Le 13/01/17 à 16:43, Russell Coker a écrit :
I find it difficult to think of situations where a SEGV in a program is anything
other than a bug in the program or a library it uses.  If the program is
prevented from doing something it wants to do (by SE Linux, Unix permissions,
a filesystem error, lack of disk space, etc) it should log an error so that the
sysadmin can fix the problem.
Did you check the USER_AVC records too (the D-Bus denials reported by dbus-daemon itself, as opposed to the kernel AVCs)? I see some denials of D-Bus communication here.

With all the new allow rules in the attached files, I can get gdm running and I can open a session too in enforcing mode. (I also had to turn the allow_execmem boolean on; note that this boolean is system-wide, so it would be better to find out which domain actually needs execmem and grant it to that domain only.)

Not all of these rules are probably needed (audit2allow marks several of them as already allowed, and a few are duplicated between the modules), but they can be used as a base I guess.

Cheers,

Laurent Bigonville
module local_dbus2 1.0;

require {
        type event_device_t;
        type system_dbusd_t;
        class chr_file { read write };
}

#============= system_dbusd_t ==============
# NOTE(review): this module is a strict subset of local_dbus below, which
# carries exactly this rule plus the dri_device_t one; only one of the two
# needs to be loaded.
#
# NOTE(review): dbus-daemon has no reason to open input event devices itself.
# A read/write denial on event_device_t in system_dbusd_t most likely comes
# from a device file descriptor passing through the system bus in an
# SCM_RIGHTS message (the kernel checks the file permissions of a passed fd
# against the receiving domain), or from a mislabelled device node.  Confirm
# with the matching AVC (path=, the calling D-Bus method) and with
# "ls -lZ /dev/input" before treating this as a genuine need of dbus-daemon.
allow system_dbusd_t event_device_t:chr_file { read write };

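module local_dbus 1.0;

require {
        type system_dbusd_t;
        type dri_device_t;
        type event_device_t;
        class chr_file { read write };
}

#============= system_dbusd_t ==============
# Both rules consolidated under one section (audit2allow emitted two
# identical headers).  local_dbus2 in the same set contains only the
# event_device_t rule, so loading this module alone is sufficient.
#
# NOTE(review): dbus-daemon never opens DRM or input devices on its own.  The
# plausible source of these denials is a device file descriptor being relayed
# over the system bus (a passed fd is checked for read/write on the underlying
# file against the receiving domain) or a mislabelled node under /dev/dri or
# /dev/input.  Verify with the matching AVC and "ls -lZ /dev/dri /dev/input";
# if it is an fd in transit, this is the minimum that lets the message through.
allow system_dbusd_t dri_device_t:chr_file { read write };
allow system_dbusd_t event_device_t:chr_file { read write };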

module local_rtkit 1.0;

require {
        type rtkit_daemon_t;
        type xdm_t;
        class process setsched;
        class dbus send_msg;
}

#============= rtkit_daemon_t ==============
# rtkit sending a D-Bus message (presumably the reply to a request) to a
# process in the gdm domain.  This rule also appears in local_user, where
# audit2allow reports it as already allowed -- consistent with this module
# having been loaded before that log was processed.  Keep it in one place.
allow rtkit_daemon_t xdm_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
# Changing the scheduling policy/priority of an xdm_t process is what rtkit
# is asked to do by its clients; here the client is something running in the
# gdm domain.  Reported as already granted by the loaded policy -- verify with
# sesearch before dropping it from this module.
allow rtkit_daemon_t xdm_t:process setsched;

module local_systemd 1.0;

require {
        type systemd_logind_t;
        type NetworkManager_t;
        type tty_device_t;
        type user_runtime_t;
        class chr_file setattr;
        class fd use;
        class file unlink;
}

#============= NetworkManager_t ==============
# NetworkManager using a file descriptor that was created by logind.
# NOTE(review): if this fd arrives over D-Bus (logind hands out fds to
# clients, e.g. for inhibitor locks) it is legitimate and denying it would
# break that call; if it was instead inherited across a domain transition it
# is a leak and the usual treatment is dontaudit plus fixing the leak.  The
# matching AVC (path= / the D-Bus call in progress) tells which case this is.
allow NetworkManager_t systemd_logind_t:fd use;

#============= systemd_logind_t ==============

#!!!! This avc is allowed in the current policy
# logind changing ownership/mode of a tty device node (session setup on a
# console, presumably).  Already granted by the loaded policy per audit2allow;
# verify with sesearch before dropping it.
allow systemd_logind_t tty_device_t:chr_file setattr;

#!!!! This avc is allowed in the current policy
# logind removing files in a user runtime directory (session teardown,
# presumably).  Already granted by the loaded policy per audit2allow; verify
# with sesearch before dropping it.
allow systemd_logind_t user_runtime_t:file unlink;

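module local_udev 1.0;

require {
        type alsa_t;
        type kernel_t;
        type initrc_var_run_t;
        type udev_t;
        class capability sys_tty_config;
        class key search;
        class dir { add_name getattr search write };
        class process { noatsecure rlimitinh siginh };
        class file { create write };
}

#============= udev_t ==============
# udev transitioning into alsa_t (e.g. a udev rule running an ALSA helper).
# noatsecure, rlimitinh and siginh govern whether the new domain keeps the
# caller's environment without AT_SECURE sanitising, its resource limits and
# its signal state.  Denying them does not stop the transition -- the child
# simply starts with a sanitised environment, default limits and reset
# signals, which is the safer outcome -- so the conventional treatment is to
# silence the denial rather than grant the inheritance.  Changed from allow.
dontaudit udev_t alsa_t:process { noatsecure rlimitinh siginh };

# udev writing into a directory labelled initrc_var_run_t under /run.
# audit2allow reported the dir rule and the "create" permission as already
# allowed by the loaded policy (base policy or another module present at the
# time); "write" was not.  Kept as one rule so the module works standalone --
# verify with sesearch before trimming.
allow udev_t initrc_var_run_t:dir { add_name getattr search write };
allow udev_t initrc_var_run_t:file { create write };

# udev looking up a keyring owned by kernel_t; seen early at boot, presumably
# before udev has a keyring of its own.
allow udev_t kernel_t:key search;

# CAP_SYS_TTY_CONFIG for udev's own console/keyboard configuration.
allow udev_t self:capability sys_tty_config;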

module local_user 1.0;

require {
        type init_var_run_t;
        type colord_t;
        type rtkit_daemon_t;
        type realmd_t;
        type xdm_t;
        type avahi_t;
        type NetworkManager_t;
        type policykit_t;
        type modemmanager_t;
        type unconfined_t;
        type systemd_locale_t;
        type systemd_logind_t;
        type systemd_hostnamed_t;
        type devicekit_disk_t;
        type accountsd_t;
        type apt_t;
        type init_t;
        type initrc_t;
        class service status;
        class system status;
        class dbus send_msg;
}

# All "dbus send_msg" rules below are enforced by dbus-daemon acting as a
# userspace object manager, so their denials show up as USER_AVC records, not
# kernel AVCs.  Each rule is one-directional: "allow A B:dbus send_msg" lets A
# send to B; replies are checked the same way, which is why several pairs
# (avahi_t/colord_t, NetworkManager_t/apt_t, ...) appear here.
#
# Many targets are unconfined_t because the logged-in user runs unconfined on
# this system; with confined user domains the same denials would name those
# domains instead.  Rules flagged "allowed in the current policy" were already
# granted by whatever policy (base or another local module, e.g. local_rtkit)
# was loaded when audit2allow ran -- verify with sesearch before dropping them.
#
# NOTE(review): an apt_t process is a D-Bus participant here (NetworkManager,
# policykit and logind all send to it and it replies to the user).  Check which
# apt-run program that is before keeping these; it is unusual for apt itself.

#============= NetworkManager_t ==============
allow NetworkManager_t apt_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
allow NetworkManager_t init_t:dbus send_msg;
allow NetworkManager_t unconfined_t:dbus send_msg;
allow NetworkManager_t xdm_t:dbus send_msg;

#============= accountsd_t ==============
allow accountsd_t unconfined_t:dbus send_msg;

#============= apt_t ==============
allow apt_t unconfined_t:dbus send_msg;

#============= avahi_t ==============
# avahi_t <-> colord_t: both directions are needed for a request/reply pair.
allow avahi_t colord_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
allow avahi_t init_t:dbus send_msg;

#============= colord_t ==============
allow colord_t avahi_t:dbus send_msg;
allow colord_t unconfined_t:dbus send_msg;

#============= devicekit_disk_t ==============
allow devicekit_disk_t initrc_t:dbus send_msg;

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t unconfined_t:dbus send_msg;

#============= modemmanager_t ==============

#!!!! This avc is allowed in the current policy
allow modemmanager_t init_t:dbus send_msg;
allow modemmanager_t systemd_logind_t:dbus send_msg;
allow modemmanager_t unconfined_t:dbus send_msg;

#============= policykit_t ==============
allow policykit_t apt_t:dbus send_msg;
allow policykit_t xdm_t:dbus send_msg;

#============= realmd_t ==============
allow realmd_t xdm_t:dbus send_msg;

#============= rtkit_daemon_t ==============

#!!!! This avc is allowed in the current policy
# Duplicate of the rule in local_rtkit; "already allowed" here is consistent
# with that module having been loaded first.  Keep it in one module only.
allow rtkit_daemon_t xdm_t:dbus send_msg;

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t unconfined_t:dbus send_msg;
allow systemd_hostnamed_t xdm_t:dbus send_msg;

#============= systemd_locale_t ==============
allow systemd_locale_t init_t:dbus send_msg;
allow systemd_locale_t unconfined_t:dbus send_msg;
allow systemd_locale_t xdm_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t apt_t:dbus send_msg;
allow systemd_logind_t modemmanager_t:dbus send_msg;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
# Querying the status of a systemd unit (class "service") whose object is
# labelled init_var_run_t, i.e. a runtime unit under /run -- presumably a
# "systemctl status"-style call from the user session.
allow unconfined_t init_var_run_t:service status;

#============= xdm_t ==============
# gdm querying the status of the systemd manager itself (class "system",
# object init_t).
allow xdm_t init_t:system status;
