On Thu, 1 Oct 2015 08:00:45 AM Michael Biebl wrote:
> On Sun, 18 Jan 2015 11:07:40 +1100 Russell Coker <russ...@coker.com.au>
> wrote:
> > Package: systemd
> > Version: 215-9
> > Severity: normal
> >
> >
> > type=AVC msg=audit(1421538903.417:232): avc: denied { use } for
> > pid=23546 comm="kded4" path="/run/systemd/inhibit/1.ref" dev="tmpfs"
> > ino=91124 scontext=rjc:user_r:user_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=0
> >
> > When I login via kdm the KDE user processes (and presumably user
> > processes from any other desktop environment) inherit
> > /run/systemd/inhibit/1.ref.
> >
> > Is this desired? If so why? I have SE Linux preventing it and
> > everything works.
>
> I'm not sure what the problem is here.
> Can you elaborate?
If a socket or pipe is inherited from a system process to a process running as
a user there is a possibility of a security problem. Generally if there is no
reason for such access to be granted then it should not be granted. The file
handle could be closed before exec or it could be set to close on exec.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
