Gentoo Archives: gentoo-hardened

From: Paolo Barile <f.p.barile@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux
Date: Sat, 25 Aug 2012 18:02:34
Message-Id: 50390499.2050305@gmail.com
In Reply to: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux by Sven Vermeulen
Hi Sven, thank you for rev4, but it didn't conclusively solve my
problems. Some denials have gone, but many of them remain.

So let's see again all the denials step by step; I'll avoid redundancies.

As I boot (without starting xdm) I obtain:

Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
audit(1345917944.027:3): avc: denied { search } for pid=1433
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
audit(1345917944.706:7): avc: denied { read } for pid=1431
comm="alsactl" name="urandom" dev="tmpfs" ino=3356
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
audit(1345917944.706:9): avc: denied { read } for pid=1431
comm="alsactl" name="random" dev="tmpfs" ino=1642
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
audit(1345917944.706:11): avc: denied { getattr } for pid=1431
comm="alsactl" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
audit(1345910753.814:32): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
audit(1345910753.814:33): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
audit(1345910753.814:34): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
audit(1345910753.814:35): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes-asm)-all"
scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
audit(1345910753.820:36): avc: denied { getattr } for pid=1517
comm="cryptsetup" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
audit(1345910754.022:38): avc: denied { read } for pid=1538
comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:udev_var_run_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400
audit(1345910764.585:45): avc: denied { setrlimit } for pid=1968
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 25 18:06:05 dell-studio kernel: [ 28.235761] type=1400
audit(1345910765.120:46): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.417954] type=1400
audit(1345910765.302:47): avc: denied { read } for pid=2074
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
audit(1345910765.516:48): avc: denied { execute } for pid=2089
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.633786] type=1400
audit(1345910765.517:49): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633811] type=1400
audit(1345910765.517:50): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633842] type=1400
audit(1345910765.517:51): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
audit(1345910766.052:52): avc: denied { write } for pid=2222
comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
audit(1345910766.052:53): avc: denied { write } for pid=2222
comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.586645] type=1400
audit(1345910770.470:87): avc: denied { read } for pid=2851 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.613072] type=1400
audit(1345910770.497:88): avc: denied { read } for pid=2851
comm="wpa_cli.sh" name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.893591] type=1400
audit(1345910770.777:89): avc: denied { use } for pid=3024
comm="mount" path="/dev/null" dev="tmpfs" ino=1278
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 25 18:06:10 dell-studio kernel: [ 33.893637] type=1400
audit(1345910770.777:92): avc: denied { use } for pid=3024
comm="mount" path="socket:[5617]" dev="sockfs" ino=5617
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 25 18:06:59 dell-studio kernel: [ 83.022406] type=1400
audit(1345910819.922:97): avc: denied { search } for pid=3031
comm="login" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:59 dell-studio kernel: [ 83.068589] type=1400
audit(1345910819.969:100): avc: denied { read } for pid=1998
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 25 18:07:00 dell-studio kernel: [ 83.165783] type=1400
audit(1345910820.065:103): avc: denied { read } for pid=3046
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3175
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting kdm (with the xdm initscript):
Aug 25 18:08:47 dell-studio kernel: [ 190.122045] type=1400
audit(1345910927.023:107): avc: denied { read } for pid=3054
comm="rc" name="profile.env" dev="sda5" ino=663502
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 25 18:08:55 dell-studio kernel: [ 199.069675] type=1400
audit(1345910935.970:109): avc: denied { search } for pid=3099
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir

After logging in, apart from all the ones mentioned above, which repeat
themselves, I get a lot of:
Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
audit(1345911025.905:163): avc: denied { search } for pid=1968
comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

I hope I wrote all.
Paolo.
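Reading a dump like the one above by hand is error-prone, so here is an added example (my own code, not from this thread or from Gentoo's SELinux tooling) that re-joins the mail-wrapped AVC records and groups them by source domain, target type and object class, the way a first audit2allow-style triage pass would. The sample records are copied from the post; the regexes assume the kernel/syslog prefix and `avc: denied { perms } for ... tclass=` layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample: three of the wrapped AVC records quoted in the post above.
SAMPLE_LOG = """\
Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
audit(1345917944.027:3): avc: denied { search } for pid=1433
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633811] type=1400
audit(1345910765.517:50): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633842] type=1400
audit(1345910765.517:51): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
"""

# A record starts at the syslog prefix; wrapped continuation lines belong to it.
RECORD_START = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ kernel: ", re.M)
AVC = re.compile(r"avc: +denied +\{ ([^}]*) \} for (.*?) tclass=(\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap_records(text):
    """Re-join records that the mail client wrapped over several lines."""
    return [" ".join(c.split()) for c in RECORD_START.split(text) if c.strip()]

def parse_avc(record):
    """Return the key=value fields of one denial plus its permission set, or None."""
    m = AVC.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    fields["perms"] = frozenset(m.group(1).split())
    fields["tclass"] = m.group(3)
    return fields

def summarize(text):
    """Group denials by (source domain, target type, class) and union their perms."""
    out = defaultdict(lambda: {"count": 0, "perms": set()})
    for d in filter(None, map(parse_avc, unwrap_records(text))):
        key = (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"])
        out[key]["count"] += 1
        out[key]["perms"] |= d["perms"]
    return dict(out)
```

Calling `summarize(SAMPLE_LOG)` collapses the two console-kit-dae records into one `(consolekit_t, initrc_var_run_t, dir)` entry needing `{ search getattr }`, which is the unit you then check against the policy (or against a mislabelled path) rather than 20 individual lines.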
