Gentoo Archives: gentoo-hardened

From: Paolo Barile <f.p.barile@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux
Date: Wed, 29 Aug 2012 18:02:28
Message-Id: 503E44F7.4060900@gmail.com
In Reply to: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux by Sven Vermeulen
On 28/08/2012 19:27, Sven Vermeulen wrote:
> On Mon, Aug 27, 2012 at 08:28:20PM +0200, Paolo Barile wrote:
>> Well I only had a policykit crash window. But it disappeared when,
>> following your suggestion, I've made a rule with audit2allow only on
>> the execute denials. But even with that rule the problems of audio card
>> and powerdevil weren't solved.
> [...]
>
> Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
> you to try out (you can use audit2allow but I'm not sure yet if the result
> is correct or not).
Thank you very much. As for your question about error messages, I
noticed that starting kmix from shell gives me:

QDBusConnection: session D-Bus connection created before
QCoreApplication. Application may misbehave.

And kmix doesn't start.
>
>>> What does "semanage login -l" say?
>> Semanage login -l outputs only:
>> __default__ unconfined_u
>> system_u system_u
>>
>> Anyway I think that I "solved" this problem (probably it's rather a
>> workaround) using the context you wrote: "semanage fcontext -a -t
>> user_home_dir_t /root". In fact the su delay disappeared.
> Looks like we need to declare the root user for unconfined_u anyhow. You
> might want to run the following to do so:
>
> ~# semanage login -a -s unconfined_u root
>
> It seems that genhomedircon (well, it's now part of the semodule command but
> the genhomedircon command still works) only looks at users with a UID of 500
> and more. By not explicitly declaring root as an interactive user, the tools
> just ignore it (and as a result don't generate the proper contexts).
>
> If you do that, then genhomedircon and then look at the output of the
> following command again, I hope you get enough output?
>
> ~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs
Oh well, even too much perhaps now! ;) I mean it contains strings like:

/root/\.mozilla(/.*)? unconfined_u:object_r:mozilla_home_t

But I don't know why the root user should have rights for X
applications. Is that normal? If so, I think we can consider it solved!

Do you suggest mapping the other users to unconfined_u too? I'm asking
because I noticed a slowness in opening folders (in X) for the first
time after the login.

>
>> There is one more problem. As I wrote in the previous mail two folders
>> in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
>> the mislabeling was solved by using the script for the initramfs users
>> (of course adding restorecon -R /run). But I couldn't relabel permanently
>> the second dir. I think it's because it belongs to pam, so perhaps it is
>> created after a login, but the script runs before it. Am I right?
> Sounds probable. We'll need to figure out what is creating the console
> directory. From the label (consolekit_var_run_t) I imagine it is something
> of ConsoleKit.
>
> I can probably create a named file transition for this. The ConsoleKit stuff
> is acknowledged already, perhaps the /run/console is solved with something
> like the following?
>
> #v+
> policy_module(localconsolekit, 1.0)
>
> gen_require(`
> type pam_var_console_t;
> type consolekit_t;
> ')
>
> files_pid_filetrans(consolekit_t, pam_var_console_t, dir, "console")
> #v-
>
> This basically says that, if a domain "consolekit_t" creates a
> dir(ectory) with name "console" in a location with label var_run_t ("pid"),
> then that directory would be labeled "pam_var_console_t" immediately.
>
> It is possible however that consolekit_t doesn't hold the rights to do so,
> so you might need to add in:
>
> #v+
> create_dirs_pattern(consolekit_t, pam_var_console_t, pam_var_console_t)
> #v-
>
> Thanks for your patience on this so far ;-)
>
> Wkr,
> Sven Vermeulen
>
Well, thanks to you for yours!
Anyway with that module (but the create_dirs_pattern rule is necessary),
the /run/console situation is solved too.

Now let me try to summarize all the denials I have at this point.

On boot I have:

Aug 29 18:07:34 dell-studio kernel: [ 8.446914] type=1400
audit(1346263638.445:4): avc: denied { getattr } for pid=1454
comm="alsactl" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [ 8.446939] type=1400
audit(1346263638.445:5): avc: denied { write } for pid=1454
comm="alsactl" name="shm" dev="tmpfs" ino=1124
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.446947] type=1400
audit(1346263638.445:6): avc: denied { add_name } for pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.446963] type=1400
audit(1346263638.445:7): avc: denied { create } for pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.446976] type=1400
audit(1346263638.445:8): avc: denied { read write open } for pid=1454
comm="alsactl" name="pulse-shm-688087777" dev="tmpfs" ino=3801
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.466988] type=1400
audit(1346263638.465:9): avc: denied { remove_name } for pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.467011] type=1400
audit(1346263638.465:10): avc: denied { unlink } for pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.984725] type=1400
audit(1346256440.202:11): avc: denied { getattr } for pid=1538
comm="cryptsetup" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [ 14.683311] type=1400
audit(1346256445.900:15): avc: denied { module_request } for pid=1543
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 29 18:07:34 dell-studio kernel: [ 23.000643] type=1400
audit(1346256454.217:16): avc: denied { setrlimit } for pid=2008
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 29 18:07:34 dell-studio kernel: [ 23.230831] type=1400
audit(1346256454.447:17): avc: denied { read } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.230847] type=1400
audit(1346256454.447:18): avc: denied { open } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.230869] type=1400
audit(1346256454.447:19): avc: denied { getattr } for pid=2024
comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev="sda7"
ino=73732 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.240312] type=1400
audit(1346256454.457:20): avc: denied { unlink } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.593562] type=1400
audit(1346256454.810:21): avc: denied { getattr } for pid=2038
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593583] type=1400
audit(1346256454.810:22): avc: denied { search } for pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593600] type=1400
audit(1346256454.810:23): avc: denied { write } for pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593608] type=1400
audit(1346256454.810:24): avc: denied { add_name } for pid=2038
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:40 dell-studio kernel: [ 29.589769] type=1400
audit(1346256460.806:49): avc: denied { read } for pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [ 29.589778] type=1400
audit(1346256460.806:50): avc: denied { open } for pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [ 29.589797] type=1400
audit(1346256460.806:51): avc: denied { getattr } for pid=2782
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:41 dell-studio kernel: [ 29.823183] type=1400
audit(1346256461.040:52): avc: denied { read write } for pid=2826
comm="ifconfig" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 29 18:07:41 dell-studio kernel: [ 30.120105] type=1400
audit(1346256461.337:53): avc: denied { use } for pid=2955
comm="mount" path="/dev/null" dev="tmpfs" ino=1122
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 29 18:07:41 dell-studio kernel: [ 30.120124] type=1400
audit(1346256461.337:54): avc: denied { read write } for pid=2955
comm="mount" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=unix_dgram_socket
Aug 29 18:09:04 dell-studio kernel: [ 112.791995] type=1400
audit(1346256544.031:56): avc: denied { read } for pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400
audit(1346256544.115:57): avc: denied { read } for pid=3066
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting xdm:

Aug 29 18:09:34 dell-studio kernel: [ 142.834237] type=1400
audit(1346256574.075:58): avc: denied { read } for pid=3073 comm="rc"
name="profile.env" dev="sda5" ino=663084
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 29 18:09:40 dell-studio kernel: [ 149.431140] type=1400
audit(1346256580.672:59): avc: denied { read } for pid=3118
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:09:46 dell-studio kernel: [ 154.930603] type=1400
audit(1346256586.170:60): avc: denied { read } for pid=3133
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

And after the login:

Aug 29 18:10:04 dell-studio kernel: [ 173.755581] type=1400
audit(1346256604.995:65): avc: denied { read } for pid=3140
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:10:09 dell-studio kernel: [ 177.817507] type=1400
audit(1346256609.057:66): avc: denied { read } for pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:10:14 dell-studio kernel: [ 182.951425] type=1400
audit(1346256614.192:68): avc: denied { getattr } for pid=3236
comm="udisks-daemon" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_disk_t
tcontext=system_u:object_r:fs_t tclass=filesystem
Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400
audit(1346256614.546:69): avc: denied { getattr } for pid=3233
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400
audit(1346256614.558:70): avc: denied { getattr } for pid=3252
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400
audit(1346256614.957:71): avc: denied { getattr } for pid=3276
comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400
audit(1346256614.961:72): avc: denied { write } for pid=3281
comm="mkdir" name="/" dev="tmpfs" ino=1059
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 29 18:10:41 dell-studio kernel: [ 210.642364] type=1400
audit(1346256641.883:73): avc: denied { search } for pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:11:55 dell-studio kernel: [ 283.944883] type=1400
audit(1346256715.185:76): avc: denied { read } for pid=3540
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:12:01 dell-studio kernel: [ 290.394892] type=1400
audit(1346256721.635:77): avc: denied { search } for pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:12:06 dell-studio kernel: [ 295.059511] type=1400
audit(1346256726.300:78): avc: denied { read } for pid=3574
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:20:01 dell-studio kernel: [ 769.954898] type=1400
audit(1346257201.195:80): avc: denied { read open } for pid=6070
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [ 769.954945] type=1400
audit(1346257201.195:81): avc: denied { getattr } for pid=6070
comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [ 769.957780] type=1400
audit(1346257201.198:83): avc: denied { read } for pid=6071
comm="sendmail"
path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429
dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
Aug 29 18:20:15 dell-studio kernel: [ 784.092973] type=1400
audit(1346257215.333:84): avc: denied { getattr } for pid=3227
comm="upowerd" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:fs_t tclass=filesystem

Thank you again for following me.
Paolo.
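Editor's note (not part of the thread): the denial list above is the kind of input one would normally feed to audit2allow, and Sven's caveat earlier in the thread ("I'm not sure yet if the result is correct") is the important one. Several of these denials (alsactl against device_t in /dev/shm, ConsoleKit against initrc_var_run_t, upower against var_run_t) are against generic catch-all types, which usually means the object is mislabeled and the right fix is a file context or a named file transition like the localconsolekit module Sven drafted, not a new allow rule. The script below, written for this page and not taken from audit2allow or the thread, parses AVC lines, merges permissions per (source type, target type, class) the way audit2allow does, decodes the hex-encoded path= field (the sendmail line above is hex because the path contains a space), and flags rules whose target type is in an editorial list of generic types. The sample input is a constructed subset of the denials quoted in the mail, re-joined to one line each; the GENERIC_TARGET_TYPES set is an assumption of this example, not something the reference policy defines.

```python
"""Summarize SELinux AVC denials into candidate allow rules (audit2allow-style)
and flag the ones that point at a probable mislabel instead of a missing rule.
Added example; the sample lines are constructed from the mail's own denials."""
import re
from collections import defaultdict

# Constructed sample: a subset of the denials in the mail, unwrapped to one line each.
SAMPLE_AVC = """\
type=1400 audit(1346263638.445:5): avc: denied { write } for pid=1454 comm="alsactl" name="shm" dev="tmpfs" ino=1124 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
type=1400 audit(1346263638.445:8): avc: denied { read write open } for pid=1454 comm="alsactl" name="pulse-shm-688087777" dev="tmpfs" ino=3801 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=file
type=1400 audit(1346256454.810:21): avc: denied { getattr } for pid=2038 comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5404 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1346256454.810:22): avc: denied { search } for pid=2038 comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:initrc_var_run_t tclass=dir
type=1400 audit(1346256445.900:15): avc: denied { module_request } for pid=1543 comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system
type=1400 audit(1346257201.198:83): avc: denied { read } for pid=6071 comm="sendmail" path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429 dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:crond_tmp_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')

# Fields the audit subsystem emits unquoted and hex-encoded when the value
# contains a space, a double quote or a control character.
ENCODED_FIELDS = {"name", "path", "comm", "cwd", "proctitle"}

# Editorial heuristic (assumption of this example, not reference-policy data):
# a confined daemon rarely needs a generic type legitimately; a denial against
# one of these usually means the object carries the wrong label.
GENERIC_TARGET_TYPES = {"device_t", "tmpfs_t", "var_run_t", "initrc_var_run_t",
                        "var_lib_t", "var_t", "etc_t"}


def decode_audit_field(name, value):
    """Strip quotes, or hex-decode the field if the kernel encoded it."""
    if value.startswith('"'):
        return value[1:-1]
    if name in ENCODED_FIELDS and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return a dict of the AVC fields plus a 'perms' set, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: decode_audit_field(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def summarize(lines):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def is_generic_target(ttype):
    return ttype in GENERIC_TARGET_TYPES


def render_rules(summary):
    """Emit allow rules; precede suspect ones with a comment pointing at relabeling."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        if is_generic_target(ttype):
            out.append(f"# {ttype} is a generic type: check the object's label "
                       f"(restorecon / semanage fcontext / filetrans) before allowing")
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    for rule in render_rules(summarize(SAMPLE_AVC.splitlines())):
        print(rule)
```

Run it on `dmesg` or `/var/log/audit/audit.log` output (`dmesg | python avc_summary.py` after swapping SAMPLE_AVC for `sys.stdin`); the flagged rules are the ones to treat as labeling bugs, the unflagged ones (for example lvm_t requesting the cbc(aes) module from kernel_t) are candidates for a real allow rule in a local module.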
