| 1 |
On Wed, Aug 29, 2012 at 06:36:07PM +0200, Paolo Barile wrote: |
| 2 |
> Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400 |
| 3 |
> audit(1346256544.115:57): avc: denied { read } for pid=3066 |
| 4 |
> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219 |
| 5 |
> scontext=system_u:system_r:consolekit_t |
| 6 |
> tcontext=system_u:object_r:udev_var_run_t tclass=dir |
| 7 |
|
| 8 |
This one is biting me a bit. Could you try labeling udev-acl.ck (wherever it |
| 9 |
is) as udev_exec_t and see if that helps? |
| 10 |
|
| 11 |
The udev-acl.ck code tries to iterate over devices, setting the proper |
| 12 |
access controls. This is most likely what is causing your USB disks to not |
| 13 |
show up (properly). However, I'm not very fond of allowing consolekit_t to |
| 14 |
do this if this is a udev-task (and more specifically, udev-acl.c (the |
| 15 |
source cde) uses a lot of udev related methods for this. |
| 16 |
|
| 17 |
The alternative (if we don't run it as udev) is to allow all possible rights |
| 18 |
on consolekit, but I think that'll be a lot more than reading the directory |
| 19 |
(as this is just the first step). |
| 20 |
|
| 21 |
> Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400 |
| 22 |
> audit(1346256614.546:69): avc: denied { getattr } for pid=3233 |
| 23 |
> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438 |
| 24 |
> scontext=system_u:system_r:devicekit_power_t |
| 25 |
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file |
| 26 |
> Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400 |
| 27 |
> audit(1346256614.558:70): avc: denied { getattr } for pid=3252 |
| 28 |
> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438 |
| 29 |
> scontext=system_u:system_r:devicekit_power_t |
| 30 |
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file |
| 31 |
> Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400 |
| 32 |
> audit(1346256614.957:71): avc: denied { getattr } for pid=3276 |
| 33 |
> comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438 |
| 34 |
> scontext=system_u:system_r:devicekit_power_t |
| 35 |
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file |
| 36 |
> Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400 |
| 37 |
> audit(1346256614.961:72): avc: denied { write } for pid=3281 |
| 38 |
> comm="mkdir" name="/" dev="tmpfs" ino=1059 |
| 39 |
> scontext=system_u:system_r:devicekit_power_t |
| 40 |
> tcontext=system_u:object_r:var_run_t tclass=dir |
| 41 |
[...] |
| 42 |
|
| 43 |
This one we need to work out further. I'm okay with allowing |
| 44 |
devicekit_power_t to get the attributes of apm_bios_t, but for some reason I |
| 45 |
don't think that'll be enough. |
| 46 |
|
| 47 |
Care to add in something like: |
| 48 |
|
| 49 |
#v+ |
| 50 |
policy_module(localdevicekit, 1.0) |
| 51 |
|
| 52 |
gen_require(` |
| 53 |
type devicekit_power_t; |
| 54 |
') |
| 55 |
|
| 56 |
dev_getattr_apm_bios_dev(devicekit_power_t) |
| 57 |
#v- |
| 58 |
|
| 59 |
and then see what happens next? If it wants to read or write to it, add in: |
| 60 |
|
| 61 |
#v+ |
| 62 |
dev_rw_apm_bios(devicekit_power_t) |
| 63 |
#v- |
| 64 |
|
| 65 |
For the rest, I've put in quite a few changes in the policy for the other |
| 66 |
denials shown earlier. They will definitely be in revision 5, but if you |
| 67 |
know how to work with live ebuilds, you can use the SELinux live ebuilds as |
| 68 |
well (since the changes are in the policy repository). |
| 69 |
|
| 70 |
An overview of all changes: |
| 71 |
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=summary |
| 72 |
|
| 73 |
Wkr, |
| 74 |
Sven Vermeulen |
Archives