On 28/08/2012 19:27, Sven Vermeulen wrote:
> On Mon, Aug 27, 2012 at 08:28:20PM +0200, Paolo Barile wrote:
>> Well, I only had a policykit crash window. But it disappeared when,
>> following your suggestion, I've made a rule with audit2allow only on
>> the execute denials. But even with that rule the problems of audio card
>> and powerdevil weren't solved.
> [...]
>
> Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
> you to try out (you can use audit2allow but I'm not sure yet if the result
> is correct or not).

Thank you very much. As for your question about error messages, I
noticed that starting kmix from shell gives me:

QDBusConnection: session D-Bus connection created before
QCoreApplication. Application may misbehave.

And kmix doesn't start.

>
>>> What does "semanage login -l" say?
>> Semanage login -l outputs only:
>> __default__ unconfined_u
>> system_u system_u
>>
>> Anyway I think that I "solved" this problem (probably it's rather a
>> workaround) using the context you wrote: "semanage fcontext -a -t
>> user_home_dir_t /root". In fact the su delay disappeared.
> Looks like we need to declare the root user for unconfined_u anyhow. You
> might want to run the following to do so:
>
> ~# semanage login -a -s unconfined_u root
>
> It seems that genhomedircon (well, it's now part of the semodule command but
> the genhomedircon command still works) only looks at users with a UID of 500
> and more. By not explicitly declaring root as an interactive user, the tools
> just ignore it (and as a result don't generate the proper contexts).
>
> If you do that, then genhomedircon and then look at the output of the
> following command again, I hope you get enough output?
>
> ~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs

Oh well, even too much perhaps now! ;) I mean it contains strings like:

/root/\.mozilla(/.*)? unconfined_u:object_r:mozilla_home_t

But I don't know why the root user should have rights for X
applications. Is that normal? If so, I think we can consider it solved!

Do you suggest mapping the other users to unconfined_u too? I'm asking
because I noticed a slowness in opening folders (in X) for the first
time after the login.

>
>> There is one more problem. As I wrote in the previous mail two folders
>> in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
>> the mislabeling was solved by using the script for the initramfs users
>> (of course adding restorecon -R /run). But I couldn't relabel permanently
>> the second dir. I think it's because it belongs to pam, so perhaps it is
>> created after a login, but the script runs before it. Am I right?
> Sounds probable. We'll need to figure out what is creating the console
> directory. From the label (consolekit_var_run_t) I imagine it is something
> of ConsoleKit.
>
> I can probably create a named file transition for this. The ConsoleKit stuff
> is acknowledged already, perhaps the /run/console is solved with something
> like the following?
>
> #v+
> policy_module(localconsolekit, 1.0)
>
> gen_require(`
> type pam_var_console_t;
> type consolekit_t;
> ')
>
> files_pid_filetrans(consolekit_t, pam_var_console_t, dir, "console")
> #v-
>
> This basically says that, if a domain "consolekit_t" creates a
> dir(ectory) with name "console" in a location with label var_run_t ("pid"),
> then that directory would be labeled "pam_var_console_t" immediately.
>
> It is possible however that consolekit_t doesn't hold the rights to do so,
> so you might need to add in:
>
> #v+
> create_dirs_pattern(consolekit_t, pam_var_console_t, pam_var_console_t)
> #v-
>
> Thanks for your patience on this so far ;-)
>
> Wkr,
> Sven Vermeulen
>

Well, thanks to you for yours!
Anyway with that module (but the create_dirs_pattern rule is necessary),
the /run/console situation is solved too.

Now let's try to summarize all the denials I have at this point.

On boot I have:

Aug 29 18:07:34 dell-studio kernel: [ 8.446914] type=1400
audit(1346263638.445:4): avc: denied { getattr } for pid=1454
comm="alsactl" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [ 8.446939] type=1400
audit(1346263638.445:5): avc: denied { write } for pid=1454
comm="alsactl" name="shm" dev="tmpfs" ino=1124
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.446947] type=1400
audit(1346263638.445:6): avc: denied { add_name } for pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.446963] type=1400
audit(1346263638.445:7): avc: denied { create } for pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.446976] type=1400
audit(1346263638.445:8): avc: denied { read write open } for pid=1454
comm="alsactl" name="pulse-shm-688087777" dev="tmpfs" ino=3801
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.466988] type=1400
audit(1346263638.465:9): avc: denied { remove_name } for pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.467011] type=1400
audit(1346263638.465:10): avc: denied { unlink } for pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.984725] type=1400
audit(1346256440.202:11): avc: denied { getattr } for pid=1538
comm="cryptsetup" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [ 14.683311] type=1400
audit(1346256445.900:15): avc: denied { module_request } for pid=1543
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 29 18:07:34 dell-studio kernel: [ 23.000643] type=1400
audit(1346256454.217:16): avc: denied { setrlimit } for pid=2008
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 29 18:07:34 dell-studio kernel: [ 23.230831] type=1400
audit(1346256454.447:17): avc: denied { read } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.230847] type=1400
audit(1346256454.447:18): avc: denied { open } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.230869] type=1400
audit(1346256454.447:19): avc: denied { getattr } for pid=2024
comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev="sda7"
ino=73732 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.240312] type=1400
audit(1346256454.457:20): avc: denied { unlink } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.593562] type=1400
audit(1346256454.810:21): avc: denied { getattr } for pid=2038
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593583] type=1400
audit(1346256454.810:22): avc: denied { search } for pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593600] type=1400
audit(1346256454.810:23): avc: denied { write } for pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593608] type=1400
audit(1346256454.810:24): avc: denied { add_name } for pid=2038
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:40 dell-studio kernel: [ 29.589769] type=1400
audit(1346256460.806:49): avc: denied { read } for pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [ 29.589778] type=1400
audit(1346256460.806:50): avc: denied { open } for pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [ 29.589797] type=1400
audit(1346256460.806:51): avc: denied { getattr } for pid=2782
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:41 dell-studio kernel: [ 29.823183] type=1400
audit(1346256461.040:52): avc: denied { read write } for pid=2826
comm="ifconfig" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 29 18:07:41 dell-studio kernel: [ 30.120105] type=1400
audit(1346256461.337:53): avc: denied { use } for pid=2955
comm="mount" path="/dev/null" dev="tmpfs" ino=1122
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 29 18:07:41 dell-studio kernel: [ 30.120124] type=1400
audit(1346256461.337:54): avc: denied { read write } for pid=2955
comm="mount" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=unix_dgram_socket
Aug 29 18:09:04 dell-studio kernel: [ 112.791995] type=1400
audit(1346256544.031:56): avc: denied { read } for pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400
audit(1346256544.115:57): avc: denied { read } for pid=3066
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting xdm:

Aug 29 18:09:34 dell-studio kernel: [ 142.834237] type=1400
audit(1346256574.075:58): avc: denied { read } for pid=3073 comm="rc"
name="profile.env" dev="sda5" ino=663084
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 29 18:09:40 dell-studio kernel: [ 149.431140] type=1400
audit(1346256580.672:59): avc: denied { read } for pid=3118
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:09:46 dell-studio kernel: [ 154.930603] type=1400
audit(1346256586.170:60): avc: denied { read } for pid=3133
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

And after the login:

Aug 29 18:10:04 dell-studio kernel: [ 173.755581] type=1400
audit(1346256604.995:65): avc: denied { read } for pid=3140
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:10:09 dell-studio kernel: [ 177.817507] type=1400
audit(1346256609.057:66): avc: denied { read } for pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:10:14 dell-studio kernel: [ 182.951425] type=1400
audit(1346256614.192:68): avc: denied { getattr } for pid=3236
comm="udisks-daemon" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_disk_t
tcontext=system_u:object_r:fs_t tclass=filesystem
Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400
audit(1346256614.546:69): avc: denied { getattr } for pid=3233
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400
audit(1346256614.558:70): avc: denied { getattr } for pid=3252
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400
audit(1346256614.957:71): avc: denied { getattr } for pid=3276
comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400
audit(1346256614.961:72): avc: denied { write } for pid=3281
comm="mkdir" name="/" dev="tmpfs" ino=1059
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 29 18:10:41 dell-studio kernel: [ 210.642364] type=1400
audit(1346256641.883:73): avc: denied { search } for pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:11:55 dell-studio kernel: [ 283.944883] type=1400
audit(1346256715.185:76): avc: denied { read } for pid=3540
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:12:01 dell-studio kernel: [ 290.394892] type=1400
audit(1346256721.635:77): avc: denied { search } for pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:12:06 dell-studio kernel: [ 295.059511] type=1400
audit(1346256726.300:78): avc: denied { read } for pid=3574
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:20:01 dell-studio kernel: [ 769.954898] type=1400
audit(1346257201.195:80): avc: denied { read open } for pid=6070
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [ 769.954945] type=1400
audit(1346257201.195:81): avc: denied { getattr } for pid=6070
comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [ 769.957780] type=1400
audit(1346257201.198:83): avc: denied { read } for pid=6071
comm="sendmail"
path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429
dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
Aug 29 18:20:15 dell-studio kernel: [ 784.092973] type=1400
audit(1346257215.333:84): avc: denied { getattr } for pid=3227
comm="upowerd" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:fs_t tclass=filesystem

Thank you again for following me.
Paolo.
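The denial summary Paolo does by hand above, as an added example that is not part of this thread: a small Python parser for the kernel's type=1400 AVC lines that groups them by (source type, target type, object class) the way audit2allow does, decodes the hex-encoded path in the sendmail denial (audit emits hex when a name holds a space or other special byte), and renders the candidate allow rules. The sample is four records from the thread re-joined onto single lines; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted above, each re-joined onto
# one line as the kernel logs them. The last carries a hex-encoded path, which
# the audit subsystem emits when a name contains a space or other special byte.
SAMPLE_AVCS = """\
Aug 29 18:07:34 dell-studio kernel: [ 8.446976] type=1400 audit(1346263638.445:8): avc: denied { read write open } for pid=1454 comm="alsactl" name="pulse-shm-688087777" dev="tmpfs" ino=3801 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.446947] type=1400 audit(1346263638.445:6): avc: denied { add_name } for pid=1454 comm="alsactl" name="pulse-shm-688087777" scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.466988] type=1400 audit(1346263638.465:9): avc: denied { remove_name } for pid=1456 comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t tclass=dir
Aug 29 18:20:01 dell-studio kernel: [ 769.957780] type=1400 audit(1346257201.198:83): avc: denied { read } for pid=6071 comm="sendmail" path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429 dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:crond_tmp_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("name", "path") and HEX_RE.fullmatch(val):
            # Unquoted hex is the audit encoding of a name with special bytes.
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec

def type_of(context):
    """system_u:system_r:alsa_t -> alsa_t (the type is the third field)."""
    return context.split(":")[2]

def summarize(lines):
    """Group denials the way audit2allow does: (source type, target type,
    object class) -> the union of the permissions denied on that triple."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def as_allow_rules(summary):
    """Render each triple as the allow rule that would silence it. As the thread
    notes, such a rule is a starting point to review, not necessarily the fix."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]
```

Run `as_allow_rules(summarize(SAMPLE_AVCS.splitlines()))` to see the three rules; the decoded sendmail path is a deleted cron spool file under /tmp, which is why it was not quoted verbatim in the log.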