Re: pulseaudio, policykit - works in permissive, fails in enforcing

From: Tom London <selinux_at_nospam>
Date: Tue Dec 04 2007 - 18:16:50 GMT
To: fedora-selinux <fedora-selinux-list@redhat.com>

On Dec 3, 2007 3:54 PM, Tom London <selinux@gmail.com> wrote:
>
> On Dec 3, 2007 3:50 PM, Tom London <selinux@gmail.com> wrote:
> > Forgot to attach the AVCs......
> >
> > Does this one look suspicious?
> >
> > type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
> > pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> > type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
> > success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
> > pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> > exe="/usr/libexec/ck-get-x11-display-device"
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> >
>
> Attached compressed....sigh
>

Reran the above in permissive mode. This seemed suspicious:

type=AVC msg=audit(1196779565.801:132): avc: denied { search } for pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir type=AVC msg=audit(1196779565.801:132): avc: denied { read } for pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5 success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

So, I did a 'audit2allow -M localpulse2' on the above.

Here is the .te file:

module localpulse2 1.0;

require { type xdm_xserver_t; type xdm_t; class dir search; class file { read getattr };
}

#============= xdm_t ==============
allow xdm_t xdm_xserver_t:dir search;
allow xdm_t xdm_xserver_t:file { read getattr };

'semodule -i localpulse2.pp' makes pulseaudio work.

Should this be added?

tom -- Tom London -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This message: [ Message body ]
Next message: Shintaro Fujiwara: "Re: [Bug] about the bug with semanage"
Previous message: Aleksander Adamowski: "Re: AW: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context""
In reply to: Tom London: "Re: pulseaudio, policykit - works in permissive, fails in enforcing"
Next in thread: Daniel J Walsh: "Re: pulseaudio, policykit - works in permissive, fails in enforcing"
Reply: Daniel J Walsh: "Re: pulseaudio, policykit - works in permissive, fails in enforcing"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]