On Mon, Aug 27, 2012 at 08:28:20PM +0200, Paolo Barile wrote:
> Well I only had a policykit crash window. But it disappeared when,
> following your suggestion, I've made a rule with audit2allow only on
> the execute denials. But even with that rule the problems of the audio card
> and powerdevil weren't solved.
[...]
Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
you to try out (you can use audit2allow but I'm not sure yet if the result
is correct or not).
> > What does "semanage login -l" say?
> Semanage login -l outputs only:
> __default__ unconfined_u
> system_u system_u
>
> Anyway I think that I "solved" this problem (probably it's rather a
> workaround) using the context you wrote: "semanage fcontext -a -t
> user_home_dir_t /root". In fact the su delay disappeared.
Looks like we need to declare the root user for unconfined_u anyhow. You
might want to run the following to do so:
~# semanage login -a -s unconfined_u root
It seems that genhomedircon (well, it's now part of the semodule command but
the genhomedircon command still works) only looks at users with a UID of 500
and more. By not explicitly declaring root as an interactive user, the tools
just ignore it (and as a result don't generate the proper contexts).
If you do that, then run genhomedircon and then look at the output of the
following command again, I hope you get enough output?
~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs
> There is one more problem. As I wrote in the previous mail two folders
> in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
> the mislabeling was solved by using the script for the initramfs users
> (of course adding restorecon -R /run). But I couldn't relabel permanently
> the second dir. I think it's because it belongs to pam, so perhaps it is
> created after a login, but the script runs before it. Am I right?
Sounds probable. We'll need to figure out what is creating the console
directory. From the label (consolekit_var_run_t) I imagine it is something
of ConsoleKit.
I can probably create a named file transition for this. The ConsoleKit stuff
is acknowledged already, perhaps the /run/console is solved with something
like the following?
#v+
policy_module(localconsolekit, 1.0)
# Pull in the types defined by the base policy / other modules
gen_require(`
type pam_var_console_t;
type consolekit_t;
')
# Named file transition: a dir called "console" created by consolekit_t
# under a var_run_t ("pid") location gets pam_var_console_t
files_pid_filetrans(consolekit_t, pam_var_console_t, dir, "console")
#v-
This basically says that, if a domain "consolekit_t" creates a
dir(ectory) with name "console" in a location with label var_run_t ("pid"),
then that directory would be labeled "pam_var_console_t" immediately.
It is possible however that consolekit_t doesn't hold the rights to do so,
so you might need to add in:
#v+
# Allow consolekit_t to create directories of type pam_var_console_t
# (goes in the same module, after the gen_require block)
create_dirs_pattern(consolekit_t, pam_var_console_t, pam_var_console_t)
#v-
Thanks for your patience on this so far ;-)
Wkr,
Sven Vermeulen
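The genhomedircon behaviour described in this reply (regular users from UID 500 up, plus logins explicitly mapped with semanage login), as an added Python model that is not part of the thread or of libsemanage. The passwd and seusers contents are constructed samples, the UID cutoff is the value stated above rather than one read from login.defs, and the rendered context lines are a simplified form of the real home-directory template:

```python
"""Simplified model of which users genhomedircon emits home-dir contexts for."""

# Constructed sample input: a minimal /etc/passwd and the seusers mapping
# reported in the thread (only __default__ and system_u), then the same
# mapping after "semanage login -a -s unconfined_u root".
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
messagebus:x:81:81:System Message Bus:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SEUSERS_BEFORE = "__default__:unconfined_u:s0-s0:c0.c1023\nsystem_u:system_u:s0-s0:c0.c1023\n"
SEUSERS_AFTER = SEUSERS_BEFORE + "root:unconfined_u:s0-s0:c0.c1023\n"

UID_MIN = 500  # cutoff as stated in the thread (assumption; the tool reads login.defs)


def parse_passwd(text):
    """Return {login: (uid, home)} from passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, home, _shell = line.split(":")
            users[name] = (int(uid), home)
    return users


def parse_seusers(text):
    """Return {login: seuser} from seusers-formatted text (MLS range dropped)."""
    mapping = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            login, seuser, _mls = line.split(":", 2)
            mapping[login] = seuser
    return mapping


def homedir_users(passwd_text, seusers_text, uid_min=UID_MIN):
    """Users considered: uid >= uid_min, or explicitly listed in seusers.
    root (uid 0) only appears once it has its own seusers entry."""
    explicit = {k for k in parse_seusers(seusers_text) if k not in ("__default__", "system_u")}
    return {name: home for name, (uid, home) in parse_passwd(passwd_text).items()
            if uid >= uid_min or name in explicit}


def homedirs_contexts(chosen):
    """Render file_contexts.homedirs-style HOME_DIR lines (simplified template)."""
    return [f"{home} -d system_u:object_r:user_home_dir_t:s0"
            for _name, home in sorted(chosen.items())]


if __name__ == "__main__":
    print("\n".join(homedirs_contexts(homedir_users(PASSWD, SEUSERS_AFTER))))
```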