Gentoo Archives: gentoo-hardened

From: "f.p.barile@×××××.com2" <f.p.barile@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux
Date: Wed, 22 Aug 2012 09:02:40
Message-Id: 50348674.2010704@gmail.com
In Reply to: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux by Sven Vermeulen
Hi Sven, nice to meet you again and thank you for your work on SELinux
and for your help.

I did as you suggested, reading the denials step by step. Anyway, I didn't
find a way to start pulseaudio separately, but I don't think it's really
pulseaudio related. I believe it's hardware-revealing related because
neither pulseaudio, nor kmix, nor systemsettings can see the audio card;
they can only use the "output dummy" card.

Now the step by step denials.
I first removed the xdm initscript from the default runlevel and
started it manually. After starting xdm these were the denials:

Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
audit(1345617543.503:121): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.237204] type=1400
audit(1345617567.845:122): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239432] type=1400
audit(1345617567.847:123): avc: denied { search } for pid=3086
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239574] type=1400
audit(1345617567.847:124): avc: denied { read } for pid=3086
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.781500] type=1400
audit(1345617574.389:125): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
audit(1345617574.393:126): avc: denied { read } for pid=3101
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After logging in to kdm I read:

Aug 22 08:40:04 dell-studio kernel: [ 223.565209] type=1400
audit(1345617604.173:127): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.166311] type=1400
audit(1345617606.774:128): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172123] type=1400
audit(1345617606.780:129): avc: denied { search } for pid=3106
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172508] type=1400
audit(1345617606.780:130): avc: denied { read } for pid=3106
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.411908] type=1400
audit(1345617615.019:131): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.415286] type=1400
audit(1345617615.023:132): avc: denied { read } for pid=3109
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.639780] type=1400
audit(1345617634.247:133): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645402] type=1400
audit(1345617634.253:134): avc: denied { search } for pid=3111
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645790] type=1400
audit(1345617634.253:135): avc: denied { read } for pid=3111
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527065] type=1400
audit(1345617635.135:136): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527789] type=1400
audit(1345617635.135:137): avc: denied { read } for pid=2010
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 22 08:40:35 dell-studio kernel: [ 254.530276] type=1400
audit(1345617635.138:138): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.535883] type=1400
audit(1345617635.143:139): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.537701] type=1400
audit(1345617635.145:140): avc: denied { read } for pid=3121
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.550398] type=1400
audit(1345617636.158:141): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.554058] type=1400
audit(1345617636.162:142): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.566581] type=1400
audit(1345617640.174:143): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.569518] type=1400
audit(1345617640.177:144): avc: denied { execute } for pid=3194
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.572229] type=1400
audit(1345617640.180:145): avc: denied { execute } for pid=3197
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.574665] type=1400
audit(1345617640.182:146): avc: denied { execute } for pid=3199
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.577151] type=1400
audit(1345617640.185:147): avc: denied { execute } for pid=3201
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.579385] type=1400
audit(1345617640.187:148): avc: denied { execute } for pid=3203
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.581693] type=1400
audit(1345617640.189:149): avc: denied { execute } for pid=3205
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.583959] type=1400
audit(1345617640.191:150): avc: denied { execute } for pid=3207
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 260.191675] type=1400
audit(1345617640.799:151): avc: denied { execmem } for pid=3214
comm="kwin_opengl_tes" scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 22 08:40:44 dell-studio kernel: [ 263.474683] type=1400
audit(1345617644.082:152): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.731494] type=1400
audit(1345617657.339:162): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.733813] type=1400
audit(1345617657.341:163): avc: denied { execute } for pid=3284
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.736414] type=1400
audit(1345617657.344:164): avc: denied { execute } for pid=3286
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.738821] type=1400
audit(1345617657.346:165): avc: denied { execute } for pid=3288
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.741286] type=1400
audit(1345617657.349:166): avc: denied { execute } for pid=3290
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.743700] type=1400
audit(1345617657.351:167): avc: denied { execute } for pid=3292
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.745985] type=1400
audit(1345617657.353:168): avc: denied { execute } for pid=3294
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.491022] type=1400
audit(1345617658.099:169): avc: denied { execute } for pid=3309
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.493490] type=1400
audit(1345617658.101:170): avc: denied { execute } for pid=3311
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.495741] type=1400
audit(1345617658.103:171): avc: denied { execute } for pid=3313
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.169479] type=1400
audit(1345617663.776:178): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:03 dell-studio kernel: [ 283.171841] type=1400
audit(1345617663.778:179): avc: denied { execute } for pid=3343
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.174291] type=1400
audit(1345617663.781:180): avc: denied { execute } for pid=3345
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.176853] type=1400
audit(1345617663.783:181): avc: denied { execute } for pid=3347
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.179307] type=1400
audit(1345617663.786:182): avc: denied { execute } for pid=3349
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:04 dell-studio kernel: [ 283.549112] type=1400
audit(1345617664.156:183): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:04 dell-studio kernel: [ 283.880610] type=1400
audit(1345617664.487:184): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:06 dell-studio kernel: [ 285.409187] type=1400
audit(1345617666.016:185): avc: denied { execute } for pid=3391
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.412221] type=1400
audit(1345617666.019:186): avc: denied { execute } for pid=3393
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.415310] type=1400
audit(1345617666.022:187): avc: denied { execute } for pid=3396
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:08 dell-studio kernel: [ 288.179455] type=1400
audit(1345617668.786:219): avc: denied { execute } for pid=3516
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:41:37 dell-studio kernel: [ 317.293037] type=1400
audit(1345617697.900:220): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296511] type=1400
audit(1345617697.904:221): avc: denied { search } for pid=3666
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296674] type=1400
audit(1345617697.904:222): avc: denied { read } for pid=3666
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296710] type=1400
audit(1345617697.904:223): avc: denied { read } for pid=3666
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

Then I tried to start powerdevil in kde systemsettings and these were
the denials:

Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
audit(1345618034.143:239): avc: denied { execute } for pid=5378
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.538755] type=1400
audit(1345618034.146:240): avc: denied { execute } for pid=5380
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.542123] type=1400
audit(1345618034.150:241): avc: denied { execute } for pid=5382
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.545562] type=1400
audit(1345618034.153:242): avc: denied { execute } for pid=5385
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.550155] type=1400
audit(1345618034.158:243): avc: denied { execute } for pid=5387
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.553430] type=1400
audit(1345618034.161:244): avc: denied { execute } for pid=5389
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.680410] type=1400
audit(1345618034.288:245): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:47:14 dell-studio kernel: [ 653.683357] type=1400
audit(1345618034.291:246): avc: denied { execute } for pid=5393
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.718026] type=1400
audit(1345618036.325:247): avc: denied { execute } for pid=5407
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.724292] type=1400
audit(1345618036.332:248): avc: denied { execute } for pid=5409
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file


About the su question, before and after logging in with su the context is
unconfined_u:unconfined_r:unconfined_t, while the denials are:

Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
audit(1345617833.396:228): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:53 dell-studio kernel: [ 452.789325] type=1400
audit(1345617833.396:229): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:55 dell-studio kernel: [ 454.789483] type=1400
audit(1345617835.396:230): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:57 dell-studio kernel: [ 456.789663] type=1400
audit(1345617837.397:231): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:59 dell-studio kernel: [ 458.789842] type=1400
audit(1345617839.397:232): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:01 dell-studio kernel: [ 460.790069] type=1400
audit(1345617841.398:233): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:03 dell-studio kernel: [ 462.790251] type=1400
audit(1345617843.398:234): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:05 dell-studio kernel: [ 464.790430] type=1400
audit(1345617845.398:235): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:07 dell-studio kernel: [ 466.790614] type=1400
audit(1345617847.398:236): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:09 dell-studio kernel: [ 468.790797] type=1400
audit(1345617849.398:237): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:11 dell-studio kernel: [ 470.791079] type=1400
audit(1345617851.399:238): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir

Of course, as I wrote in the previous email, the sda5 that the denials are
complaining about is my / (ext4) partition.

Thank you again.


On 21/08/2012 20:03, Sven Vermeulen wrote:
> On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@×××××.com2 wrote:
>> Hello to all the list. I need your help to understand what's wrong here.
>> I tried to convert my laptop to a selinux profile (targeted) several
>> times following the documentation step by step.
> Hi F.P.
>
> First of all, thanks for trying the SELinux stuff out. I'm pretty sure we
> can help you further and fix things so that others don't get the same
> problems.
>
>> 1) it seems like some part of hardware can't be revealed in enforcing
>> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
>> statistics, newly attached usb drives are ignored. Obviously
>> selinux-consolekit, selinux-policykit and selinux-dbus are installed.
> It is best to look at the AVC denials that come up when you launch
> pulseaudio, powerdevil etc. one by one. Providing all possible denials will
> make it much more difficult to fine-tune the problems.
>
> What I usually do to debug issues is to do:
>
> ~# tail -f /var/log/avc.log
>
> Then perform one activity (1) that doesn't work. For instance, try to play
> an MP3/OGG file which fails. Then look at the denials that came up right
> when you did that action.
>
>> 3) Logging in root with su or kdesu (in X environment) takes too long:
>> if the password I write is ok, it takes even some minute to give me the
>> root shell.
> Here too, looking at the AVC denials that come up right then would be
> interesting. However, in this case it is best to also provide the output of
> "id -Z" right before you switch root, and right after.
>
> Wkr,
> Sven Vermeulen
>
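As an added example (not part of this mail or of Sven's reply), the following Python collapses a dump like the ones above into one row per (source domain, target type, class, permission), after re-joining the kernel lines that the list archive wraps over several lines; the same wall of denials then reads as three or four distinct policy gaps rather than hundreds of lines. The sample input is a handful of records copied from this mail, and all function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# One kernel-ring AVC record as in the mail, once unwrapped. Everything
# after "for " is a run of key=value fields (pid, comm, name/path, dev,
# ino, scontext, tcontext, tclass).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Each record starts with the syslog timestamp ("Aug 22 08:39:03 ...").
START_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# Constructed sample input: four records copied from the mail above, still
# wrapped the way the list archive shows them.
SAMPLE = """
Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
audit(1345617543.503:121): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239432] type=1400
audit(1345617567.847:123): avc: denied { search } for pid=3086
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.569518] type=1400
audit(1345617640.177:144): avc: denied { execute } for pid=3194
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.572229] type=1400
audit(1345617640.180:145): avc: denied { execute } for pid=3197
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
"""


def unwrap(text):
    """Join wrapped archive lines back into one record per kernel line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return {'perms': (...), 'pid': ..., 'scontext': ...} or None if not a denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def triage(text):
    """Group denials by (source domain, target type, class, permission).

    Returns (count, sdom, ttype, tclass, perm, names) rows, noisiest first,
    where names are the objects (name= or path=) hit under that key.
    """
    counts = Counter()
    names = defaultdict(set)
    for record in unwrap(text):
        rec = parse_avc(record)
        if rec is None:
            continue
        # A context is user:role:type[:level]; the type is what policy keys on.
        sdom = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            key = (sdom, ttype, rec["tclass"], perm)
            counts[key] += 1
            names[key].add(rec.get("name") or rec.get("path") or "?")
    rows = [(n, *key, tuple(sorted(names[key]))) for key, n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1:5]))


if __name__ == "__main__":
    for count, sdom, ttype, tclass, perm, objs in triage(SAMPLE):
        print(f"{count:4d}  {sdom} -> {ttype} ({tclass}) {perm}  [{', '.join(objs)}]")
```

Feeding it the full dump (or `/var/log/avc.log`) groups the repeated upowerd/udisks-daemon execute denials under a single system_dbusd_t -> bin_t row, which is the kind of entry to look at first: the daemon is reached through a generic bin_t label rather than a type of its own.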
