On Wed, Aug 29, 2012 at 06:36:07PM +0200, Paolo Barile wrote:
> Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400
> audit(1346256544.115:57): avc: denied { read } for pid=3066
> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:udev_var_run_t tclass=dir

This one is biting me a bit. Could you try labeling udev-acl.ck (wherever it
is) as udev_exec_t and see if that helps?

The udev-acl.ck code tries to iterate over devices, setting the proper
access controls. This is most likely what is causing your USB disks to not
show up (properly). However, I'm not very fond of allowing consolekit_t to
do this if this is a udev-task (and more specifically, udev-acl.c (the
source code) uses a lot of udev related methods for this).

The alternative (if we don't run it as udev) is to allow all possible rights
on consolekit, but I think that'll be a lot more than reading the directory
(as this is just the first step).

> Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400
> audit(1346256614.546:69): avc: denied { getattr } for pid=3233
> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
> Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400
> audit(1346256614.558:70): avc: denied { getattr } for pid=3252
> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
> Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400
> audit(1346256614.957:71): avc: denied { getattr } for pid=3276
> comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
> Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400
> audit(1346256614.961:72): avc: denied { write } for pid=3281
> comm="mkdir" name="/" dev="tmpfs" ino=1059
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:var_run_t tclass=dir
[...]

This one we need to work out further. I'm okay with allowing
devicekit_power_t to get the attributes of apm_bios_t, but for some reason I
don't think that'll be enough.

Care to add in something like:

#v+
policy_module(localdevicekit, 1.0)

gen_require(`
type devicekit_power_t;
')

dev_getattr_apm_bios_dev(devicekit_power_t)
#v-

and then see what happens next? If it wants to read or write to it, add in:

#v+
dev_rw_apm_bios(devicekit_power_t)
#v-

For the rest, I've put in quite a few changes in the policy for the other
denials shown earlier. They will definitely be in revision 5, but if you
know how to work with live ebuilds, you can use the SELinux live ebuilds as
well (since the changes are in the policy repository).

An overview of all changes:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=summary

Wkr,
Sven Vermeulen
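Added example, not part of the mail or of the hardened-refpolicy project: a small Python script that parses AVC denial lines like the ones quoted above (re-assembled onto one line each as constructed sample input) and groups them by source type, target type and object class. That triple plus the permission set is what you look up a refpolicy interface for, e.g. devicekit_power_t -> apm_bios_t chr_file { getattr } is what dev_getattr_apm_bios_dev() covers in the reply. The parser and its field names are my own; only the record format is taken from the kernel lines above.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the mail, one kernel record per
# line as the kernel actually emits them (the mail client wrapped them).
SAMPLE_LOG = """\
Aug 29 18:09:04 dell-studio kernel: [  112.875933] type=1400 audit(1346256544.115:57): avc:  denied  { read } for  pid=3066 comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:10:14 dell-studio kernel: [  183.307019] type=1400 audit(1346256614.546:69): avc:  denied  { getattr } for  pid=3233 comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438 scontext=system_u:system_r:devicekit_power_t tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [  183.318766] type=1400 audit(1346256614.558:70): avc:  denied  { getattr } for  pid=3252 comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438 scontext=system_u:system_r:devicekit_power_t tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [  183.717762] type=1400 audit(1346256614.957:71): avc:  denied  { getattr } for  pid=3276 comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438 scontext=system_u:system_r:devicekit_power_t tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [  183.721637] type=1400 audit(1346256614.961:72): avc:  denied  { write } for  pid=3281 comm="mkdir" name="/" dev="tmpfs" ino=1059 scontext=system_u:system_r:devicekit_power_t tcontext=system_u:object_r:var_run_t tclass=dir
"""

# "avc:  denied  { perm perm } for  key=val key="quoted val" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # The type is the third component of user:role:type[:range].
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(log):
    """Group denials by (source type, target type, class) -> perms, comms, count."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec.get('comm', '?'))
        g['count'] += 1
    return {k: {'perms': sorted(v['perms']), 'comms': sorted(v['comms']),
                'count': v['count']} for k, v in groups.items()}

if __name__ == '__main__':
    for (stype, ttype, tclass), g in summarize(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype} ({tclass}): {{ {' '.join(g['perms'])} }}"
              f"  [{g['count']}x via {', '.join(g['comms'])}]")
```

Each output line is one interface lookup: the three denials on /dev/snapshot collapse into a single devicekit_power_t/apm_bios_t/chr_file entry, and the comm list shows which helper programs triggered it.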