn't conclusively solve my
> problems. Some denials have gone, but many of them remain.
>
> So let's see again all the step by step denials, I'll avoid redundancies.
>
> As I boot (without starting xdm) I obtain:
>
> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
> audit(1345917944.027:3): avc: denied { search } for pid=1433
> comm="alsactl" name="root" dev="sda5" ino=1308163
> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
> tclass=dir

This says /root is default_t again. Mine says:

~ # matchpathcon /root
/root   root:object_r:user_home_dir_t

~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
/etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t

It is because /root is marked as a home directory of a user that a whole set
of contexts is generated for it. Perhaps for a targeted system this is
different, but I don't think so.

Whenever you hit a denial with file_t or default_t in it, it means there is
something awry with the contexts on the system.

You might be able to fix it by running genhomedircon (without options). It
should regenerate the file context as mentioned in my grep result above.

> Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
> audit(1345917944.706:7): avc: denied { read } for pid=1431
> comm="alsactl" name="urandom" dev="tmpfs" ino=3356
> scontext=system_u:system_r:alsa_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file

Did you enable global_ssp (or are you not running a hardened system, just
SELinux)? By enabling the global_ssp boolean, all domains get access to the
urandom_device_t chr_file:

~ # sesearch -s alsa_t -t urandom_device_t -A -C
Found 2 semantic av rules:
DT allow nsswitch_domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ authlogin_nsswitch_use_ldap ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]

> Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
> audit(1345917944.706:9): avc: denied { read } for pid=1431
> comm="alsactl" name="random" dev="tmpfs" ino=1642
> scontext=system_u:system_r:alsa_t
> tcontext=system_u:object_r:random_device_t tclass=chr_file

This one is new for me. If it is prohibiting alsa to work, we'll need to
allow this, but I think you're booting in permissive mode, so we can't know
for sure if the denial is cosmetic or not.

> Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
> audit(1345917944.706:11): avc: denied { getattr } for pid=1431
> comm="alsactl" name="/" dev="tmpfs" ino=2970
> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem

Which file system is it trying to get attributes from here?

> Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
> audit(1345910753.814:32): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
> tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
> audit(1345910753.814:33): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
> tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
> audit(1345910753.814:34): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
> tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
> audit(1345910753.814:35): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes-asm)-all"
> scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
> tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
> audit(1345910753.820:36): avc: denied { getattr } for pid=1517
> comm="cryptsetup" name="/" dev="tmpfs" ino=2970
> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem
> Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
> audit(1345910754.022:38): avc: denied { read } for pid=1538
> comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
> scontext=system_u:system_r:lvm_t
> tcontext=system_u:object_r:udev_var_run_t tclass=file
> Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400

The cryptsetup stuff might need some more updates, I only use cryptsetup for
a small encrypted partition (and not a system partition) and I have most of
the stuff in-kernel anyway, so no module requests here...

We'll need to look at this when you boot in enforcing mode, since I need the
error message(s) as well in order to update the policy.

Same is true for most of the remaining denials btw. Some of them definitely
need to be looked at in advance, like the next set, but most of them will
need to be reproduced with enforcing mode...

> audit(1345910765.120:46): avc: denied { getattr } for pid=1998
> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:initrc_var_run_t tclass=dir

Need to add in this run directory, haven't done that yet.

> Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
> audit(1345910765.516:48): avc: denied { execute } for pid=2089
> comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:policykit_exec_t tclass=file

Probably needs to be made a dbus domain.

> Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
> audit(1345910766.052:52): avc: denied { write } for pid=2222
> comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
> scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:object_r:var_lock_t tclass=file
> Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
> audit(1345910766.052:53): avc: denied { write } for pid=2222
> comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
> scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:object_r:var_lock_t tclass=file

Probably legit, but I'm not sure if I need to create an ifconfig_lock_t type
for this, or just grant it var_lock_t access. Probably the former.

> After logging in, apart all the same mentioned above that repeat
> themselves, I get a lot of:
> Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
> audit(1345911025.905:163): avc: denied { search } for pid=1968
> comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

What does the console dir contain? It's probably in /var/run/ConsoleKit
(although from your earlier denials I get the impression /var/run/ConsoleKit
is not correctly labeled, whereas in this denial it is - did you relabel the
system or some parts of it in between?).

I recommend to first work on the default_t and file_t stuff. That shouldn't
be broken. Then in the denials, look at any denials for "execute", they
almost always need to be fixed (whereas getattr/read's can often be ignored,
especially in the beginning).

Then, when booted and logged in, clear the denial log and switch to
enforcing mode and see what stuff breaks. Then look in the denial log for
the denials, and give the error messages for the broken applications.

When we fixed that, we should then look at the cryptsetup stuff, since you
need that in order to boot successfully I guess. Only then can we try to boot
in enforcing mode (once, until it boots fully).

Wkr,
Sven Vermeulen
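The working method described in this thread (look at the first denials first, fix default_t/file_t by relabeling rather than by policy, treat "execute" denials as real, defer plain getattr/read, and locate objects the kernel only names by inode with a find on the tmpfs under /run) is easy to turn into a small triage script. The one below is an added example for this page, not Sven's or Paolo's code and not a Gentoo tool. It parses kernel AVC lines, collapses repeats of the same (source type, target type, class, permissions) denial, orders the groups by what to fix first, and prints the find-by-inode command for objects reported without a path. The sample lines are copied from the denials posted in this thread; the category names, the initrc_var_run_t heuristic (a non-init domain hitting a directory the init script created, the ConsoleKit case above) and the inclusion of unlabeled_t in the mislabel set are my additions.

```python
"""AVC denial triage: dedupe, prioritise, and suggest where to look.

Added example for this thread, not code from the policy or from the
posters. Category names and the 'unlabeled_t' entry are the author's
own choices, not part of any tool.
"""
import re
from collections import OrderedDict

# Sample input, copied from denials posted earlier in this thread. The two
# console-kit-dae lines are the same denial logged twice.
SAMPLE_LOG = r'''
Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400 audit(1345910765.516:48): avc: denied { execute } for pid=2089 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.235761] type=1400 audit(1345910765.120:46): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633811] type=1400 audit(1345910765.517:50): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400 audit(1345617574.393:126): avc: denied { read } for pid=3101 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Target types that mean "relabel the file system", never "write policy".
MISLABEL_TYPES = {"default_t", "file_t", "unlabeled_t"}
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint", "transition"}
DEFERRABLE_PERMS = {"getattr", "read", "search", "open", "ioctl", "lock"}
PRIORITY = {"MISLABEL": 0, "EXECUTE": 1, "INITRC_CREATED": 2, "REVIEW": 3, "DEFER": 4}


def parse_avc(line):
    """Parse one kernel AVC line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def ctx_type(ctx):
    """Type component of a user:role:type[:range] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def classify(rec):
    """Bucket a denial the way the thread recommends working through them."""
    stype, ttype = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
    perms = set(rec["perms"])
    if ttype in MISLABEL_TYPES:
        return "MISLABEL"        # fix with restorecon/rlpkg, not with allow rules
    if perms & EXEC_PERMS:
        return "EXECUTE"         # almost always a missing domain (transition)
    if ttype == "initrc_var_run_t" and stype != "initrc_t":
        return "INITRC_CREATED"  # init script made it; needs a file transition
    if perms <= DEFERRABLE_PERMS:
        return "DEFER"           # often cosmetic; revisit once the rest is fixed
    return "REVIEW"


def locate_command(rec):
    """find(1) invocation to locate an object the kernel named only by inode."""
    if "ino" not in rec or "path" in rec:
        return None
    ttype = ctx_type(rec["tcontext"])
    if rec.get("dev") == "tmpfs" and ttype.endswith(("_var_run_t", "var_lock_t")):
        base = "/run"  # *_var_run_t on tmpfs is almost certainly under /run
    else:
        base = "<mountpoint of %s>" % rec.get("dev", "?")
    return "find %s -xdev -inum %s" % (base, rec["ino"])


def triage(log_text):
    """Group identical denials, count them, and order them by what to fix first."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
               rec.get("tclass"), tuple(sorted(rec["perms"])))
        if key not in groups:
            groups[key] = {"source": key[0], "target": key[1], "tclass": key[2],
                           "perms": list(key[3]), "comm": rec.get("comm"),
                           "count": 0, "category": classify(rec),
                           "locate": locate_command(rec)}
        groups[key]["count"] += 1
    return sorted(groups.values(), key=lambda g: PRIORITY[g["category"]])


if __name__ == "__main__":
    for g in triage(SAMPLE_LOG):
        print("%-14s x%d %s -> %s:%s %s" % (g["category"], g["count"], g["source"],
                                           g["target"], g["tclass"], g["perms"]))
        if g["locate"]:
            print("               locate with: " + g["locate"])
```

Feed it `dmesg` or `/var/log/messages` instead of SAMPLE_LOG and clear the log between steps, as Paolo did, so each run shows only the denials of the step under test. The `-xdev` on the find keeps the search on one file system, which is what an inode number is relative to; for a block device the script leaves the mount point for you to fill in, since the AVC line does not say where `sda5` is mounted.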
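To see why /root ends up default_t on Paolo's system and why Sven's matchpathcon output differs, here is a small Python approximation of matchpathcon, added as an example for this page (it is not libselinux code or any Gentoo tool), run over a constructed file_contexts excerpt: refpolicy's catch-all `/.*  system_u:object_r:default_t` (an assumption here, since the thread does not quote it; it is the first entry in kernel/files.fc), the single /root entry Paolo found in his targeted file_contexts, and the `/root -d` entry from Sven's file_contexts.homedirs. The precedence rule is simplified to "longest literal prefix wins, and on equal prefixes the later entry wins", which is what the build-time sorting of file_contexts plus libselinux's last-match lookup amount to. Without the homedirs entry nothing more specific than the catch-all matches /root, which is the default_t Paolo sees after relabeling; generating that entry is what genhomedircon is for.

```python
"""Approximate matchpathcon(1) over a file_contexts excerpt.

Added example for this thread; it is not libselinux code. Simplification
(assumption): the spec with the longest literal prefix ("stem") wins, and
among equal stems the later entry wins.
"""
import re

# Constructed excerpt. The first line is refpolicy's catch-all from
# kernel/files.fc (assumption: not quoted on the page); the second is the
# only /root-related entry Paolo found in his targeted file_contexts.
TARGETED_FC = r"""
/.*                        system_u:object_r:default_t
/root/\.default_contexts -- system_u:object_r:default_context_t
"""

# The entry Sven's strict system has in file_contexts.homedirs, which
# genhomedircon generates for each home directory.
HOMEDIRS_FC = r"""
/root -d root:object_r:user_home_dir_t
"""

FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
               "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}
META = set('^$.*+?[](){}|\\')


def stem(pattern):
    """Literal prefix of a spec, up to its first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in META:
            return pattern[:i]
    return pattern


def parse_fc(text):
    """Parse 'regex [filetype] context' lines into spec dicts, in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        pattern, context = fields[0], fields[-1]
        ftype = FTYPE_FLAGS[fields[1]] if len(fields) == 3 else None
        specs.append({"pattern": pattern, "stem": stem(pattern), "ftype": ftype,
                      "context": context,
                      "regex": re.compile("^(?:%s)$" % pattern)})
    return specs


def lookup(specs, path, obj_class="dir"):
    """Return the winning spec for path (an object of class obj_class), or None."""
    best = None
    for spec in specs:                 # later entries override on equal stems
        if spec["ftype"] and spec["ftype"] != obj_class:
            continue
        if not spec["regex"].match(path):
            continue
        if best is None or len(spec["stem"]) >= len(best["stem"]):
            best = spec
    return best


def context_for(fc_text, path, obj_class="dir"):
    """The context string path would be relabeled to under fc_text."""
    spec = lookup(parse_fc(fc_text), path, obj_class)
    return spec["context"] if spec else None


if __name__ == "__main__":
    # Paolo's situation: no homedirs entry, so /root falls through to the catch-all.
    print("/root without homedirs entry:", context_for(TARGETED_FC, "/root"))
    # Sven's situation after genhomedircon: the /root -d entry is more specific.
    print("/root with homedirs entry:   ", context_for(TARGETED_FC + HOMEDIRS_FC, "/root"))
```

The `-d` flag matters: the homedirs entry only applies to a directory, so the lookup skips it for any other object class, and a file named exactly /root would still fall to the catch-all. On a real system compare the result with `matchpathcon /root` and `ls -Zd /root`; when the two disagree, restorecon (or rlpkg -a -r) will change the label, and when the spec is missing altogether no amount of relabeling will.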
 
Old 08-26-2012, 09:57 AM
Paolo Barile
 
Default Can't get fully functional (kde) desktop with SELinux

Hello Sven, first of all, all the denials I wrote here are from
enforcing mode.

On 25/08/2012 19:24, Sven Vermeulen wrote:
> On Sat, Aug 25, 2012 at 07:00:09PM +0200, Paolo Barile wrote:
>> Hi Sven, thank you for rev4, but it didn't conclusively solve my
>> problems. Some denials have gone, but many of them remain.
>>
>> So let's see again all the step by step denials, I'll avoid redundancies.
>>
>> As I boot (without starting xdm) I obtain:
>>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
>> audit(1345917944.027:3): avc: denied { search } for pid=1433
>> comm="alsactl" name="root" dev="sda5" ino=1308163
>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
>> tclass=dir
> This says /root is default_t again. Mine says:
>
> ~ # matchpathcon /root
> /root   root:object_r:user_home_dir_t
>
> ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
> /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t

The same gives me nothing.

>
> It is because /root is marked as a home directory of a user that a whole set
> of contexts is generated for it. Perhaps for a targeted system this is
> different, but I don't think so.
>
> Whenever you hit a denial with file_t or default_t in it, it means there is
> something awry with the contexts on the system.
>
> You might be able to fix it by running genhomedircon (without options). It
> should regenerate the file context as mentioned in my grep result above.
genhomedircon doesn't change anything.

>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
>> audit(1345917944.706:7): avc: denied { read } for pid=1431
>> comm="alsactl" name="urandom" dev="tmpfs" ino=3356
>> scontext=system_u:system_r:alsa_t
>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> Did you enable global_ssp (or are you not running a hardened system, just
> SELinux)? By enabling the global_ssp boolean, all domains get access to the
> urandom_device_t chr_file:
>
> ~ # sesearch -s alsa_t -t urandom_device_t -A -C
> Found 2 semantic av rules:
> DT allow nsswitch_domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ authlogin_nsswitch_use_ldap ]
> ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
No, it isn't. I did not enable it because I'm still not in hardened,
because I want to let selinux completely work before the conversion.

>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
>> audit(1345917944.706:9): avc: denied { read } for pid=1431
>> comm="alsactl" name="random" dev="tmpfs" ino=1642
>> scontext=system_u:system_r:alsa_t
>> tcontext=system_u:object_r:random_device_t tclass=chr_file
> This one is new for me. If it is prohibiting alsa to work, we'll need to
> allow this, but I think you're booting in permissive mode, so we can't know
> for sure if the denial is cosmetic or not.
As I wrote, everything is already in enforcing mode.
>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
>> audit(1345917944.706:11): avc: denied { getattr } for pid=1431
>> comm="alsactl" name="/" dev="tmpfs" ino=2970
>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
>> tclass=filesystem
> Which file system is it trying to get attributes from here?
>
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
>> audit(1345910753.814:32): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
>> tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
>> audit(1345910753.814:33): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
>> tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
>> audit(1345910753.814:34): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
>> tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
>> audit(1345910753.814:35): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes-asm)-all"
>> scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
>> tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
>> audit(1345910753.820:36): avc: denied { getattr } for pid=1517
>> comm="cryptsetup" name="/" dev="tmpfs" ino=2970
>> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
>> tclass=filesystem
>> Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
>> audit(1345910754.022:38): avc: denied { read } for pid=1538
>> comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
>> scontext=system_u:system_r:lvm_t
>> tcontext=system_u:object_r:udev_var_run_t tclass=file
>> Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400
> The cryptsetup stuff might need some more updates, I only use cryptsetup for
> a small encrypted partition (and not a system partition) and I have most of
> the stuff in-kernel anyway, so no module requests here...
>
> We'll need to look at this when you boot in enforcing mode, since I need the
> error message(s) as well in order to update the policy.
>
> Same is true for most of the remaining denials btw. Some of them definitely
> need to be looked at in advance, like the next set, but most of them will
> need to be reproduced with enforcing mode...
>
>> audit(1345910765.120:46): avc: denied { getattr } for pid=1998
>> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:initrc_var_run_t tclass=dir
> Need to add in this run directory, haven't done that yet.
>
>> Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
>> audit(1345910765.516:48): avc: denied { execute } for pid=2089
>> comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
>> scontext=system_u:system_r:system_dbusd_t
>> tcontext=system_u:object_r:policykit_exec_t tclass=file
> Probably needs to be made a dbus domain.
>
>> Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
>> audit(1345910766.052:52): avc: denied { write } for pid=2222
>> comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
>> scontext=system_u:system_r:ifconfig_t
>> tcontext=system_u:object_r:var_lock_t tclass=file
>> Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
>> audit(1345910766.052:53): avc: denied { write } for pid=2222
>> comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
>> scontext=system_u:system_r:ifconfig_t
>> tcontext=system_u:object_r:var_lock_t tclass=file
> Probably legit, but I'm not sure if I need to create an ifconfig_lock_t type
> for this, or just grant in var_lock_t access. Probably the former.
>
>> After logging in, apart all the same mentioned above that repeat
>> themselves, I get a lot of:
>> Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
>> audit(1345911025.905:163): avc: denied { search } for pid=1968
>> comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
>> scontext=system_u:system_r:system_dbusd_t
>> tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
> What does the console dir contain? It's probably in /var/run/ConsoleKit
> (although from your earlier denials I get the impression /var/run/ConsoleKit
> is not correctly labeled, whereas in this denial it is - did you relabel the
> system or some parts of it in between?).

The console dir is outside ConsoleKit:

drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 80 26 ago 11.32 ConsoleKit
drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 60 26 ago 11.32 console

It contains... nothing!

Anyway a restorecon -R /run changed contexts inside it:

drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 80 26 ago 11.32 ConsoleKit
drwxr-xr-x. 2 root root system_u:object_r:pam_var_console_t 60 26 ago 11.32 console

Of course after the policies upgrade I relabeled the whole system
(twice!)... But since /run is a tmpfs dir, and since its contexts
are wrong, should I use the initramfs approach (restorecon before
switching to enforcing)?


>
> I recommend to first work on the default_t and file_t stuff. That shouldn't
> be broken. Then in the denials, look at any denials for "execute", they
> almost always need to be fixed (whereas getattr/read's can often be ignored,
> especially in the beginning).
>
> Then, when booted and logged in, clear the denial log and switch to
> enforcing mode and see what stuff breaks. Then look in the denial log for
> the denials, and give the error messages for the broken applications.
It's exactly what I did in the previous email: after every step I
cleared the log file.
>
> When we fixed that, we should then look at the cryptsetup stuff, since you
> need that in order to boot successfully I guess. Only then can we try to boot
> in enforcing mode (once, until it boots fully).
>
> Wkr,
> Sven Vermeulen
>
Thank you again Sven. Paolo.
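Sven's advice above (fix default_t/file_t labeling first, then "execute" denials, and treat getattr/read as noise early on) is easy to apply by hand to a handful of denials, but a permissive-mode boot plus a KDE login produces hundreds. The following Python script is an added example for this thread, not code from either poster or from the Gentoo Hardened project: it parses kernel-log AVC lines, collapses identical denials and orders them in that priority. The sample log lines are constructed from the shapes of the denials quoted in the thread (real kernel lines are single lines; the mail client wrapped the ones above), and the final default_t line is made up to show the top priority case. It is deliberately a triage aid only, not an audit2allow replacement: an unlabeled target means the file system needs relabeling, not a new allow rule.

```python
"""SELinux AVC denial triage (added example; not from the thread).

Parses kernel-log AVC lines, groups identical denials and orders them the
way the thread suggests working: unlabeled targets (default_t/file_t) first,
then "execute" denials, then everything else, with plain getattr/read last.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "nothing labeled this": relabel, never allow.
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}
# Permissions the thread treats as low-priority noise in the beginning.
NOISY_PERMS = {"getattr", "read"}


@dataclass(frozen=True)
class Denial:
    perms: tuple   # e.g. ("execute",)
    comm: str      # process name
    target: str    # path= or name= of the object
    dev: str       # backing device, e.g. tmpfs for /run
    stype: str     # source (subject) type, e.g. system_dbusd_t
    ttype: str     # target (object) type, e.g. policykit_exec_t
    tclass: str    # object class: file, dir, ...


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str):
    """Parse one log line; return a Denial, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        target=fields.get("path") or fields.get("name", "?"),
        dev=fields.get("dev", "?"),
        stype=type_of(fields.get("scontext", "?")),
        ttype=type_of(fields.get("tcontext", "?")),
        tclass=fields.get("tclass", "?"),
    )


def priority(d: Denial) -> int:
    """Lower is more urgent; mirrors the order of work suggested in the thread."""
    if d.ttype in UNLABELED_TYPES:
        return 0   # mislabeled file system: restorecon, do not write policy
    if "execute" in d.perms:
        return 1   # execute denials almost always break something
    if set(d.perms) <= NOISY_PERMS:
        return 3   # getattr/read: often ignorable at first
    return 2


def triage(lines):
    """Group identical denials and sort them by (priority, most frequent first)."""
    denials = [d for d in map(parse_avc, lines) if d is not None]
    key = lambda d: (d.stype, d.ttype, d.tclass, d.perms)
    counts = Counter(key(d) for d in denials)
    first = {}
    for d in denials:
        first.setdefault(key(d), d)   # keep one example per group
    rows = [{"priority": priority(first[k]), "count": n, "stype": k[0],
             "ttype": k[1], "tclass": k[2], "perms": k[3],
             "comm": first[k].comm, "target": first[k].target, "dev": first[k].dev}
            for k, n in counts.items()]
    rows.sort(key=lambda r: (r["priority"], -r["count"], r["stype"], r["ttype"]))
    return rows


def report(lines) -> str:
    """One line per denial group, highest priority first."""
    return "\n".join(
        f"P{r['priority']} x{r['count']:<3} {r['stype']} -> {r['ttype']} "
        f"({r['tclass']}: {' '.join(r['perms'])})  e.g. {r['comm']} on "
        f"{r['target']} [{r['dev']}]"
        for r in triage(lines))


# Constructed sample: single-line versions of denials shaped like the ones
# quoted in the thread, plus one made-up default_t hit and one non-AVC line.
SAMPLE_LOG = """\
Aug 25 18:06:05 host kernel: [ 28.632129] type=1400 audit(1345910765.516:48): avc: denied { execute } for pid=2089 comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 host kernel: [ 27.701565] type=1400 audit(1345910765.120:46): avc: denied { getattr } for pid=1998 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:06 host kernel: [ 29.168487] type=1400 audit(1345910766.052:52): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:06 host kernel: [ 29.168499] type=1400 audit(1345910766.052:53): avc: denied { write } for pid=2222 comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:10:25 host kernel: [ 289.004361] type=1400 audit(1345911025.905:163): avc: denied { search } for pid=1968 comm="dbus-daemon" name="console" dev="tmpfs" ino=5945 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 25 18:10:30 host kernel: [ 294.000000] type=1400 audit(1345911030.000:170): avc: denied { read } for pid=2300 comm="kdeinit4" path="/opt/example/data" dev="sda5" ino=1 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:default_t tclass=file
Aug 25 18:10:31 host kernel: [ 295.000000] usb 1-1: new high-speed USB device number 4
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it against `dmesg` or `/var/log/messages` output after clearing the log and reproducing one step, as the thread recommends; the `dev` column makes the tmpfs cases (anything under /run) stand out, which is exactly where a restorecon at boot rather than a policy change is the likely fix.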