On 28/08/2012 19:27, Sven Vermeulen wrote:
> On Mon, Aug 27, 2012 at 08:28:20PM +0200, Paolo Barile wrote:
>> Well I only had a policykit crash window. But It disappeared when,
>> following your suggestion, I've made a rule with  audit2allow only on
>> the execute denials. But even with that rule the problems of audio card
>> and powerdevil weren't solved.
> [...]
>
> Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
> you to try out (you can use audit2allow but I'm not sure yet if the result
> is correct or not).
Thank you very much. As for your question about error messages, I
noticed that starting kmix from a shell gives me:

QDBusConnection: session D-Bus connection created before
QCoreApplication. Application may misbehave.

And kmix doesn't start.
>
>>> What does "semanage login -l" say?
>> semanage login -l outputs only:
>> __default__               unconfined_u            
>> system_u                  system_u
>>
>> Anyway I think that I "solved" this problem (probably it's rather a
>> workaround) using the context you wrote: "semanage fcontext -a -t
>> user_home_dir_t /root". In fact the su delay disappeared.
> Looks like we need to declare the root user for unconfined_u anyhow. You
> might want to run the following to do so:
>
> ~# semanage login -a -s unconfined_u root
>
> It seems that genhomedircon (well, it's now part of the semodule command but
> the genhomedircon command still works) only looks at users with a UID of 500
> and more. By not explicitly declaring root as an interactive user, the tools
> just ignore it (and as a result don't generate the proper contexts).
>
> If you do that, then genhomedircon and then look at the output of the
> following command again, I hope you get enough output?
>
> ~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs
Oh well, even too much perhaps now! ;) I mean it contains strings like:

/root/\.mozilla(/.*)?   unconfined_u:object_r:mozilla_home_t

But I don't know why the root user should have rights for X
applications. Is that normal? If so, I think we can consider it solved!

Do you suggest mapping the other users to unconfined_u too? I'm asking
because I noticed slowness in opening folders (in X) for the first
time after login.

>
>> There is one more problem. As I wrote in the previous mail two folders
>> in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
>> the mislabeling was solved by using the script for the initramfs users
>> (of course adding restorecon -R /run). But I couldn't relabel permanently
>> the second dir. I think it's because it belongs to pam, so perhaps it is
>> created after a login, but the script runs before it. Am I right?
> Sounds probable. We'll need to figure out what is creating the console
> directory. From the label (consolekit_var_run_t) I imagine it is something
> of ConsoleKit.
>
> I can probably create a named file transition for this. The ConsoleKit stuff
> is acknowledged already, perhaps the /run/console is solved with something
> like the following?
>
> #v+
> policy_module(localconsolekit, 1.0)
>
> gen_require(`
>   type pam_var_console_t;
>   type consolekit_t;
> ')
>
> files_pid_filetrans(consolekit_t, pam_var_console_t, dir, "console")
> #v-
>
> This basically says that, if a domain "consolekit_t" creates a
> dir(ectory) with name "console" in a location with label var_run_t ("pid"),
> then that directory would be labeled "pam_var_console_t" immediately.
>
> It is possible however that consolekit_t doesn't hold the rights to do so,
> so you might need to add in:
>
> #v+
> create_dirs_pattern(consolekit_t, pam_var_console_t, pam_var_console_t)
> #v-
>
> Thanks for your patience on this so far ;-)
>
> Wkr,
>       Sven Vermeulen
>
Well, thanks to you for yours!
Anyway, with that module (the create_dirs_pattern rule is necessary),
the /run/console situation is solved too.

Now let's try to summarize all the denials I have now at this point.

On boot I have:

Aug 29 18:07:34 dell-studio kernel: [    8.446914] type=1400
audit(1346263638.445:4): avc:  denied  { getattr } for  pid=1454
comm="alsactl" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [    8.446939] type=1400
audit(1346263638.445:5): avc:  denied  { write } for  pid=1454
comm="alsactl" name="shm" dev="tmpfs" ino=1124
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [    8.446947] type=1400
audit(1346263638.445:6): avc:  denied  { add_name } for  pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [    8.446963] type=1400
audit(1346263638.445:7): avc:  denied  { create } for  pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [    8.446976] type=1400
audit(1346263638.445:8): avc:  denied  { read write open } for  pid=1454
comm="alsactl" name="pulse-shm-688087777" dev="tmpfs" ino=3801
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [    8.466988] type=1400
audit(1346263638.465:9): avc:  denied  { remove_name } for  pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [    8.467011] type=1400
audit(1346263638.465:10): avc:  denied  { unlink } for  pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [    8.984725] type=1400
audit(1346256440.202:11): avc:  denied  { getattr } for  pid=1538
comm="cryptsetup" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [   14.683311] type=1400
audit(1346256445.900:15): avc:  denied  { module_request } for  pid=1543
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 29 18:07:34 dell-studio kernel: [   23.000643] type=1400
audit(1346256454.217:16): avc:  denied  { setrlimit } for  pid=2008
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 29 18:07:34 dell-studio kernel: [   23.230831] type=1400
audit(1346256454.447:17): avc:  denied  { read } for  pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [   23.230847] type=1400
audit(1346256454.447:18): avc:  denied  { open } for  pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [   23.230869] type=1400
audit(1346256454.447:19): avc:  denied  { getattr } for  pid=2024
comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev="sda7"
ino=73732 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [   23.240312] type=1400
audit(1346256454.457:20): avc:  denied  { unlink } for  pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [   23.593562] type=1400
audit(1346256454.810:21): avc:  denied  { getattr } for  pid=2038
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [   23.593583] type=1400
audit(1346256454.810:22): avc:  denied  { search } for  pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [   23.593600] type=1400
audit(1346256454.810:23): avc:  denied  { write } for  pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [   23.593608] type=1400
audit(1346256454.810:24): avc:  denied  { add_name } for  pid=2038
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:40 dell-studio kernel: [   29.589769] type=1400
audit(1346256460.806:49): avc:  denied  { read } for  pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [   29.589778] type=1400
audit(1346256460.806:50): avc:  denied  { open } for  pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [   29.589797] type=1400
audit(1346256460.806:51): avc:  denied  { getattr } for  pid=2782
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:41 dell-studio kernel: [   29.823183] type=1400
audit(1346256461.040:52): avc:  denied  { read write } for  pid=2826
comm="ifconfig" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 29 18:07:41 dell-studio kernel: [   30.120105] type=1400
audit(1346256461.337:53): avc:  denied  { use } for  pid=2955
comm="mount" path="/dev/null" dev="tmpfs" ino=1122
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 29 18:07:41 dell-studio kernel: [   30.120124] type=1400
audit(1346256461.337:54): avc:  denied  { read write } for  pid=2955
comm="mount" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=unix_dgram_socket
Aug 29 18:09:04 dell-studio kernel: [  112.791995] type=1400
audit(1346256544.031:56): avc:  denied  { read } for  pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:09:04 dell-studio kernel: [  112.875933] type=1400
audit(1346256544.115:57): avc:  denied  { read } for  pid=3066
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting xdm:

Aug 29 18:09:34 dell-studio kernel: [  142.834237] type=1400
audit(1346256574.075:58): avc:  denied  { read } for  pid=3073 comm="rc"
name="profile.env" dev="sda5" ino=663084
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 29 18:09:40 dell-studio kernel: [  149.431140] type=1400
audit(1346256580.672:59): avc:  denied  { read } for  pid=3118
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:09:46 dell-studio kernel: [  154.930603] type=1400
audit(1346256586.170:60): avc:  denied  { read } for  pid=3133
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

And after the login:

Aug 29 18:10:04 dell-studio kernel: [  173.755581] type=1400
audit(1346256604.995:65): avc:  denied  { read } for  pid=3140
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:10:09 dell-studio kernel: [  177.817507] type=1400
audit(1346256609.057:66): avc:  denied  { read } for  pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:10:14 dell-studio kernel: [  182.951425] type=1400
audit(1346256614.192:68): avc:  denied  { getattr } for  pid=3236
comm="udisks-daemon" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_disk_t
tcontext=system_u:object_r:fs_t tclass=filesystem
Aug 29 18:10:14 dell-studio kernel: [  183.307019] type=1400
audit(1346256614.546:69): avc:  denied  { getattr } for  pid=3233
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [  183.318766] type=1400
audit(1346256614.558:70): avc:  denied  { getattr } for  pid=3252
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [  183.717762] type=1400
audit(1346256614.957:71): avc:  denied  { getattr } for  pid=3276
comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [  183.721637] type=1400
audit(1346256614.961:72): avc:  denied  { write } for  pid=3281
comm="mkdir" name="/" dev="tmpfs" ino=1059
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 29 18:10:41 dell-studio kernel: [  210.642364] type=1400
audit(1346256641.883:73): avc:  denied  { search } for  pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:11:55 dell-studio kernel: [  283.944883] type=1400
audit(1346256715.185:76): avc:  denied  { read } for  pid=3540
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:12:01 dell-studio kernel: [  290.394892] type=1400
audit(1346256721.635:77): avc:  denied  { search } for  pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:12:06 dell-studio kernel: [  295.059511] type=1400
audit(1346256726.300:78): avc:  denied  { read } for  pid=3574
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:20:01 dell-studio kernel: [  769.954898] type=1400
audit(1346257201.195:80): avc:  denied  { read open } for  pid=6070
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [  769.954945] type=1400
audit(1346257201.195:81): avc:  denied  { getattr } for  pid=6070
comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [  769.957780] type=1400
audit(1346257201.198:83): avc:  denied  { read } for  pid=6071
comm="sendmail"
path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429
dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
Aug 29 18:20:15 dell-studio kernel: [  784.092973] type=1400
audit(1346257215.333:84): avc:  denied  { getattr } for  pid=3227
comm="upowerd" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:fs_t tclass=filesystem

Thank you again for following me.
Paolo.

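A small helper, added here and not part of this thread, that re-joins AVC records wrapped the way the mail client wrapped the ones above, decodes the hex-encoded path in the sendmail denial (audit hex-encodes a name or path containing spaces, here the " (deleted)" suffix), and groups denials by source type, target type and object class, the same grouping audit2allow uses, so one can see what a local module would need before allowing anything. The two sample records are copied from this message; the function names are my own.

```python
import re

# Constructed sample: two records copied from the message above, still wrapped
# over several lines the way the mail client wrapped them.
SAMPLE = """\
Aug 29 18:07:34 dell-studio kernel: [    8.446939] type=1400
audit(1346263638.445:5): avc:  denied  { write } for  pid=1454
comm="alsactl" name="shm" dev="tmpfs" ino=1124
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:20:01 dell-studio kernel: [  769.957780] type=1400
audit(1346257201.198:83): avc:  denied  { read } for  pid=6071
comm="sendmail"
path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429
dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"
PERMS = re.compile(r"denied +\{ ([^}]*)\}")

def unwrap(text):
    # A record starts only at a syslog timestamp; other lines are wrapped tails.
    starts = r"\n(?=\w{3} +\d+ \d\d:\d\d:\d\d )"
    return [r.replace("\n", " ") for r in re.split(starts, text.strip())]

def decode_value(raw):
    # audit hex-encodes name/path values that contain spaces or odd bytes.
    if raw.startswith('"') or not re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_avc(record):
    # Permissions, source/target type, class and decoded object of one record.
    m = PERMS.search(record)
    if m is None or "avc:" not in record:
        return None
    f = dict(FIELD.findall(record))
    obj = f.get("path") or f.get("name")
    return {"perms": set(m.group(1).split()), "tclass": f["tclass"],
            "stype": f["scontext"].split(":")[2], "ttype": f["tcontext"].split(":")[2],
            "object": decode_value(obj) if obj else None}

def summarize(text):
    # Group by (source type, target type, class), the grouping audit2allow uses.
    summary = {}
    for rec in unwrap(text):
        if d := parse_avc(rec):
            summary.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return {k: sorted(v) for k, v in summary.items()}
```

Feed it the full log from the message and each key in the result corresponds to one candidate allow rule, which is easier to judge than a hundred raw lines.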