Running strict/enforcing, latest rawhide.
Rebooting after updating to latest policy (selinux-policy-strict-1.19.15-7), noticed the following AVCs:
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

and

Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

Adding the following seems to fix it:

allow cupsd_config_t self:tcp_socket connect;

Also:

Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.736:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora kernel: audit(1103888840.737:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 4 times
Dec 24 11:47:51 fedora kernel: ACPI: Power Button (FF) [PWRF]

The following change seems to fix:

allow udev_t mnt_t:dir search;
to
allow udev_t mnt_t:dir r_dir_perms;

But I'm not sure why pam_console_apply wants to read /mnt. Should this be a dontaudit?
tom
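As an added example (not part of the thread, and not the policy tooling either), here is a small audit2allow-style script that turns kernel AVC lines like the ones above into candidate rules in the policy.conf allow syntax used in this thread. It merges repeated denials for the same source type, target type and class, writes a target equal to the source as self, and records which executables triggered each rule so that a rule like "udev_t reading mnt_t via /sbin/pam_console_apply" stands out as a possible missing domain transition rather than a permission that udev really needs. The log lines in SAMPLE_LOG are constructed from the message above, with the unrelated kernel messages left in to show they are skipped.

```python
import re
from collections import defaultdict

# One kernel AVC record: "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample built from the lines posted in the message above.
SAMPLE_LOG = """\
Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:50:52 fedora kernel: audit(1103917852.996:0): avc: denied { connect } for pid=3070 exe=/usr/bin/lpoptions scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket
Dec 24 11:47:51 fedora kernel: IPv6 over IPv4 tunneling driver
Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
Dec 24 11:47:51 fedora last message repeated 3 times
Dec 24 11:47:51 fedora kernel: audit(1103888840.738:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir
"""


def parse_avc(line):
    """Return (perms, fields) for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return perms, fields


def type_of(context):
    """Pull the type out of a user:role:type security context."""
    return context.split(":")[2]


def collect(log_text):
    """Group denials by (source type, target type, class), merging perms and exes."""
    grouped = defaultdict(lambda: {"perms": set(), "exes": set()})
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC record (driver banner, "last message repeated", ...)
        perms, fields = parsed
        key = (type_of(fields["scontext"]), type_of(fields["tcontext"]), fields["tclass"])
        grouped[key]["perms"].update(perms)
        if "exe" in fields:
            grouped[key]["exes"].add(fields["exe"])
    return grouped


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule; a target equal to the source is written as self."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_text};"


def generate_rules(log_text):
    """Minimal allow rules, one per (source, target, class), in sorted order."""
    grouped = collect(log_text)
    return [format_rule(*key, grouped[key]["perms"]) for key in sorted(grouped)]


def exes_by_rule(log_text):
    """Map each generated rule to the executables that triggered it."""
    grouped = collect(log_text)
    return {
        format_rule(*key, grouped[key]["perms"]): sorted(grouped[key]["exes"])
        for key in sorted(grouped)
    }


if __name__ == "__main__":
    for rule, exes in exes_by_rule(SAMPLE_LOG).items():
        print(f"{rule}   # seen from: {', '.join(exes)}")
```

The generated rules are a starting point, not the answer: as the reply below shows, the right fix for the cupsd_config_t case is a network macro rather than a bare allow, and the exe column is exactly what tells you that the udev_t denial comes from pam_console_apply, which argues for a domain transition instead of widening udev_t.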
On Saturday 25 December 2004 07:00, Tom London selinux@gmail.com wrote:
> Dec 24 11:48:23 fedora kernel: audit(1103917703.356:0): avc: denied { connect } for pid=2679 exe=/usr/sbin/hal_lpadmin scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:cupsd_config_t tclass=tcp_socket

can_network_server_tcp(cupsd_config_t)

It looks like we need to change the above to the below:

can_network_tcp(cupsd_config_t)

Also I suggest the change in the attached file net.diff to remove redundancy in the policy.conf file.

> Dec 24 11:47:51 fedora kernel: audit(1103888840.733:0): avc: denied { read } for pid=1112 exe=/sbin/pam_console_apply name=mnt dev=hda2 ino=1114113 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:mnt_t tclass=dir

The attached patch udev.diff (which I sent to the SE Linux mailing list at about the same time as your message was posted) should fix this.

> The following change seems to fix:
>
> allow udev_t mnt_t:dir search;
> to
> allow udev_t mnt_t:dir r_dir_perms;
>
> But I'm not sure why pam_console_apply wants to read /mnt. Should this be a dontaudit?

We could have done that. But I think that pam_console_apply should run in domain pam_console_t when launched by udev.
On Sat, 25 Dec 2004 12:31:40 +1100, Russell Coker russell@coker.com.au wrote:
> On Saturday 25 December 2004 07:00, Tom London selinux@gmail.com wrote:
>
> can_network_server_tcp(cupsd_config_t)
>
> It looks like we need to change the above to the below:
>
> can_network_tcp(cupsd_config_t)
>
> Also I suggest the change in the attached file net.diff to remove redundancy in the policy.conf file.
>
> The attached patch udev.diff (which I sent to the SE Linux mailing list at about the same time as your message was posted) should fix this.
>
> We could have done that. But I think that pam_console_apply should run in domain pam_console_t when launched by udev.
--
Russell,
Thanks. These work.
tom
selinux@lists.fedoraproject.org