| 1 |
On 27/08/2012 19:38, Sven Vermeulen wrote: |
| 2 |
> On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote: |
| 3 |
>> Hello Sven, first of all, all the denials I wrote here are from |
| 4 |
>> enforcing mode. |
| 5 |
> Oh that's good then. Would you also happen to get any failures from the |
| 6 |
> applications themselves (or error messages you get)? |
| 7 |
> |
| 8 |
> Or, in other words, why shouldn't I just dontaudit everything ;) |
| 9 |
> |
| 10 |
> Getting the error messages is a very important and often misunderstood part. |
| 11 |
> It helps identify the reason why something needs to be allowed (since for |
| 12 |
> SELinux policies, we have several interfaces that allow something, but |
| 13 |
> depending on the reason why it needs to be allowed, we might need to use a |
| 14 |
> different interface) and also document the problem so the fix is easier to |
| 15 |
> submit upstream. |
| 16 |
Well I only had a policykit crash window. But It disappeared when, |
| 17 |
following your suggestion, I've made a rule with audit2allow only on |
| 18 |
the execute denials. But even with that rule the problems of audio card |
| 19 |
and powerdevil weren't solved. |
| 20 |
This is the rule: |
| 21 |
require { |
| 22 |
type policykit_exec_t; |
| 23 |
type bin_t; |
| 24 |
type crond_t; |
| 25 |
type system_dbusd_t; |
| 26 |
class file { execute execute_no_trans }; |
| 27 |
} |
| 28 |
|
| 29 |
#============= crond_t ============== |
| 30 |
allow crond_t bin_t:file { execute execute_no_trans }; |
| 31 |
|
| 32 |
#============= system_dbusd_t ============== |
| 33 |
allow system_dbusd_t policykit_exec_t:file execute; |
| 34 |
|
| 35 |
> |
| 36 |
>>>> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 |
| 37 |
>>>> audit(1345917944.027:3): avc: denied { search } for pid=1433 |
| 38 |
>>>> comm="alsactl" name="root" dev="sda5" ino=1308163 |
| 39 |
>>>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t |
| 40 |
>>>> tclass=dir |
| 41 |
>>> This sais /root is default_t again. Mine sais: |
| 42 |
>>> |
| 43 |
>>> ~ # matchpathcon /root |
| 44 |
>>> /root root:object_r:user_home_dir_t |
| 45 |
>>> |
| 46 |
>>> ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t |
| 47 |
>>> /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t |
| 48 |
>> The same gives me nothing. |
| 49 |
> You'll need to change the directory from strict to targeted in your case. |
| 50 |
> |
| 51 |
> The root users' home directory should definitely be mentioned here (just |
| 52 |
> checked on a targeted system at work). Is the root user mapped to a |
| 53 |
> particular SELinux user? |
| 54 |
> |
| 55 |
> What does "semanage login -l" say? |
| 56 |
Semanage login -l outputs only: |
| 57 |
__default__ unconfined_u |
| 58 |
system_u system_u |
| 59 |
|
| 60 |
Anyway I think that I "solved" this problem (probably it's rather a |
| 61 |
workaround) using the context you wrote: "semanage fcontext -a -t |
| 62 |
user_home_dir_t /root". In fact the su delay disappeared. |
| 63 |
|
| 64 |
> |
| 65 |
> [... Allowing global_ssp to allow domains access to urandom ...] |
| 66 |
>> No, it isn't. I did not enabled it because I'm still not in hardened |
| 67 |
>> because I'd want let selinux comletely work before the conversion. |
| 68 |
> That's okay. At least we now know that the domain probably needs it. Do you |
| 69 |
> only get the denials or also an error? |
| 70 |
> |
| 71 |
> Wkr, |
| 72 |
> Sven Vermeulen |
| 73 |
> |
| 74 |
Well, no, all what is related to alsactl is (perhaps) the fact that kde |
| 75 |
can't see my audio card. |
| 76 |
|
| 77 |
There is one more problem. As I wrote in the previous mail two folders |
| 78 |
in /run are mislabeled: /run/ConsoleKit and /run/console. For the first, |
| 79 |
the mislabeling was solved by using the script for the initramfs users |
| 80 |
(of course addin restorecon -R /run). But I couldn't relabel permanently |
| 81 |
the second dir. I think it's because it belongs to pam, so perhaps it is |
| 82 |
created after a login, but the script runs before it. Am I right? |
| 83 |
So how can it be solved? Why every boot mislabels these two directories? |
| 84 |
I think that if we solve it then we can try to summarize the denials I |
| 85 |
have at this point. |
| 86 |
|
| 87 |
Paolo. |
Archives