Gentoo Archives: gentoo-hardened

From: Paolo Barile <f.p.barile@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux
Date: Fri, 31 Aug 2012 18:02:30
Message-Id: 5040F31A.5080408@gmail.com
In Reply to: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux by Sven Vermeulen
I tried the live ebuilds and something changed, but the problems didn't
go away.
Except for the ever-present alsactl denials, I have these related to cryptsetup:

Aug 31 17:48:56 dell-studio kernel: [ 10.300271] type=1400
audit(1346428122.197:11): avc: denied { getattr } for pid=1540
comm="cryptsetup" name="/" dev="tmpfs" ino=1149
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 31 17:48:56 dell-studio kernel: [ 10.315780] type=1400
audit(1346428122.212:12): avc: denied { read } for pid=1540
comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=1876
scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:udev_var_run_t tclass=file

The following for syslog-ng:

Aug 31 17:48:56 dell-studio kernel: [ 23.588852] type=1400
audit(1346428135.485:15): avc: denied { read } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.588861] type=1400
audit(1346428135.485:16): avc: denied { open } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.588878] type=1400
audit(1346428135.485:17): avc: denied { getattr } for pid=2013
comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev="sda7"
ino=73729 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.597238] type=1400
audit(1346428135.494:18): avc: denied { unlink } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file


Again consolekit with policykit:

Aug 31 17:48:56 dell-studio kernel: [ 23.872708] type=1400
audit(1346428135.769:19): avc: denied { read } for pid=2101
comm="console-kit-dae" name="udev-acl.ck" dev="sda5" ino=1057310
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_exec_t tclass=lnk_file
Aug 31 17:48:56 dell-studio kernel: [ 24.322689] type=1400
audit(1346428136.219:24): avc: denied { execute_no_trans } for
pid=2119 comm="dbus-daemon-lau" path="/usr/libexec/polkitd" dev="sda5"
ino=922900 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 31 17:50:21 dell-studio kernel: [ 110.007624] type=1400
audit(1346428221.949:50): avc: denied { search } for pid=2119
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=4520
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 31 17:51:41 dell-studio kernel: [ 189.862655] type=1400
audit(1346428301.804:52): avc: denied { search } for pid=2119
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=4520
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir


Dbus:

Aug 31 17:48:56 dell-studio kernel: [ 24.322653] type=1400
audit(1346428136.219:23): avc: denied { read open } for pid=2119
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 24.322689] type=1400
audit(1346428136.219:24): avc: denied { execute_no_trans } for
pid=2119 comm="dbus-daemon-lau" path="/usr/libexec/polkitd" dev="sda5"
ino=922900 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file

Devicekit:

Aug 31 17:49:54 dell-studio kernel: [ 82.473330] type=1400
audit(1346428194.371:44): avc: denied { getattr } for pid=3187
comm="udisks-daemon" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_disk_t
tcontext=system_u:object_r:fs_t tclass=filesystem
Aug 31 17:49:55 dell-studio kernel: [ 83.242850] type=1400
audit(1346428195.140:45): avc: denied { write } for pid=3232
comm="mkdir" name="/" dev="tmpfs" ino=1115
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 31 17:59:55 dell-studio kernel: [ 683.103378] type=1400
audit(1346428795.045:56): avc: denied { getattr } for pid=3178
comm="upowerd" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:fs_t tclass=filesystem


Cron:

Aug 31 17:48:56 dell-studio kernel: [ 23.951130] type=1400
audit(1346428135.848:20): avc: denied { read } for pid=2102
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.951145] type=1400
audit(1346428135.848:21): avc: denied { open } for pid=2102
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.951170] type=1400
audit(1346428135.848:22): avc: denied { getattr } for pid=2102
comm="crond" path="/var/spool/cron/crontabs/root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 89.975499] type=1400
audit(1346428201.873:46): avc: denied { read open } for pid=3248
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 89.975545] type=1400
audit(1346428201.873:47): avc: denied { getattr } for pid=3248
comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 90.006658] type=1400
audit(1346428201.905:49): avc: denied { read } for pid=3249
comm="sendmail"
path=2F746D702F63726F6E2E6F384F6E336F2F63726F6E2E726F6F742E33323437202864656C6574656429
dev="sda5" ino=2229313 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
Aug 31 17:59:01 dell-studio kernel: [ 629.136631] type=1400
audit(1346428741.078:53): avc: denied { getattr } for pid=5838
comm="sh" path="/bin/rm" dev="sda5" ino=1700617
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file

Thank you.
Paolo.
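Triaging a dump like the one above by hand is error-prone: the mail client has wrapped each audit record over several lines, the sendmail denial carries a hex-encoded path (audit encodes any string field containing a space or quote that way), and the same source/target pair shows up several times with different permissions. The script below is an added example, not code from the original post or from the Gentoo hardened project, and uses only the Python standard library. It reassembles the wrapped records, decodes the hex field, collapses the denials into audit2allow-style `allow` statements, and separately flags denials whose target type is `file_t` or `unlabeled_t`, because those mean the file has no label and the fix is `restorecon` rather than a policy rule. The sample input is a handful of records copied from the post; nothing here contacts a live audit log.

```python
"""Summarise SELinux AVC denials pasted into a mailing-list post.

Added example (not code from the original post or from the Gentoo hardened
project); standard library only.
"""
import re
from collections import defaultdict

# Records copied verbatim from the post (crond, cryptsetup, syslog-ng and
# sendmail), including the line wrapping the mail client introduced.
SAMPLE = """\
Aug 31 17:48:56 dell-studio kernel: [ 23.951130] type=1400
audit(1346428135.848:20): avc: denied { read } for pid=2102
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 10.300271] type=1400
audit(1346428122.197:11): avc: denied { getattr } for pid=1540
comm="cryptsetup" name="/" dev="tmpfs" ino=1149
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 31 17:48:56 dell-studio kernel: [ 23.588852] type=1400
audit(1346428135.485:15): avc: denied { read } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.588861] type=1400
audit(1346428135.485:16): avc: denied { open } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 90.006658] type=1400
audit(1346428201.905:49): avc: denied { read } for pid=3249
comm="sendmail"
path=2F746D702F63726F6E2E6F384F6E336F2F63726F6E2E726F6F742E33323437202864656C6574656429
dev="sda5" ino=2229313 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# audit hex-encodes string fields that contain spaces or quotes (e.g. a
# "... (deleted)" path) instead of quoting them. Numeric fields such as
# ino= or pid= are never encoded, so only these keys are ever decoded.
HEX_ENCODED_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd'}

# A target of one of these types has no label: the remedy is relabelling
# (restorecon / a file context entry), not an allow rule.
UNLABELED_TYPES = {'file_t', 'unlabeled_t'}


def reassemble_records(lines):
    """Glue wrapped continuation lines back onto their record.
    A new record starts at a line containing 'type=1400' (the AVC type)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if 'type=1400' in line or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def decode_audit_value(key, raw):
    """Strip quotes from quoted values; hex-decode encoded string fields."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 \
            and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_avc(record):
    """Return the denied permissions and key=value fields, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {key: decode_audit_value(key, raw)
              for key, raw in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = set(m.group('perms').split())
    return fields


def parse_records(lines):
    return [avc for avc in map(parse_avc, reassemble_records(lines)) if avc]


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def summarise(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for avc in parse_records(lines):
        key = (selinux_type(avc['scontext']), selinux_type(avc['tcontext']), avc['tclass'])
        rules[key] |= avc['perms']
    return dict(rules)


def allow_rules(lines):
    """Render audit2allow-style statements, sorted so the output is stable."""
    return ['allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(summarise(lines).items())]


def needs_relabel(lines):
    """Denials whose target type says the file is unlabeled."""
    return [key for key in sorted(summarise(lines)) if key[1] in UNLABELED_TYPES]


if __name__ == '__main__':
    lines = SAMPLE.splitlines()
    for rule in allow_rules(lines):
        print(rule)
    for src, tgt, cls in needs_relabel(lines):
        print('# %s -> %s (%s): relabel the target, do not allow it' % (src, tgt, cls))
```

Run against the sample, it emits one `allow` line per source/target/class triple (the two syslog-ng records collapse into `{ open read }`) and flags the crond entry, since `/var/spool/cron/crontabs/root` carrying `file_t` means the spool was never labelled; the decoded sendmail path, `/tmp/cron.o8On3o/cron.root.3247 (deleted)`, explains why that record arrived hex-encoded. As with audit2allow, the generated rules are a reading aid, not something to load blindly.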