
Can't get fully functional (kde) desktop with SELinux
Hello to all the list. I need your help to understand what's wrong here.
I tried to convert my laptop to a selinux profile (targeted) several
times following the documentation step by step.
Now, the last time I tried, I was using the 2.20120725-r3 policies from the
hardened-dev overlay, but I found the same problems with every version
of the policies I try. The system is mainly amd64 (not ~amd64).
The problems I find are:
1) it seems like some parts of the hardware can't be revealed in enforcing
mode: Pulseaudio can't see the soundcard, powerdevil can't see power
statistics, newly attached usb drives are ignored. Obviously
selinux-consolekit, selinux-policykit and selinux-dbus are installed.
2) I use partition encryption (with cryptsetup) and if booting in
enforcing mode it complains about a temporary file that is already
there, but then it goes straight on.
3) Logging in as root with su or kdesu (in an X environment) takes too long:
if the password I write is ok, it can take even some minutes to give me the
root shell.

Thank you in advance for your help.


This is my emerge --info:

Portage 2.1.11.9 (default/linux/amd64/10.0/selinux, gcc-4.5.3,
glibc-2.15-r2, 3.3.8-gentoo x86_64)
=================================================================
System uname:
Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.1
Timestamp of tree: Sun, 19 Aug 2012 12:45:01 +0000
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/cmake: 2.8.8-r3
dev-util/pkgconfig: 0.27
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.3-r2
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo mozilla hardened-dev lcd-filtering
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param
l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt
/usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d
/etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release
/etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32
--param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic"
DISTDIR="/home/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified
distlocks ebuild-locks fixlafiles news parallel-fetch
parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms
strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://de-mirror.org/gentoo/"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="it"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --stats --human-readable
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/mozilla
/var/lib/layman/hardened-development /var/lib/layman/lcd-filtering"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac aac+ acl acpi alsa amd64 audit auto-hinter berkdb bzip2
cairo cdda cdio cdr cli consolekit corefonts cracklib crypt cups
custom-cflags custom-optimization cxx dbus dirac dri dts dvd encode exif
extras faac fam flac fortran g3dvl gdbm gif gles2 gpm gudev hwdb iconv
jit jpeg kde keymap lcdfilter lcms libnotify lzma mad mmx mng modules
mp3 mpeg mudflap multilib multimedia ncurses nls nptl ogg open_perms
opengl openmp pam pcre pdf phonon pic png policykit pppd pulseaudio
python qt3support qt4 readline schroedinger sdl selinux session sse sse2
sse3 sse4_1 ssl ssse3 startup-notification svg tcpd theora threads
thumbnail tiff truetype type1 udev unicode usb v4l vorbis wavpack x264
xa xft xml xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp
atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter
mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon
authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi
cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter
file_cache filter headers include info log_config logio mem_cache mime
mime_magic negotiation rewrite setenvif speling status unique_id userdir
usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets
stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df
interface irq load memory rrdtool swap syslog" ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt
gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore
rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="it" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7"
RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p
iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark
dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL,
PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON



This is my avc.log of the last boot up:

Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400
audit(1345538717.847:3): avc: denied { search } for pid=1452
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588561] type=1400
audit(1345538718.587:4): avc: denied { read } for pid=1450
comm="alsactl" name="urandom" dev="tmpfs" ino=3255
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588576] type=1400
audit(1345538718.587:6): avc: denied { open } for pid=1450
comm="alsactl" name="urandom" dev="tmpfs" ino=3255
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588579] type=1400
audit(1345538718.587:7): avc: denied { open } for pid=1452
comm="alsactl" name="urandom" dev="tmpfs" ino=3255
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 21 08:45:49 dell-studio kernel: [ 8.588621] type=1400
audit(1345538718.587:8): avc: denied { getattr } for pid=1450
comm="alsactl" name="/" dev="tmpfs" ino=2980
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588625] type=1400
audit(1345538718.587:9): avc: denied { getattr } for pid=1452
comm="alsactl" name="/" dev="tmpfs" ino=2980
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 21 08:45:49 dell-studio kernel: [ 8.588644] type=1400
audit(1345538718.587:10): avc: denied { write } for pid=1452
comm="alsactl" name="shm" dev="tmpfs" ino=2984
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588652] type=1400
audit(1345538718.587:11): avc: denied { add_name } for pid=1452
comm="alsactl" name="pulse-shm-1979112542"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 28.881908] type=1400
audit(1345531540.026:21): avc: denied { module_request } for pid=1524
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 21 08:45:49 dell-studio kernel: [ 38.142682] type=1400
audit(1345531549.287:22): avc: denied { setrlimit } for pid=1983
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 21 08:45:49 dell-studio kernel: [ 38.743819] type=1400
audit(1345531549.888:23): avc: denied { getattr } for pid=2013
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5240
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743833] type=1400
audit(1345531549.888:24): avc: denied { search } for pid=2013
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743845] type=1400
audit(1345531549.888:25): avc: denied { write } for pid=2013
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743854] type=1400
audit(1345531549.888:26): avc: denied { add_name } for pid=2013
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743875] type=1400
audit(1345531549.888:27): avc: denied { create } for pid=2013
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:49 dell-studio kernel: [ 38.743939] type=1400
audit(1345531549.888:28): avc: denied { remove_name } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 38.743948] type=1400
audit(1345531549.888:29): avc: denied { rename } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:45:50 dell-studio kernel: [ 39.000295] type=1400
audit(1345531550.145:30): avc: denied { read } for pid=2089
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775964] type=1400
audit(1345531555.920:51): avc: denied { read } for pid=2912 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775974] type=1400
audit(1345531555.920:52): avc: denied { open } for pid=2912 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 08:45:55 dell-studio kernel: [ 44.775991] type=1400
audit(1345531555.920:53): avc: denied { getattr } for pid=2912
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 21 08:45:56 dell-studio kernel: [ 44.975326] type=1400
audit(1345531556.120:54): avc: denied { read write } for pid=2956
comm="ifconfig" path="socket:[5638]" dev="sockfs" ino=5638
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 21 08:45:56 dell-studio kernel: [ 45.229495] type=1400
audit(1345531556.374:55): avc: denied { use } for pid=3088
comm="mount" path="/dev/null" dev="tmpfs" ino=2982
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 21 08:45:56 dell-studio kernel: [ 45.229516] type=1400
audit(1345531556.374:56): avc: denied { read write } for pid=3088
comm="mount" path="socket:[5638]" dev="sockfs" ino=5638
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=unix_dgram_socket
Aug 21 08:46:05 dell-studio kernel: [ 54.833228] type=1400
audit(1345531565.978:57): avc: denied { read } for pid=2013
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 21 08:46:06 dell-studio kernel: [ 54.866726] type=1400
audit(1345531566.011:58): avc: denied { create } for pid=2013
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866889] type=1400
audit(1345531566.011:59): avc: denied { remove_name } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.866898] type=1400
audit(1345531566.011:60): avc: denied { rename } for pid=2013
comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.866907] type=1400
audit(1345531566.011:61): avc: denied { unlink } for pid=2013
comm="console-kit-dae" name="database" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=file
Aug 21 08:46:06 dell-studio kernel: [ 54.939435] type=1400
audit(1345531566.084:62): avc: denied { read } for pid=3111
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3056
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 21 08:46:06 dell-studio kernel: [ 54.939920] type=1400
audit(1345531566.084:63): avc: denied { getattr } for pid=3111
comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.939945] type=1400
audit(1345531566.084:64): avc: denied { setattr } for pid=3111
comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:dri_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940052] type=1400
audit(1345531566.085:65): avc: denied { getattr } for pid=3111
comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:06 dell-studio kernel: [ 54.940067] type=1400
audit(1345531566.085:66): avc: denied { setattr } for pid=3111
comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:sound_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.117720] type=1400
audit(1345531571.262:74): avc: denied { execute } for pid=3184
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117729] type=1400
audit(1345531571.262:75): avc: denied { read open } for pid=3184
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.117750] type=1400
audit(1345531571.262:76): avc: denied { execute_no_trans } for
pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5"
ino=939375 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.184184] type=1400
audit(1345531571.329:77): avc: denied { write } for pid=3184
comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.184195] type=1400
audit(1345531571.329:78): avc: denied { open } for pid=3184
comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223810] type=1400
audit(1345531571.368:79): avc: denied { read } for pid=3188
comm="upowerd" name="sh" dev="sda5" ino=1706629
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=lnk_file
Aug 21 08:46:11 dell-studio kernel: [ 60.223838] type=1400
audit(1345531571.368:80): avc: denied { execute } for pid=3188
comm="upowerd" name="bash" dev="sda5" ino=1700702
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.223848] type=1400
audit(1345531571.368:81): avc: denied { read open } for pid=3188
comm="upowerd" name="bash" dev="sda5" ino=1700702
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:shell_exec_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225529] type=1400
audit(1345531571.370:82): avc: denied { ioctl } for pid=3188
comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5"
ino=815434 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:11 dell-studio kernel: [ 60.225555] type=1400
audit(1345531571.370:83): avc: denied { getattr } for pid=3188
comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5"
ino=815434 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.194471] type=1400
audit(1345531576.339:148): avc: denied { write } for pid=3260
comm="mount" name="/" dev="dm-1" ino=2
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:home_root_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449862] type=1400
audit(1345531576.594:149): avc: denied { search } for pid=3268
comm="laptop-mode" name="vm" dev="proc" ino=5312
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=dir
Aug 21 08:46:16 dell-studio kernel: [ 65.449879] type=1400
audit(1345531576.594:150): avc: denied { write } for pid=3268
comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.450458] type=1400
audit(1345531576.595:151): avc: denied { read } for pid=3269
comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451314] type=1400
audit(1345531576.596:152): avc: denied { open } for pid=3271
comm="cat" name="laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.451327] type=1400
audit(1345531576.596:153): avc: denied { getattr } for pid=3271
comm="cat" path="/proc/sys/vm/laptop_mode" dev="proc" ino=5313
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.460034] type=1400
audit(1345531576.604:154): avc: denied { execute } for pid=3277
comm="readahead" name="blockdev" dev="sda5" ino=416349
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462069] type=1400
audit(1345531576.607:155): avc: denied { read open } for pid=3280
comm="readahead" name="blockdev" dev="sda5" ino=416349
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.462103] type=1400
audit(1345531576.607:156): avc: denied { execute_no_trans } for
pid=3280 comm="readahead" path="/sbin/blockdev" dev="sda5" ino=416349
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:fsadm_exec_t tclass=file
Aug 21 08:46:16 dell-studio kernel: [ 65.494153] type=1400
audit(1345531576.639:157): avc: denied { getattr } for pid=3287
comm="which" path="/sbin/iwconfig" dev="sda5" ino=416869
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:ifconfig_exec_t tclass=file
Aug 21 08:46:24 dell-studio kernel: [ 73.269671] type=1400
audit(1345531584.414:159): avc: denied { search } for pid=1983
comm="dbus-daemon" name="console" dev="tmpfs" ino=6011
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 21 08:46:26 dell-studio kernel: [ 75.002090] type=1400
audit(1345531586.147:160): avc: denied { read } for pid=3238
comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:26 dell-studio kernel: [ 75.002101] type=1400
audit(1345531586.147:161): avc: denied { open } for pid=3238
comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Aug 21 08:46:48 dell-studio kernel: [ 97.234376] type=1400
audit(1345531608.230:162): avc: denied { execstack } for pid=3659
comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 21 08:50:01 dell-studio kernel: [ 290.083336] type=1400
audit(1345531801.079:163): avc: denied { execute } for pid=4630
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083888] type=1400
audit(1345531801.079:164): avc: denied { read open } for pid=4631
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.083965] type=1400
audit(1345531801.079:165): avc: denied { execute_no_trans } for
pid=4631 comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110392] type=1400
audit(1345531801.106:166): avc: denied { ioctl } for pid=4631
comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.110414] type=1400
audit(1345531801.106:167): avc: denied { getattr } for pid=4631
comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 21 08:50:01 dell-studio kernel: [ 290.161144] type=1400
audit(1345531801.157:168): avc: denied { create } for pid=4633
comm="ln" name="lock" scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.168642] type=1400
audit(1345531801.164:169): avc: denied { getattr } for pid=4631
comm="run-crons" path="/var/spool/cron/lastrun/lock" dev="sda7"
ino=12547 scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file
Aug 21 08:50:01 dell-studio kernel: [ 290.170178] type=1400
audit(1345531801.166:170): avc: denied { read } for pid=4634
comm="find" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 21 08:50:01 dell-studio kernel: [ 290.180507] type=1400
audit(1345531801.176:171): avc: denied { getattr } for pid=4634
comm="find" path="/var/spool/cron/lastrun/.keep_sys-process_cronbase-0"
dev="sda7" ino=45164 scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:file_t tclass=file
Aug 21 08:50:09 dell-studio kernel: [ 298.361777] type=1400
audit(1345531809.356:173): avc: denied { unlink } for pid=4704
comm="rm" name="lock" dev="sda7" ino=12547
scontext=system_u:system_r:crond_t
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file

This is my /etc/fstab (I found that the /selinux mountpoint is no longer
needed):

/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/sda5 / ext4 noatime 0 1
/dev/mapper/swap none swap sw 0 0
/dev/sda7 /var jfs
defaults,rootcontext=system_u:object_r:var_t 0 1
/dev/mapper/home /home ext4 noatime 0 1
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0

tmpfs /run tmpfs
mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

Lastly, this is my sestatus -v:

Password:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 26

Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t

File contexts:
Controlling terminal: unconfined_u:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:rc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t ->
system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t ->
system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t ->
system_u:object_r:ld_so_t
Re: Can't get fully functional (kde) desktop with SELinux
On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@gmail.com2 wrote:
> Hello to all the list. I need your help to understand what's wrong here.
> I tried to convert my laptop to a selinux profile (targeted) several
> times following the documentation step by step.

Hi F.P.

First of all, thanks for trying the SELinux stuff out. I'm pretty sure we
can help you further and fix things so that others don't get the same
problems.

> 1) it seems like some part of hardware can't be revealed in enforcing
> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
> statistics, newly atttached usb drives are ingored. Obviously
> selinux-consolekit, selinux-policykit and selinux-dbus are installed.

It is best to look at the AVC denials that come up when you launch
pulseaudio, powerdevil etc. one by one. Providing all possible denials will
make it much more difficult to fine-tune the problems.

What I usually do to debug issues is to do:

~# tail -f /var/log/avc.log

Then perform one activity (1) that doesn't work. For instance, try to play
an MP3/OGG file which fails. Then look at the denials that came up right
when you did that action.

> 3) Logging in root with su or kdesu (in X environment) takes too long:
> if the password I write is ok, it takes even some minute to give me the
> root shell.

Here too looking at the AVC denials that come up right then would be
interesting. However, in this case it is best to also provide the output of
"id -Z" right before you switch root, and right after.

Wkr,
Sven Vermeulen
Re: Can't get fully functional (kde) desktop with SELinux
Hi Sven, nice to meet you again and thank you for your work in SELinux
and for your help.

I did as you suggested, reading the denials step by step. Anyway I didn't
find a way to start pulseaudio separately, but I don't think it's really
pulseaudio related. I believe it's hardware revealing related because
neither pulseaudio, nor kmix, nor systemsettings can see the audio card; they
can only use the "output dummy" card.

Now the step by step denials.
I first removed the xdm initscript from the default runlevel and I
started it manually. After starting xdm these were the denials:

Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
audit(1345617543.503:121): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.237204] type=1400
audit(1345617567.845:122): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239432] type=1400
audit(1345617567.847:123): avc: denied { search } for pid=3086
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:27 dell-studio kernel: [ 187.239574] type=1400
audit(1345617567.847:124): avc: denied { read } for pid=3086
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.781500] type=1400
audit(1345617574.389:125): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
audit(1345617574.393:126): avc: denied { read } for pid=3101
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After logging in through kdm I read:

Aug 22 08:40:04 dell-studio kernel: [ 223.565209] type=1400
audit(1345617604.173:127): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.166311] type=1400
audit(1345617606.774:128): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172123] type=1400
audit(1345617606.780:129): avc: denied { search } for pid=3106
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172508] type=1400
audit(1345617606.780:130): avc: denied { read } for pid=3106
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.411908] type=1400
audit(1345617615.019:131): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:15 dell-studio kernel: [ 234.415286] type=1400
audit(1345617615.023:132): avc: denied { read } for pid=3109
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.639780] type=1400
audit(1345617634.247:133): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645402] type=1400
audit(1345617634.253:134): avc: denied { search } for pid=3111
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:34 dell-studio kernel: [ 253.645790] type=1400
audit(1345617634.253:135): avc: denied { read } for pid=3111
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527065] type=1400
audit(1345617635.135:136): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.527789] type=1400
audit(1345617635.135:137): avc: denied { read } for pid=2010
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 22 08:40:35 dell-studio kernel: [ 254.530276] type=1400
audit(1345617635.138:138): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.535883] type=1400
audit(1345617635.143:139): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:35 dell-studio kernel: [ 254.537701] type=1400
audit(1345617635.145:140): avc: denied { read } for pid=3121
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.550398] type=1400
audit(1345617636.158:141): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:36 dell-studio kernel: [ 255.554058] type=1400
audit(1345617636.162:142): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.566581] type=1400
audit(1345617640.174:143): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:40 dell-studio kernel: [ 259.569518] type=1400
audit(1345617640.177:144): avc: denied { execute } for pid=3194
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.572229] type=1400
audit(1345617640.180:145): avc: denied { execute } for pid=3197
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.574665] type=1400
audit(1345617640.182:146): avc: denied { execute } for pid=3199
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.577151] type=1400
audit(1345617640.185:147): avc: denied { execute } for pid=3201
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.579385] type=1400
audit(1345617640.187:148): avc: denied { execute } for pid=3203
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.581693] type=1400
audit(1345617640.189:149): avc: denied { execute } for pid=3205
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 259.583959] type=1400
audit(1345617640.191:150): avc: denied { execute } for pid=3207
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:40 dell-studio kernel: [ 260.191675] type=1400
audit(1345617640.799:151): avc: denied { execmem } for pid=3214
comm="kwin_opengl_tes" scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Aug 22 08:40:44 dell-studio kernel: [ 263.474683] type=1400
audit(1345617644.082:152): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.731494] type=1400
audit(1345617657.339:162): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:40:57 dell-studio kernel: [ 276.733813] type=1400
audit(1345617657.341:163): avc: denied { execute } for pid=3284
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.736414] type=1400
audit(1345617657.344:164): avc: denied { execute } for pid=3286
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.738821] type=1400
audit(1345617657.346:165): avc: denied { execute } for pid=3288
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.741286] type=1400
audit(1345617657.349:166): avc: denied { execute } for pid=3290
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.743700] type=1400
audit(1345617657.351:167): avc: denied { execute } for pid=3292
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:57 dell-studio kernel: [ 276.745985] type=1400
audit(1345617657.353:168): avc: denied { execute } for pid=3294
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.491022] type=1400
audit(1345617658.099:169): avc: denied { execute } for pid=3309
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.493490] type=1400
audit(1345617658.101:170): avc: denied { execute } for pid=3311
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:40:58 dell-studio kernel: [ 277.495741] type=1400
audit(1345617658.103:171): avc: denied { execute } for pid=3313
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.169479] type=1400
audit(1345617663.776:178): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:03 dell-studio kernel: [ 283.171841] type=1400
audit(1345617663.778:179): avc: denied { execute } for pid=3343
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.174291] type=1400
audit(1345617663.781:180): avc: denied { execute } for pid=3345
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.176853] type=1400
audit(1345617663.783:181): avc: denied { execute } for pid=3347
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:03 dell-studio kernel: [ 283.179307] type=1400
audit(1345617663.786:182): avc: denied { execute } for pid=3349
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:04 dell-studio kernel: [ 283.549112] type=1400
audit(1345617664.156:183): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:04 dell-studio kernel: [ 283.880610] type=1400
audit(1345617664.487:184): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:41:06 dell-studio kernel: [ 285.409187] type=1400
audit(1345617666.016:185): avc: denied { execute } for pid=3391
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.412221] type=1400
audit(1345617666.019:186): avc: denied { execute } for pid=3393
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:06 dell-studio kernel: [ 285.415310] type=1400
audit(1345617666.022:187): avc: denied { execute } for pid=3396
comm="dbus-daemon-lau" name="udisks-daemon" dev="sda5" ino=939378
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:41:08 dell-studio kernel: [ 288.179455] type=1400
audit(1345617668.786:219): avc: denied { execute } for pid=3516
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:41:37 dell-studio kernel: [ 317.293037] type=1400
audit(1345617697.900:220): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296511] type=1400
audit(1345617697.904:221): avc: denied { search } for pid=3666
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296674] type=1400
audit(1345617697.904:222): avc: denied { read } for pid=3666
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:41:37 dell-studio kernel: [ 317.296710] type=1400
audit(1345617697.904:223): avc: denied { read } for pid=3666
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

Then I tried to start powerdevil in kde systemsettings and these were
the denials:

Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
audit(1345618034.143:239): avc: denied { execute } for pid=5378
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.538755] type=1400
audit(1345618034.146:240): avc: denied { execute } for pid=5380
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.542123] type=1400
audit(1345618034.150:241): avc: denied { execute } for pid=5382
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.545562] type=1400
audit(1345618034.153:242): avc: denied { execute } for pid=5385
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.550155] type=1400
audit(1345618034.158:243): avc: denied { execute } for pid=5387
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.553430] type=1400
audit(1345618034.161:244): avc: denied { execute } for pid=5389
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:14 dell-studio kernel: [ 653.680410] type=1400
audit(1345618034.288:245): avc: denied { search } for pid=1980
comm="dbus-daemon" name="console" dev="tmpfs" ino=6314
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 22 08:47:14 dell-studio kernel: [ 653.683357] type=1400
audit(1345618034.291:246): avc: denied { execute } for pid=5393
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.718026] type=1400
audit(1345618036.325:247): avc: denied { execute } for pid=5407
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file
Aug 22 08:47:16 dell-studio kernel: [ 655.724292] type=1400
audit(1345618036.332:248): avc: denied { execute } for pid=5409
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:bin_t tclass=file


About the su question, before and after logging in su the context is
unconfined_u:unconfined_r:unconfined_t, while the denials are:

Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
audit(1345617833.396:228): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:53 dell-studio kernel: [ 452.789325] type=1400
audit(1345617833.396:229): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:55 dell-studio kernel: [ 454.789483] type=1400
audit(1345617835.396:230): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:57 dell-studio kernel: [ 456.789663] type=1400
audit(1345617837.397:231): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:43:59 dell-studio kernel: [ 458.789842] type=1400
audit(1345617839.397:232): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:01 dell-studio kernel: [ 460.790069] type=1400
audit(1345617841.398:233): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:03 dell-studio kernel: [ 462.790251] type=1400
audit(1345617843.398:234): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:05 dell-studio kernel: [ 464.790430] type=1400
audit(1345617845.398:235): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:07 dell-studio kernel: [ 466.790614] type=1400
audit(1345617847.398:236): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:09 dell-studio kernel: [ 468.790797] type=1400
audit(1345617849.398:237): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 22 08:44:11 dell-studio kernel: [ 470.791079] type=1400
audit(1345617851.399:238): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir

Of course, as I wrote in the past email, the sda5 that the denials are
complaining about is my / (ext4) partition.

Thank you again.


On 21/08/2012 20:03, Sven Vermeulen wrote:
> On Tue, Aug 21, 2012 at 09:14:39AM +0200, f.p.barile@gmail.com2 wrote:
>> Hello to all the list. I need your help to understand what's wrong here.
>> I tried to convert my laptop to a selinux profile (targeted) several
>> times following the documentation step by step.
> Hi F.P.
>
> First of all, thanks for trying the SELinux stuff out. I'm pretty sure we
> can help you further and fix things so that others don't get the same
> problems.
>
>> 1) it seems like some part of hardware can't be revealed in enforcing
>> mode: Pulseaudio can't see the soundcard, powerdevil can't see power
>> statistics, newly attached usb drives are ignored. Obviously
>> selinux-consolekit, selinux-policykit and selinux-dbus are installed.
> It is best to look at the AVC denials that come up when you launch
> pulseaudio, powerdevil etc. one by one. Providing all possible denials will
> make it much more difficult to fine-tune the problems.
>
> What I usually do to debug issues is to do:
>
> ~# tail -f /var/log/avc.log
>
> Then perform one activity (1) that doesn't work. For instance, try to play
> an MP3/OGG file which fails. Then look at the denials that came up right
> when you did that action.
>
>> 3) Logging in root with su or kdesu (in X environment) takes too long:
>> if the password I write is ok, it takes even some minute to give me the
>> root shell.
> Here too looking at the AVC denials that come up right then would be
> interesting. However, in this case it is best to also provide the output of
> "id -Z" right before you switch root, and right after.
>
> Wkr,
> Sven Vermeulen
>
Re: Can't get fully functional (kde) desktop with SELinux

On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
> Hi Sven, nice to meet you again and thank you for your work in
> SELinux and for your help.
>
> I did as you suggested reading the denials step by step. Anyway I
> didn't find a way to start pulseaudio separately, but I don't think
> it's really pulseaudio related. I believe it's hardware revealing
> related because neither pulseaudio, nor kmix, nor systemsettings can see
> the audio card, they can only use the "output dummy" card.
>
> Now the step by step denials. I firstly removed the xdm initscript
> from the default runlevel and I started it manually. After starting
> xdm these were the denials:
>
<SNIP>
>>
>
>

Hi,

you could try to kill pulseaudio (open a Konsole and use pulseaudio
-k) and restart it afterwards via pulseaudio.
It may change some AVCs, though, because I'm not sure from which
user/role/type pulseaudio is started by default.

WKR
Hinnerk
Re: Can't get fully functional (kde) desktop with SELinux
Thank you for your help, but I already tried "pulseaudio -k" and
"pulseaudio --kill", but it didn't stop pulseaudio because ps still
showed it. Moreover when restarting pulseaudio with "pulseaudio -vv" I
read "E: [pulseaudio] pid.c: Daemon already running.".


On 22/08/2012 09:34, Hinnerk van Bruinehsen wrote:
> On 22.08.2012 09:12, f.p.barile@gmail.com2 wrote:
> > Hi Sven, nice to meet you again and thank you for your work in
> > SELinux and for your help.
>
> > I did as you suggested reading the denials step by step. Anyway I
> > didn't find a way to start pulseaudio separately, but I don't think
> > it's really pulseaudio related. I believe it's hardware revealing
> > related because neither pulseaudio, nor kmix, nor systemsettings can see
> > the audio card, they can only use the "output dummy" card.
>
> > Now the step by step denials. I firstly removed the xdm initscript
> > from the default runlevel and I started it manually. After starting
> > xdm these were the denials:
>
> <SNIP>
> >>
>
>
>
> Hi,
>
> you could try to kill pulseaudio (open a Konsole and use pulseaudio
> -k) and restart it afterwards via pulseaudio.
> It may change some AVCs, though, because I'm not sure from which
> user/role/type pulseaudio is started by default.
>
> WKR
> Hinnerk
>
Re: Can't get fully functional (kde) desktop with SELinux
On Wed, Aug 22, 2012 at 09:12:52AM +0200, f.p.barile@gmail.com2 wrote:
> Now the step by step denials.
> I firstly removed the xdm initscript from the default runlevel and I
> started it manually. After starting xdm these were the denials:
>
> Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
> audit(1345617543.503:121): avc: denied { getattr } for pid=2010
> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:initrc_var_run_t tclass=dir

This first one is an interesting one to immediately look at. It seems that
the console-kit-dae(mon?) uses /run/ConsoleKit, and I guess (from the
initrc_var_run_t domain) that its init script creates it, not?

If that's indeed the case, I'll need to update the policy to reflect this,
allowing initrc_t to create /run/ConsoleKit but with a good file transition
(in this case, to consolekit_var_run_t).

Skipping a few other denials related to this, and then we get:

> Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
> audit(1345617574.393:126): avc: denied { read } for pid=3101
> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:udev_var_run_t tclass=dir

I don't know consolekit, but I assume there is some udev rule somewhere that
creates a file for consolekit?

The consolekit_t domain has the rights to read udev_tbl_t stuff (which I
find a stupid name for a domain). Where is this udev-acl.ck file located?
You can find it through its inode number (ino=1427) if you haven't rebooted
yet (since it is on a tmpfs within a *_var_run_t so very likely to be within
/run/udev somewhere).

Usually, I ignore the remainder of denials (especially if it is in
permissive mode) until I fixed the first ones, because those can be a
trigger for other behavior (and I don't want to update the policy for things
that aren't needed).

> Then I tried to start powerdevil in kde systemsettings and these were
> the denials:
>
> Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
> audit(1345618034.143:239): avc: denied { execute } for pid=5378
> comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:bin_t tclass=file

I had (still have actually) a bug open for udisks which is launched by dbus.
From what I can tell, everything dbus launches should be in its own domain
(otherwise it'll run in the permissions of system_dbusd_t, which we want to
keep as limited as they are).

So most of the remainder of the denials I'll have to ignore until we can get
a policy for it.

It looks like the devicekit policy is a match for it, but I haven't created
an ebuild for it yet. I'll do so soon (with the rev4 release) so you can
test this out.

> About the su question, before and after logging in su the context is
> unconfined_u:unconfined_r:unconfined_t, while the denials are:
>
> Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
> audit(1345617833.396:228): avc: denied { search } for pid=4358
> comm="xauth" name="root" dev="sda5" ino=1308163
> scontext=unconfined_u:unconfined_r:xauth_t
> tcontext=system_u:object_r:default_t tclass=dir

That's not good. default_t means that there is a directory not labeled
properly (most likely root's home directory). Run "rlpkg -a -r" to relabel
the entire system and see if that removes any traces of default_t (you
should never encounter default_t iirc).

Wkr,
Sven Vermeulen
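A small triage helper for denial dumps like the ones in this thread, written here as an added example (it is not code from the thread or from the Gentoo SELinux project): it rejoins the kernel records the mail client wrapped, collapses repeats by source type, target type, class and permission so the first distinct denials stand out, flags default_t targets as labeling problems rather than policy gaps, and builds the find-by-inode command suggested above. The guess that a tmpfs target labeled *_var_run_t lives under /run is an assumption.

```python
"""Triage helper for SELinux AVC denials like those posted in this thread.
Added example, not code from the thread or the Gentoo SELinux project."""
import re
from collections import OrderedDict

# One kernel audit record (type=1400) once it is back on a single line.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A record starts with a syslog timestamp such as "Aug 22 08:40:04".
STAMP_RE = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

def unwrap(text):
    """Rejoin the physical lines a mail client wrapped: one record per timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP_RE.match(line):
            records.append(line)
        elif records:  # continuation of the previous record
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return the denial's fields as a dict, or None for non-AVC records."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    return fields

def type_of(context):
    """system_u:system_r:consolekit_t -> consolekit_t (MLS part, if any, ignored)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def triage(text):
    """Group denials by (source type, target type, class, permissions) in
    first-seen order, keeping a count and the first record of each group."""
    groups = OrderedDict()
    for record in unwrap(text):
        f = parse_avc(record)
        if f is None or "scontext" not in f or "tcontext" not in f:
            continue
        key = (type_of(f["scontext"]), type_of(f["tcontext"]),
               f.get("tclass", "?"), f["perms"])
        groups.setdefault(key, {"count": 0, "first": f})["count"] += 1
    return groups

def labeling_problems(groups):
    """default_t targets mean a path that no file_contexts entry covers (the
    thread's /root case): that needs a relabel, not a policy change."""
    return [key for key in groups if key[1] == "default_t"]

def locate_hint(fields):
    """The find-by-inode command suggested in the thread. Assumption: a tmpfs
    target labeled *_var_run_t lives under /run; anything else under /."""
    if "ino" not in fields:
        return None
    on_run = fields.get("dev") == "tmpfs" and fields["tcontext"].endswith("_var_run_t")
    return "find %s -xdev -inum %s" % ("/run" if on_run else "/", fields["ino"])

# Records taken from the denials posted in this thread, wrapped as the mail
# client wrapped them.
SAMPLE = """\
Aug 22 08:40:04 dell-studio kernel: [ 223.565209] type=1400
audit(1345617604.173:127): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.166311] type=1400
audit(1345617606.774:128): avc: denied { getattr } for pid=2010
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 22 08:40:06 dell-studio kernel: [ 226.172508] type=1400
audit(1345617606.780:130): avc: denied { read } for pid=3106
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
audit(1345617833.396:228): avc: denied { search } for pid=4358
comm="xauth" name="root" dev="sda5" ino=1308163
scontext=unconfined_u:unconfined_r:xauth_t
tcontext=system_u:object_r:default_t tclass=dir
"""

if __name__ == "__main__":
    groups = triage(SAMPLE)
    for (src, tgt, cls, perms), entry in groups.items():
        print("%2dx %s -> %s %s { %s }" % (entry["count"], src, tgt, cls, " ".join(perms)))
        print("    locate: %s" % locate_hint(entry["first"]))
    for src, _tgt, _cls, _perms in labeling_problems(groups):
        print("LABELING: %s hit default_t, relabel the filesystem first" % src)
```

Feed it the output of `tail /var/log/avc.log` captured around a single action, as the thread recommends, and fix the first group before looking at the rest.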
Re: Can't get fully functional (kde) desktop with SELinux
On 22/08/2012 20:43, Sven Vermeulen wrote:
> On Wed, Aug 22, 2012 at 09:12:52AM +0200, f.p.barile@gmail.com2 wrote:
>> Now the step by step denials.
>> I firstly removed the xdm initscript from the default runlevel and I
>> started it manually. After starting xdm these were the denials:
>>
>> Aug 22 08:39:03 dell-studio kernel: [ 162.895575] type=1400
>> audit(1345617543.503:121): avc: denied { getattr } for pid=2010
>> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=4632
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:initrc_var_run_t tclass=dir
> This first one is an interesting one to immediately look at. It seems that
> the console-kit-dae(mon?) uses /run/ConsoleKit, and I guess (from the
> initrc_var_run_t domain) that its init script creates it, not?
In /etc/init.d/consolekit I read "checkpath -q -d -m 0755
/var/run/ConsoleKit" and being /var/run symlinked to /run, it seems
you're right.
>
> If that's indeed the case, I'll need to update the policy to reflect this,
> allowing initrc_t to create /run/ConsoleKit but with a good file transition
> (in this case, to consolekit_var_run_t).
Excuse me for the stupid question... In that case, will consolekit_t
have rights over consolekit_var_run_t? Will it be in rev4?
>
> Skipping a few other denials related to this, and then we get:
>
>> Aug 22 08:39:34 dell-studio kernel: [ 193.785181] type=1400
>> audit(1345617574.393:126): avc: denied { read } for pid=3101
>> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=1427
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:udev_var_run_t tclass=dir
> I don't know consolekit, but I assume there is some udev rule somewhere that
> creates a file for consolekit?
>
> The consolekit_t domain has the rights to read udev_tbl_t stuff (which I
> find a stupid name for a domain). Where is this udev-acl.ck file located?
> You can find it through its inode number (ino=1427) if you haven't rebooted
> yet (since it is on a tmpfs within a *_var_run_t so very likely to be within
> /run/udev somewhere).
Searching from inode I located a folder (/run/udev/tags/udev-acl)
containing files called bXXX:X or cXXX:X, but there is no trace of any
udev-acl.ck file.

>
> Usually, I ignore the remainder of denials (especially if it is in
> permissive mode) until I fixed the first ones, because those can be a
> trigger for other behavior (and I don't want to update the policy for things
> that aren't needed).
I completely agree with you.
>
>> Then I tried to start powerdevil in kde systemsettings and these were
>> the denials:
>>
>> Aug 22 08:47:14 dell-studio kernel: [ 653.535413] type=1400
>> audit(1345618034.143:239): avc: denied { execute } for pid=5378
>> comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375
>> scontext=system_u:system_r:system_dbusd_t
>> tcontext=system_u:object_r:bin_t tclass=file
> I had (still have actually) a bug open for udisks which is launched by dbus.
> From what I can tell, everything dbus launches should be in its own domain
> (otherwise it'll run in the permissions of system_dbusd_t, which we want to
> keep as limited as they are).
>
> So most of the remainder of the denials I'll have to ignore until we can get
> a policy for it.
>
> It looks like the devicekit policy is a match for it, but I haven't created
> an ebuild for it yet. I'll do so soon (with the rev4 release) so you can
> test this out.
>
>> About the su question, before and after logging in su the context is
>> unconfined_u:unconfined_r:unconfined_t, while the denials are:
>>
>> Aug 22 08:43:53 dell-studio kernel: [ 452.789311] type=1400
>> audit(1345617833.396:228): avc: denied { search } for pid=4358
>> comm="xauth" name="root" dev="sda5" ino=1308163
>> scontext=unconfined_u:unconfined_r:xauth_t
>> tcontext=system_u:object_r:default_t tclass=dir
> That's not good. default_t means that there is a directory not labeled
> properly (most likely root's home directory). Run "rlpkg -a -r" to relabel
> the entire system and see if that removes any traces of default_t (you
> should never encounter default_t iirc).
I tried rlpkg but /root still remains in system_u:object_r:default_t
context. Moreover in /etc/selinux/targeted/contexts/files/file_contexts
the only thing related to that folder is
"/root/\.default_contexts --
system_u:object_r:default_context_t".
>
> Wkr,
> Sven Vermeulen
>
Thank you again, Sven. Paolo.
Re: Can't get fully functional (kde) desktop with SELinux
Hi Sven, thank you for rev4, but it didn't conclusively solve my
problems. Some denials have gone, but many of them remain.

So let's see again all the step-by-step denials; I'll avoid redundancies.

As I boot (without starting xdm) I obtain:

Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
audit(1345917944.027:3): avc: denied { search } for pid=1433
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
audit(1345917944.706:7): avc: denied { read } for pid=1431
comm="alsactl" name="urandom" dev="tmpfs" ino=3356
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
audit(1345917944.706:9): avc: denied { read } for pid=1431
comm="alsactl" name="random" dev="tmpfs" ino=1642
scontext=system_u:system_r:alsa_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
audit(1345917944.706:11): avc: denied { getattr } for pid=1431
comm="alsactl" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
audit(1345910753.814:32): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
audit(1345910753.814:33): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
audit(1345910753.814:34): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
audit(1345910753.814:35): avc: denied { module_request } for pid=1517
comm="cryptsetup" kmod="cbc(aes-asm)-all"
scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
tclass=system
Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
audit(1345910753.820:36): avc: denied { getattr } for pid=1517
comm="cryptsetup" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
audit(1345910754.022:38): avc: denied { read } for pid=1538
comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:udev_var_run_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400
audit(1345910764.585:45): avc: denied { setrlimit } for pid=1968
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 25 18:06:05 dell-studio kernel: [ 28.235761] type=1400
audit(1345910765.120:46): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.417954] type=1400
audit(1345910765.302:47): avc: denied { read } for pid=2074
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
audit(1345910765.516:48): avc: denied { execute } for pid=2089
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.633786] type=1400
audit(1345910765.517:49): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633811] type=1400
audit(1345910765.517:50): avc: denied { getattr } for pid=1998
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.633842] type=1400
audit(1345910765.517:51): avc: denied { search } for pid=1998
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
audit(1345910766.052:52): avc: denied { write } for pid=2222
comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
audit(1345910766.052:53): avc: denied { write } for pid=2222
comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lock_t tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.586645] type=1400
audit(1345910770.470:87): avc: denied { read } for pid=2851 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.613072] type=1400
audit(1345910770.497:88): avc: denied { read } for pid=2851
comm="wpa_cli.sh" name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 25 18:06:10 dell-studio kernel: [ 33.893591] type=1400
audit(1345910770.777:89): avc: denied { use } for pid=3024
comm="mount" path="/dev/null" dev="tmpfs" ino=1278
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 25 18:06:10 dell-studio kernel: [ 33.893637] type=1400
audit(1345910770.777:92): avc: denied { use } for pid=3024
comm="mount" path="socket:[5617]" dev="sockfs" ino=5617
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 25 18:06:59 dell-studio kernel: [ 83.022406] type=1400
audit(1345910819.922:97): avc: denied { search } for pid=3031
comm="login" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:default_t tclass=dir
Aug 25 18:06:59 dell-studio kernel: [ 83.068589] type=1400
audit(1345910819.969:100): avc: denied { read } for pid=1998
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 25 18:07:00 dell-studio kernel: [ 83.165783] type=1400
audit(1345910820.065:103): avc: denied { read } for pid=3046
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3175
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting kdm (with xdm initscript):
Aug 25 18:08:47 dell-studio kernel: [ 190.122045] type=1400
audit(1345910927.023:107): avc: denied { read } for pid=3054
comm="rc" name="profile.env" dev="sda5" ino=663502
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 25 18:08:55 dell-studio kernel: [ 199.069675] type=1400
audit(1345910935.970:109): avc: denied { search } for pid=3099
comm="udev-acl.ck" name="ConsoleKit" dev="tmpfs" ino=5251
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir

After logging in, apart from all those mentioned above that repeat
themselves, I get a lot of:
Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
audit(1345911025.905:163): avc: denied { search } for pid=1968
comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

I hope I wrote everything.
Paolo.
Re: Can't get fully functional (kde) desktop with SELinux
On Sat, Aug 25, 2012 at 07:00:09PM +0200, Paolo Barile wrote:
> Hi Sven, thank you for rev4, but it didn't conclusively solve my
> problems. Some denials have gone, but many of them remain.
>
> So let's see again all the denials step by step; I'll avoid redundancies.
>
> As I boot (without starting xdm) I obtain:
>
> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
> audit(1345917944.027:3): avc: denied { search } for pid=1433
> comm="alsactl" name="root" dev="sda5" ino=1308163
> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
> tclass=dir

This says /root is default_t again. Mine says:

~ # matchpathcon /root
/root root:object_r:user_home_dir_t

~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
/etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t

It is because /root is marked as a home directory of a user that a whole set
of contexts is generated for it. Perhaps for a targeted system this is
different, but I don't think so.

Whenever you hit a denial with file_t or default_t in it, it means there is
something awry with the contexts on the system.

You might be able to fix it by running genhomedircon (without options). It
should regenerate the file context as mentioned in my grep result above.

> Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
> audit(1345917944.706:7): avc: denied { read } for pid=1431
> comm="alsactl" name="urandom" dev="tmpfs" ino=3356
> scontext=system_u:system_r:alsa_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file

Did you enable global_ssp (or are you not running a hardened system, just
SELinux)? By enabling the global_ssp boolean, all domains get access to the
urandom_device_t chr_file:

~ # sesearch -s alsa_t -t urandom_device_t -A -C
Found 2 semantic av rules:
DT allow nsswitch_domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ authlogin_nsswitch_use_ldap ]
ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]

> Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
> audit(1345917944.706:9): avc: denied { read } for pid=1431
> comm="alsactl" name="random" dev="tmpfs" ino=1642
> scontext=system_u:system_r:alsa_t
> tcontext=system_u:object_r:random_device_t tclass=chr_file

This one is new for me. If it is prohibiting alsa to work, we'll need to
allow this, but I think you're booting in permissive mode, so we can't know
for sure if the denial is cosmetic or not.

> Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
> audit(1345917944.706:11): avc: denied { getattr } for pid=1431
> comm="alsactl" name="/" dev="tmpfs" ino=2970
> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem

Which file system is it trying to get attributes from here?

> Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
> audit(1345910753.814:32): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
> tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
> audit(1345910753.814:33): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
> tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
> audit(1345910753.814:34): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
> tcontext=system_u:system_r:kernel_t tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
> audit(1345910753.814:35): avc: denied { module_request } for pid=1517
> comm="cryptsetup" kmod="cbc(aes-asm)-all"
> scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
> tclass=system
> Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
> audit(1345910753.820:36): avc: denied { getattr } for pid=1517
> comm="cryptsetup" name="/" dev="tmpfs" ino=2970
> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
> tclass=filesystem
> Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
> audit(1345910754.022:38): avc: denied { read } for pid=1538
> comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
> scontext=system_u:system_r:lvm_t
> tcontext=system_u:object_r:udev_var_run_t tclass=file
> Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400

The cryptsetup stuff might need some more updates, I only use cryptsetup for
a small encrypted partition (and not a system partition) and I have most of
the stuff in-kernel anyway, so no module requests here...

We'll need to look at this when you boot in enforcing mode, since I need the
error message(s) as well in order to update the policy.

Same is true for most of the remaining denials btw. Some of them definitely
need to be looked at in advance, like the next set, but most of them will
need to be reproduced with enforcing mode...

> audit(1345910765.120:46): avc: denied { getattr } for pid=1998
> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:initrc_var_run_t tclass=dir

Need to add in this run directory, haven't done that yet.

> Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
> audit(1345910765.516:48): avc: denied { execute } for pid=2089
> comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:policykit_exec_t tclass=file

Probably needs to be made a dbus domain.

> Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
> audit(1345910766.052:52): avc: denied { write } for pid=2222
> comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
> scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:object_r:var_lock_t tclass=file
> Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
> audit(1345910766.052:53): avc: denied { write } for pid=2222
> comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
> scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:object_r:var_lock_t tclass=file

Probably legit, but I'm not sure if I need to create an ifconfig_lock_t type
for this, or just grant in var_lock_t access. Probably the former.

> After logging in, apart all the same mentioned above that repeat
> themselves, I get a lot of:
> Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
> audit(1345911025.905:163): avc: denied { search } for pid=1968
> comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
> scontext=system_u:system_r:system_dbusd_t
> tcontext=system_u:object_r:consolekit_var_run_t tclass=dir

What does the console dir contain? It's probably in /var/run/ConsoleKit
(although from your earlier denials I get the impression /var/run/ConsoleKit
is not correctly labeled, whereas in this denial it is - did you relabel the
system or some parts of it in between?).

I recommend to first work on the default_t and file_t stuff. That shouldn't
be broken. Then in the denials, look at any denials for "execute", they
almost always need to be fixed (whereas getattr/read's can often be ignored,
especially in the beginning).

Then, when booted and logged in, clear the denial log and switch to
enforcing mode and see what stuff breaks. Then look in the denial log for
the denials, and give the error messages for the broken applications.

When we fixed that, we should then look at the cryptsetup stuff, since you
need that in order to boot successfully I guess. Only then can we try to boot
in enforcing mode (once, until it boots fully).

Wkr,
Sven Vermeulen
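Sven's triage order above (relabel anything whose target is default_t or file_t first, fix "execute" denials next, defer getattr/read) applied to AVC records as they appear in this thread, as an added example that is not code from the thread or from the Gentoo SELinux project. The sample records are constructed from the ones Paolo posted, wrapped the way the mail client wrapped them, and the allow-rule output is a hand-rolled approximation of what audit2allow prints, not audit2allow itself.

```python
"""Triage mail-wrapped SELinux AVC denials in the order Sven recommends.
Added example; the log excerpt is constructed from records in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: four records from the thread, each wrapped over lines.
SAMPLE_LOG = """\
Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
audit(1345917944.027:3): avc: denied { search } for pid=1433
comm="alsactl" name="root" dev="sda5" ino=1308163
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
tclass=dir
Aug 25 18:06:05 dell-studio kernel: [ 28.417954] type=1400
audit(1345910765.302:47): avc: denied { read } for pid=2074
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
audit(1345910765.516:48): avc: denied { execute } for pid=2089
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
audit(1345917944.706:11): avc: denied { getattr } for pid=1431
comm="alsactl" name="/" dev="tmpfs" ino=2970
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
"""

# A new record starts with the syslog timestamp and host name; the
# continuation lines produced by mail wrapping do not.
RECORD_START = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ kernel: ")
AVC_RE = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')

# Sven's heuristics: default_t/file_t mean the file system is mislabeled
# (fix by relabeling, not by policy); execute denials almost always need a
# policy fix; getattr/read can usually wait.
MISLABELED = {"default_t", "file_t"}
DEFERRABLE = {"getattr", "read"}

def unwrap_records(text):
    """Re-join AVC records that a mail client wrapped over several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Extract permissions, source/target type and class from one record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    comm = COMM_RE.search(record)
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],   # user:role:TYPE
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else "?",
    }

def triage(denial):
    """Bucket one denial as relabel, execute, defer or review."""
    if denial["ttype"] in MISLABELED:
        return "relabel"
    if denial["perms"] & {"execute", "execute_no_trans"}:
        return "execute"
    if denial["perms"] <= DEFERRABLE:
        return "defer"
    return "review"

def triage_log(text):
    """Parse a mail-wrapped log and group its denials by triage bucket."""
    buckets = defaultdict(list)
    for record in unwrap_records(text):
        denial = parse_avc(record)
        if denial:
            buckets[triage(denial)].append(denial)
    return buckets

def allow_rules(denials):
    """Merge denials into audit2allow-style rules per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {text};")
    return rules
```

Running `allow_rules(triage_log(SAMPLE_LOG)["execute"])` yields the same single line Paolo later got from audit2allow for the polkitd case; the relabel bucket is the one to fix with restorecon or rlpkg before any policy is written.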
Re: Can't get fully functional (kde) desktop with SELinux
Hello Sven, first of all, all the denials I wrote here are from
enforcing mode.

On 25/08/2012 19:24, Sven Vermeulen wrote:
> On Sat, Aug 25, 2012 at 07:00:09PM +0200, Paolo Barile wrote:
>> Hi Sven, thank you for rev4, but it didn't conclusively solve my
>> problems. Some denials have gone, but many of them remain.
>>
>> So let's see again all the denials step by step; I'll avoid redundancies.
>>
>> As I boot (without starting xdm) I obtain:
>>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
>> audit(1345917944.027:3): avc: denied { search } for pid=1433
>> comm="alsactl" name="root" dev="sda5" ino=1308163
>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
>> tclass=dir
> This says /root is default_t again. Mine says:
>
> ~ # matchpathcon /root
> /root root:object_r:user_home_dir_t
>
> ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
> /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t

The same gives me nothing.

>
> It is because /root is marked as a home directory of a user that a whole set
> of contexts is generated for it. Perhaps for a targeted system this is
> different, but I don't think so.
>
> Whenever you hit a denial with file_t or default_t in it, it means there is
> something awry with the contexts on the system.
>
> You might be able to fix it by running genhomedircon (without options). It
> should regenerate the file context as mentioned in my grep result above.
genhomedircon doesn't change anything.

>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.707035] type=1400
>> audit(1345917944.706:7): avc: denied { read } for pid=1431
>> comm="alsactl" name="urandom" dev="tmpfs" ino=3356
>> scontext=system_u:system_r:alsa_t
>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> Did you enable global_ssp (or are you not running a hardened system, just
> SELinux)? By enabling the global_ssp boolean, all domains get access to the
> urandom_device_t chr_file:
>
> ~ # sesearch -s alsa_t -t urandom_device_t -A -C
> Found 2 semantic av rules:
> DT allow nsswitch_domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ authlogin_nsswitch_use_ldap ]
> ET allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]
No, it isn't. I did not enable it because I'm still not in hardened
because I'd want to let selinux completely work before the conversion.

>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.707053] type=1400
>> audit(1345917944.706:9): avc: denied { read } for pid=1431
>> comm="alsactl" name="random" dev="tmpfs" ino=1642
>> scontext=system_u:system_r:alsa_t
>> tcontext=system_u:object_r:random_device_t tclass=chr_file
> This one is new for me. If it is prohibiting alsa to work, we'll need to
> allow this, but I think you're booting in permissive mode, so we can't know
> for sure if the denial is cosmetic or not.
As I wrote, everything is already in enforcing mode.
>
>> Aug 25 18:06:05 dell-studio kernel: [ 8.707089] type=1400
>> audit(1345917944.706:11): avc: denied { getattr } for pid=1431
>> comm="alsactl" name="/" dev="tmpfs" ino=2970
>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
>> tclass=filesystem
> Which file system is it trying to get attributes from here?
>
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930444] type=1400
>> audit(1345910753.814:32): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
>> tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930452] type=1400
>> audit(1345910753.814:33): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes)-all" scontext=system_u:system_r:lvm_t
>> tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930505] type=1400
>> audit(1345910753.814:34): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes-asm)" scontext=system_u:system_r:lvm_t
>> tcontext=system_u:system_r:kernel_t tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.930512] type=1400
>> audit(1345910753.814:35): avc: denied { module_request } for pid=1517
>> comm="cryptsetup" kmod="cbc(aes-asm)-all"
>> scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t
>> tclass=system
>> Aug 25 18:06:05 dell-studio kernel: [ 16.936081] type=1400
>> audit(1345910753.820:36): avc: denied { getattr } for pid=1517
>> comm="cryptsetup" name="/" dev="tmpfs" ino=2970
>> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
>> tclass=filesystem
>> Aug 25 18:06:05 dell-studio kernel: [ 17.138342] type=1400
>> audit(1345910754.022:38): avc: denied { read } for pid=1538
>> comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=4265
>> scontext=system_u:system_r:lvm_t
>> tcontext=system_u:object_r:udev_var_run_t tclass=file
>> Aug 25 18:06:05 dell-studio kernel: [ 27.701565] type=1400
> The cryptsetup stuff might need some more updates, I only use cryptsetup for
> a small encrypted partition (and not a system partition) and I have most of
> the stuff in-kernel anyway, so no module requests here...
>
> We'll need to look at this when you boot in enforcing mode, since I need the
> error message(s) as well in order to update the policy.
>
> Same is true for most of the remaining denials btw. Some of them definitely
> need to be looked at in advance, like the next set, but most of them will
> need to be reproduced with enforcing mode...
>
>> audit(1345910765.120:46): avc: denied { getattr } for pid=1998
>> comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5251
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:initrc_var_run_t tclass=dir
> Need to add in this run directory, haven't done that yet.
>
>> Aug 25 18:06:05 dell-studio kernel: [ 28.632129] type=1400
>> audit(1345910765.516:48): avc: denied { execute } for pid=2089
>> comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
>> scontext=system_u:system_r:system_dbusd_t
>> tcontext=system_u:object_r:policykit_exec_t tclass=file
> Probably needs to be made a dbus domain.
>
>> Aug 25 18:06:06 dell-studio kernel: [ 29.168487] type=1400
>> audit(1345910766.052:52): avc: denied { write } for pid=2222
>> comm="mii-tool" path="/run/lock/lmt-req.lock" dev="tmpfs" ino=5314
>> scontext=system_u:system_r:ifconfig_t
>> tcontext=system_u:object_r:var_lock_t tclass=file
>> Aug 25 18:06:06 dell-studio kernel: [ 29.168499] type=1400
>> audit(1345910766.052:53): avc: denied { write } for pid=2222
>> comm="mii-tool" path="/run/lock/lmt-invoc.lock" dev="tmpfs" ino=4776
>> scontext=system_u:system_r:ifconfig_t
>> tcontext=system_u:object_r:var_lock_t tclass=file
> Probably legit, but I'm not sure if I need to create an ifconfig_lock_t type
> for this, or just grant in var_lock_t access. Probably the former.
>
>> After logging in, apart all the same mentioned above that repeat
>> themselves, I get a lot of:
>> Aug 25 18:10:25 dell-studio kernel: [ 289.004361] type=1400
>> audit(1345911025.905:163): avc: denied { search } for pid=1968
>> comm="dbus-daemon" name="console" dev="tmpfs" ino=5945
>> scontext=system_u:system_r:system_dbusd_t
>> tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
> What does the console dir contain? It's probably in /var/run/ConsoleKit
> (although from your earlier denials I get the impression /var/run/ConsoleKit
> is not correctly labeled, whereas in this denial it is - did you relabel the
> system or some parts of it in between?).

The console dir is outside ConsoleKit:

drwxr-xr-x. 2 root root system_u:object_r:initrc_var_run_t 80
26 ago 11.32 ConsoleKit
drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 60
26 ago 11.32 console

It contains... nothing!

Anyway a restorecon -R /run changed contexts inside it:

drwxr-xr-x. 2 root root system_u:object_r:consolekit_var_run_t 80
26 ago 11.32 ConsoleKit
drwxr-xr-x. 2 root root system_u:object_r:pam_var_console_t 60
26 ago 11.32 console

Of course after the policies upgrade I relabeled all the system
(twice!)... But since the /run is a tmpfs dir, and since its contexts
are wrong, should I use the initramfs approach (restorecon before
switching to enforcing)?


>
> I recommend to first work on the default_t and file_t stuff. That shouldn't
> be broken. Then in the denials, look at any denials for "execute", they
> almost always need to be fixed (whereas getattr/read's can often be ignored,
> especially in the beginning).
>
> Then, when booted and logged in, clear the denial log and switch to
> enforcing mode and see what stuff breaks. Then look in the denial log for
> the denials, and give the error messages for the broken applications.
It's exactly what I did in the previous email; after every step I
cleared the log file.
>
> When we fixed that, we should then look at the cryptsetup stuff, since you
> need that in order to boot successfully I guess. Only then can we try to boot
> in enforcing mode (once, until it boots fully).
>
> Wkr,
> Sven Vermeulen
>
Thank you again Sven. Paolo.
Re: Can't get fully functional (kde) desktop with SELinux
On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote:
> Hello Sven, first of all, all the denials I wrote here are from
> enforcing mode.

Oh that's good then. Would you also happen to get any failures from the
applications themselves (or error messages you get)?

Or, in other words, why shouldn't I just dontaudit everything ;)

Getting the error messages is a very important and often misunderstood part.
It helps identify the reason why something needs to be allowed (since for
SELinux policies, we have several interfaces that allow something, but
depending on the reason why it needs to be allowed, we might need to use a
different interface) and also document the problem so the fix is easier to
submit upstream.

> >> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
> >> audit(1345917944.027:3): avc: denied { search } for pid=1433
> >> comm="alsactl" name="root" dev="sda5" ino=1308163
> >> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
> >> tclass=dir
> > This says /root is default_t again. Mine says:
> >
> > ~ # matchpathcon /root
> > /root root:object_r:user_home_dir_t
> >
> > ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
> > /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t
>
> The same gives me nothing.

You'll need to change the directory from strict to targeted in your case.

The root user's home directory should definitely be mentioned here (just
checked on a targeted system at work). Is the root user mapped to a
particular SELinux user?

What does "semanage login -l" say?

[... Allowing global_ssp to allow domains access to urandom ...]
> No, it isn't. I did not enable it because I'm still not in hardened
> because I'd want to let selinux completely work before the conversion.

That's okay. At least we now know that the domain probably needs it. Do you
only get the denials or also an error?

Wkr,
Sven Vermeulen
Re: Can't get fully functional (kde) desktop with SELinux
On 27/08/2012 19:38, Sven Vermeulen wrote:
> On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote:
>> Hello Sven, first of all, all the denials I wrote here are from
>> enforcing mode.
> Oh that's good then. Would you also happen to get any failures from the
> applications themselves (or error messages you get)?
>
> Or, in other words, why shouldn't I just dontaudit everything ;)
>
> Getting the error messages is a very important and often misunderstood part.
> It helps identify the reason why something needs to be allowed (since for
> SELinux policies, we have several interfaces that allow something, but
> depending on the reason why it needs to be allowed, we might need to use a
> different interface) and also document the problem so the fix is easier to
> submit upstream.
Well I only had a policykit crash window. But it disappeared when,
following your suggestion, I've made a rule with audit2allow only on
the execute denials. But even with that rule the problems of audio card
and powerdevil weren't solved.
This is the rule:
require {
type policykit_exec_t;
type bin_t;
type crond_t;
type system_dbusd_t;
class file { execute execute_no_trans };
}

#============= crond_t ==============
allow crond_t bin_t:file { execute execute_no_trans };

#============= system_dbusd_t ==============
allow system_dbusd_t policykit_exec_t:file execute;

>
>>>> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
>>>> audit(1345917944.027:3): avc: denied { search } for pid=1433
>>>> comm="alsactl" name="root" dev="sda5" ino=1308163
>>>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
>>>> tclass=dir
>>> This says /root is default_t again. Mine says:
>>>
>>> ~ # matchpathcon /root
>>> /root root:object_r:user_home_dir_t
>>>
>>> ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
>>> /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t
>> The same gives me nothing.
> You'll need to change the directory from strict to targeted in your case.
>
> The root users' home directory should definitely be mentioned here (just
> checked on a targeted system at work). Is the root user mapped to a
> particular SELinux user?
>
> What does "semanage login -l" say?
Semanage login -l outputs only:
__default__ unconfined_u
system_u system_u

Anyway I think that I "solved" this problem (probably it's rather a
workaround) using the context you wrote: "semanage fcontext -a -t
user_home_dir_t /root". In fact the su delay disappeared.

>
> [... Allowing global_ssp to allow domains access to urandom ...]
>> No, it isn't. I did not enable it because I'm still not in hardened
>> because I'd want to let selinux completely work before the conversion.
> That's okay. At least we now know that the domain probably needs it. Do you
> only get the denials or also an error?
>
> Wkr,
> Sven Vermeulen
>
Well, no, all what is related to alsactl is (perhaps) the fact that kde
can't see my audio card.

There is one more problem. As I wrote in the previous mail two folders
in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
the mislabeling was solved by using the script for the initramfs users
(of course adding restorecon -R /run). But I couldn't relabel permanently
the second dir. I think it's because it belongs to pam, so perhaps it is
created after a login, but the script runs before it. Am I right?
So how can it be solved? Why does every boot mislabel these two directories?
I think that if we solve it then we can try to summarize the denials I
have at this point.

Paolo.
Re: Can't get fully functional (kde) desktop with SELinux
On Mon, Aug 27, 2012 at 08:28:20PM +0200, Paolo Barile wrote:
> Well I only had a policykit crash window. But It disappeared when,
> following your suggestion, I've made a rule with audit2allow only on
> the execute denials. But even with that rule the problems of audio card
> and powerdevil weren't solved.
[...]

Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
you to try out (you can use audit2allow but I'm not sure yet if the result
is correct or not).

> > What does "semanage login -l" say?
> Semanage login -l outputs only:
> __default__ unconfined_u
> system_u system_u
>
> Anyway I think that I "solved" this problem (probably it's rather a
> workaround) using the context you wrote: "semanage fcontext -a -t
> user_home_dir_t /root". In fact the su delay disappeared.

Looks like we need to declare the root user for unconfined_u anyhow. You
might want to run the following to do so:

~# semanage login -a -s unconfined_u root

It seems that genhomedircon (well, it's now part of the semodule command but
the genhomedircon command still works) only looks at users with a UID of 500
and more. By not explicitly declaring root as an interactive user, the tools
just ignore it (and as a result don't generate the proper contexts).

If you do that, then genhomedircon and then look at the output of the
following command again, I hope you get enough output?

~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs

> There is one more problem. As I wrote in the previous mail two folders
> in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
> the mislabeling was solved by using the script for the initramfs users
> (of course adding restorecon -R /run). But I couldn't relabel permanently
> the second dir. I think it's because it belongs to pam, so perhaps it is
> created after a login, but the script runs before it. Am I right?

Sounds probable. We'll need to figure out what is creating the console
directory. From the label (consolekit_var_run_t) I imagine it is something
of ConsoleKit.

I can probably create a named file transition for this. The ConsoleKit stuff
is acknowledged already, perhaps the /run/console is solved with something
like the following?

#v+
policy_module(localconsolekit, 1.0)

gen_require(`
type pam_var_console_t;
type consolekit_t;
')

files_pid_filetrans(consolekit_t, pam_var_console_t, dir, "console")
#v-

This basically says that, if a domain "consolekit_t" creates a
dir(ectory) with name "console" in a location with label var_run_t ("pid"),
then that directory would be labeled "pam_var_console_t" immediately.

It is possible however that consolekit_t doesn't hold the rights to do so,
so you might need to add in:

#v+
create_dirs_pattern(consolekit_t, pam_var_console_t, pam_var_console_t)
#v-

Thanks for your patience on this so far ;-)

Wkr,
Sven Vermeulen
Re: Can't get fully functional (kde) desktop with SELinux [ In reply to ]
On 28/08/2012 19:27, Sven Vermeulen wrote:
> On Mon, Aug 27, 2012 at 08:28:20PM +0200, Paolo Barile wrote:
>> Well I only had a policykit crash window. But it disappeared when,
>> following your suggestion, I've made a rule with audit2allow only on
>> the execute denials. But even with that rule the problems of audio card
>> and powerdevil weren't solved.
> [...]
>
> Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
> you to try out (you can use audit2allow but I'm not sure yet if the result
> is correct or not).
Thank you very much. As for your question about error messages, I
noticed that starting kmix from shell gives me:

QDBusConnection: session D-Bus connection created before
QCoreApplication. Application may misbehave.

And kmix doesn't start.
>
>>> What does "semanage login -l" say?
>> Semanage login -l outputs only:
>> __default__ unconfined_u
>> system_u system_u
>>
>> Anyway I think that I "solved" this problem (probably it's rather a
>> workaround) using the context you wrote: "semanage fcontext -a -t
>> user_home_dir_t /root". In fact the su delay disappeared.
> Looks like we need to declare the root user for unconfined_u anyhow. You
> might want to run the following to do so:
>
> ~# semanage login -a -s unconfined_u root
>
> It seems that genhomedircon (well, it's now part of the semodule command but
> the genhomedircon command still works) only looks at users with a UID of 500
> and more. By not explicitly declaring root as an interactive user, the tools
> just ignore it (and as a result don't generate the proper contexts).
>
> If you do that, then genhomedircon and then look at the output of the
> following command again, I hope you get enough output?
>
> ~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs
Oh well, even too much perhaps now! ;) I mean it contains strings like:

/root/\.mozilla(/.*)? unconfined_u:object_r:mozilla_home_t

But I don't know why the root user should have rights for X
applications. Is that normal? If so, I think we can consider it solved!

Do you suggest mapping the other users to unconfined_u too? I'm asking
because I noticed a slowness in opening folders (in X) for the first
time after the login.

>
>> There is one more problem. As I wrote in the previous mail two folders
>> in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
>> the mislabeling was solved by using the script for the initramfs users
>> (of course adding restorecon -R /run). But I couldn't relabel permanently
>> the second dir. I think it's because it belongs to pam, so perhaps it is
>> created after a login, but the script runs before it. Am I right?
> Sounds probable. We'll need to figure out what is creating the console
> directory. From the label (consolekit_var_run_t) I imagine it is something
> of ConsoleKit.
>
> I can probably create a named file transition for this. The ConsoleKit stuff
> is acknowledged already, perhaps the /run/console is solved with something
> like the following?
>
> #v+
> policy_module(localconsolekit, 1.0)
>
> gen_require(`
> type pam_var_console_t;
> type consolekit_t;
> ')
>
> files_pid_filetrans(consolekit_t, pam_var_console_t, dir, "console")
> #v-
>
> This basically says that, if a domain "consolekit_t" creates a
> dir(ectory) with name "console" in a location with label var_run_t ("pid"),
> then that directory would be labeled "pam_var_console_t" immediately.
>
> It is possible however that consolekit_t doesn't hold the rights to do so,
> so you might need to add in:
>
> #v+
> create_dirs_pattern(consolekit_t, pam_var_console_t, pam_var_console_t)
> #v-
>
> Thanks for your patience on this so far ;-)
>
> Wkr,
> Sven Vermeulen
>
Well, thanks to you for yours!
Anyway with that module (but the create_dirs_pattern rule is necessary),
the /run/console situation is solved too.

Now let's try to summarize all the denials I have now at this point.

On boot I have:

Aug 29 18:07:34 dell-studio kernel: [ 8.446914] type=1400
audit(1346263638.445:4): avc: denied { getattr } for pid=1454
comm="alsactl" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [ 8.446939] type=1400
audit(1346263638.445:5): avc: denied { write } for pid=1454
comm="alsactl" name="shm" dev="tmpfs" ino=1124
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.446947] type=1400
audit(1346263638.445:6): avc: denied { add_name } for pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.446963] type=1400
audit(1346263638.445:7): avc: denied { create } for pid=1454
comm="alsactl" name="pulse-shm-688087777"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.446976] type=1400
audit(1346263638.445:8): avc: denied { read write open } for pid=1454
comm="alsactl" name="pulse-shm-688087777" dev="tmpfs" ino=3801
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.466988] type=1400
audit(1346263638.465:9): avc: denied { remove_name } for pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 8.467011] type=1400
audit(1346263638.465:10): avc: denied { unlink } for pid=1456
comm="alsactl" name="pulse-shm-2524473597" dev="tmpfs" ino=4125
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 8.984725] type=1400
audit(1346256440.202:11): avc: denied { getattr } for pid=1538
comm="cryptsetup" name="/" dev="tmpfs" ino=3130
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 29 18:07:34 dell-studio kernel: [ 14.683311] type=1400
audit(1346256445.900:15): avc: denied { module_request } for pid=1543
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t
tcontext=system_u:system_r:kernel_t tclass=system
Aug 29 18:07:34 dell-studio kernel: [ 23.000643] type=1400
audit(1346256454.217:16): avc: denied { setrlimit } for pid=2008
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=process
Aug 29 18:07:34 dell-studio kernel: [ 23.230831] type=1400
audit(1346256454.447:17): avc: denied { read } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.230847] type=1400
audit(1346256454.447:18): avc: denied { open } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.230869] type=1400
audit(1346256454.447:19): avc: denied { getattr } for pid=2024
comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev="sda7"
ino=73732 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.240312] type=1400
audit(1346256454.457:20): avc: denied { unlink } for pid=2024
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73732
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 29 18:07:34 dell-studio kernel: [ 23.593562] type=1400
audit(1346256454.810:21): avc: denied { getattr } for pid=2038
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593583] type=1400
audit(1346256454.810:22): avc: denied { search } for pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593600] type=1400
audit(1346256454.810:23): avc: denied { write } for pid=2038
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:34 dell-studio kernel: [ 23.593608] type=1400
audit(1346256454.810:24): avc: denied { add_name } for pid=2038
comm="console-kit-dae" name="database~"
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:initrc_var_run_t tclass=dir
Aug 29 18:07:40 dell-studio kernel: [ 29.589769] type=1400
audit(1346256460.806:49): avc: denied { read } for pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [ 29.589778] type=1400
audit(1346256460.806:50): avc: denied { open } for pid=2782 comm="sh"
name="meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:40 dell-studio kernel: [ 29.589797] type=1400
audit(1346256460.806:51): avc: denied { getattr } for pid=2782
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t
tclass=file
Aug 29 18:07:41 dell-studio kernel: [ 29.823183] type=1400
audit(1346256461.040:52): avc: denied { read write } for pid=2826
comm="ifconfig" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket
Aug 29 18:07:41 dell-studio kernel: [ 30.120105] type=1400
audit(1346256461.337:53): avc: denied { use } for pid=2955
comm="mount" path="/dev/null" dev="tmpfs" ino=1122
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=fd
Aug 29 18:07:41 dell-studio kernel: [ 30.120124] type=1400
audit(1346256461.337:54): avc: denied { read write } for pid=2955
comm="mount" path="socket:[5036]" dev="sockfs" ino=5036
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t
tclass=unix_dgram_socket
Aug 29 18:09:04 dell-studio kernel: [ 112.791995] type=1400
audit(1346256544.031:56): avc: denied { read } for pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400
audit(1346256544.115:57): avc: denied { read } for pid=3066
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

After starting xdm:

Aug 29 18:09:34 dell-studio kernel: [ 142.834237] type=1400
audit(1346256574.075:58): avc: denied { read } for pid=3073 comm="rc"
name="profile.env" dev="sda5" ino=663084
scontext=unconfined_u:unconfined_r:run_init_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
Aug 29 18:09:40 dell-studio kernel: [ 149.431140] type=1400
audit(1346256580.672:59): avc: denied { read } for pid=3118
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:09:46 dell-studio kernel: [ 154.930603] type=1400
audit(1346256586.170:60): avc: denied { read } for pid=3133
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir

And after the login:

Aug 29 18:10:04 dell-studio kernel: [ 173.755581] type=1400
audit(1346256604.995:65): avc: denied { read } for pid=3140
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:10:09 dell-studio kernel: [ 177.817507] type=1400
audit(1346256609.057:66): avc: denied { read } for pid=2038
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file
Aug 29 18:10:14 dell-studio kernel: [ 182.951425] type=1400
audit(1346256614.192:68): avc: denied { getattr } for pid=3236
comm="udisks-daemon" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_disk_t
tcontext=system_u:object_r:fs_t tclass=filesystem
Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400
audit(1346256614.546:69): avc: denied { getattr } for pid=3233
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400
audit(1346256614.558:70): avc: denied { getattr } for pid=3252
comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400
audit(1346256614.957:71): avc: denied { getattr } for pid=3276
comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400
audit(1346256614.961:72): avc: denied { write } for pid=3281
comm="mkdir" name="/" dev="tmpfs" ino=1059
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 29 18:10:41 dell-studio kernel: [ 210.642364] type=1400
audit(1346256641.883:73): avc: denied { search } for pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:11:55 dell-studio kernel: [ 283.944883] type=1400
audit(1346256715.185:76): avc: denied { read } for pid=3540
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:12:01 dell-studio kernel: [ 290.394892] type=1400
audit(1346256721.635:77): avc: denied { search } for pid=2129
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=5404
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 29 18:12:06 dell-studio kernel: [ 295.059511] type=1400
audit(1346256726.300:78): avc: denied { read } for pid=3574
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_var_run_t tclass=dir
Aug 29 18:20:01 dell-studio kernel: [ 769.954898] type=1400
audit(1346257201.195:80): avc: denied { read open } for pid=6070
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [ 769.954945] type=1400
audit(1346257201.195:81): avc: denied { getattr } for pid=6070
comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 29 18:20:01 dell-studio kernel: [ 769.957780] type=1400
audit(1346257201.198:83): avc: denied { read } for pid=6071
comm="sendmail"
path=2F746D702F63726F6E2E637437754B742F63726F6E2E726F6F742E36303639202864656C6574656429
dev="sda5" ino=2229458 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
Aug 29 18:20:15 dell-studio kernel: [ 784.092973] type=1400
audit(1346257215.333:84): avc: denied { getattr } for pid=3227
comm="upowerd" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:fs_t tclass=filesystem

Thank you again for following me.
Paolo.
Re: Can't get fully functional (kde) desktop with SELinux [ In reply to ]
On Wed, Aug 29, 2012 at 06:36:07PM +0200, Paolo Barile wrote:
> > Okay. I'll take a look at the AVCs earlier and draft up a possible fix for
> > you to try out (you can use audit2allow but I'm not sure yet if the result
> > is correct or not).
> Thank you very much.

You're welcome.

> As for your question about error messages, i
> noticed that starting kmix from shell gives me:
>
> QDBusConnection: session D-Bus connection created before
> QCoreApplication. Application may misbehave.
>
> And kmix doesn't start.

Yes. I *think* it is because alsa in the beginning wants to access /dev/shm
(and then create shared memory for interacting with pulseaudio) but because
/dev/shm is mislabeled (in your output, it is device_t, whereas it should be
tmpfs_t) alsa can't do all that. That's probably the cause of this.

See this:

#v+
Aug 21 08:45:49 dell-studio kernel: [ 8.588644] type=1400
audit(1345538718.587:10): avc: denied { write } for pid=1452
comm="alsactl" name="shm" dev="tmpfs" ino=2984
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 21 08:45:49 dell-studio kernel: [ 8.588652] type=1400
audit(1345538718.587:11): avc: denied { add_name } for pid=1452
comm="alsactl" name="pulse-shm-1979112542"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
#v-

As you are using cryptsetup, I imagine you are using an initramfs, right? Is
the /dev/shm location mounted in the initramfs or afterwards by openrc?

Is the context corrected later in the boot process (in other words, if you
check the label now with "ls -dZ /dev/shm" is it tmpfs_t now?)

> > following command again, I hope you get enough output?
> >
> > ~# grep root /etc/selinux/*/contexts/files/file_contexts.homedirs
> Oh well, even too much perhaps now! ;) I mean it contains strings like:
>
> /root/\.mozilla(/.*)? unconfined_u:object_r:mozilla_home_t

That's correct.

> But I don't know why the root user should have rights for X
> applications. Is that normal? If so, I think we can consider it solved!

Well, the root user for SELinux is just another unconfined user, so it maps
all contexts it knows for users to the root user location.

> Do you suggest to map to unconfined_u the other users too? I'm asking it
> because I noticed a slowness in opening folders (in X) for the first
> time after the login.

They should already be mapped (because of the "__default__" login mapping).
You can verify that using the same grep command as before:

~# grep yourusername /etc/selinux/*/contexts/files/file_contexts.homedirs

> Well thanks to you for the yours!
> Anyway with that module (but the create_dirs_pattern rule is necessary),
> the /run/console situation is solved too.

Great. Now all I have to do is find out where exactly the creation is done
(to document it properly), but a grep in the sources will probably help me
with that ;-)

[... many denials ...]
> Thank you again for following me.

You're welcome. I'm going over the denials right now one by one and looking
at the ones I think I can resolve and document already. Some of them I skip
and create a bugreport for, like with bug #433177, as I am not certain they
are cosmetic or needed (but some way to track them through a bugreport is
always a good idea imo).

Wkr,
Sven Vermeulen
Re: Can't get fully functional (kde) desktop with SELinux [ In reply to ]
Well I can't check all now since I'm away now, but I can surely say that I
don't use an initramfs because I only encrypted the home and swap
partitions... Tomorrow I'll check the shm related question.
Paolo.
Re: Can't get fully functional (kde) desktop with SELinux [ In reply to ]
On Wed, Aug 29, 2012 at 06:36:07PM +0200, Paolo Barile wrote:
> Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400
> audit(1346256544.115:57): avc: denied { read } for pid=3066
> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
> scontext=system_u:system_r:consolekit_t
> tcontext=system_u:object_r:udev_var_run_t tclass=dir

This one is biting me a bit. Could you try labeling udev-acl.ck (wherever it
is) as udev_exec_t and see if that helps?

The udev-acl.ck code tries to iterate over devices, setting the proper
access controls. This is most likely what is causing your USB disks to not
show up (properly). However, I'm not very fond of allowing consolekit_t to
do this if this is a udev task (and more specifically, udev-acl.c (the
source code) uses a lot of udev related methods for this).

The alternative (if we don't run it as udev) is to allow all possible rights
on consolekit, but I think that'll be a lot more than reading the directory
(as this is just the first step).

> Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400
> audit(1346256614.546:69): avc: denied { getattr } for pid=3233
> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
> Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400
> audit(1346256614.558:70): avc: denied { getattr } for pid=3252
> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
> Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400
> audit(1346256614.957:71): avc: denied { getattr } for pid=3276
> comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
> Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400
> audit(1346256614.961:72): avc: denied { write } for pid=3281
> comm="mkdir" name="/" dev="tmpfs" ino=1059
> scontext=system_u:system_r:devicekit_power_t
> tcontext=system_u:object_r:var_run_t tclass=dir
[...]

This one we need to work out further. I'm okay with allowing
devicekit_power_t to get the attributes of apm_bios_t, but for some reason I
don't think that'll be enough.

Care to add in something like:

#v+
policy_module(localdevicekit, 1.0)

gen_require(`
type devicekit_power_t;
')

dev_getattr_apm_bios_dev(devicekit_power_t)
#v-

and then see what happens next? If it wants to read or write to it, add in:

#v+
dev_rw_apm_bios(devicekit_power_t)
#v-

For the rest, I've put in quite a few changes in the policy for the other
denials shown earlier. They will definitely be in revision 5, but if you
know how to work with live ebuilds, you can use the SELinux live ebuilds as
well (since the changes are in the policy repository).

An overview of all changes:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=summary

Wkr,
Sven Vermeulen
Re: Can't get fully functional (kde) desktop with SELinux [ In reply to ]
On 29/08/2012 20:49, Sven Vermeulen wrote:
> Is the context corrected later in the boot process (in other words, if you
> check the label now with "ls -dZ /dev/shm" is it tmpfs_t now?)
Well in fact /dev/shm was mislabeled even if I don't use initramfs, so I
added the following to fstab:

shm /dev/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t,seclabel,nosuid,nodev,noexec,relatime 0 0

So now (after reboot) it is labeled: system_u:object_r:tmpfs_t /dev/shm.

Anyway alsactl (and kmix) still don't work. It is (I think) because
there's something strange in the denials:

Aug 30 19:52:15 dell-studio kernel: [ 8.562950] type=1400
audit(1346356301.561:3): avc: denied { getattr } for pid=1461
comm="alsactl" name="/" dev="tmpfs" ino=1232
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 30 19:52:15 dell-studio kernel: [ 8.562975] type=1400
audit(1346356301.561:5): avc: denied { write } for pid=1461
comm="alsactl" name="shm" dev="tmpfs" ino=1236
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 30 19:52:15 dell-studio kernel: [ 8.562984] type=1400
audit(1346356301.561:6): avc: denied { add_name } for pid=1461
comm="alsactl" name="pulse-shm-3830975079"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 30 19:52:15 dell-studio kernel: [ 8.563014] type=1400
audit(1346356301.561:7): avc: denied { create } for pid=1461
comm="alsactl" name="pulse-shm-3830975079"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 30 19:52:15 dell-studio kernel: [ 8.563027] type=1400
audit(1346356301.562:8): avc: denied { read write open } for pid=1461
comm="alsactl" name="pulse-shm-3830975079" dev="tmpfs" ino=4239
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
Aug 30 19:52:15 dell-studio kernel: [ 8.608145] type=1400
audit(1346356301.607:9): avc: denied { remove_name } for pid=1461
comm="alsactl" name="pulse-shm-3830975079" dev="tmpfs" ino=4239
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 30 19:52:15 dell-studio kernel: [ 8.608154] type=1400
audit(1346356301.607:10): avc: denied { unlink } for pid=1461
comm="alsactl" name="pulse-shm-3830975079" dev="tmpfs" ino=4239
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file

As you can see, even if the first denial reports shm labeled as tmpfs_t,
all the others report it as device_t. How can it be possible?


> On Wed, Aug 29, 2012 at 06:36:07PM +0200, Paolo Barile wrote:
>> Aug 29 18:09:04 dell-studio kernel: [ 112.875933] type=1400
>> audit(1346256544.115:57): avc: denied { read } for pid=3066
>> comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3219
>> scontext=system_u:system_r:consolekit_t
>> tcontext=system_u:object_r:udev_var_run_t tclass=dir
> This one is biting me a bit. Could you try labeling udev-acl.ck (wherever it
> is) as udev_exec_t and see if that helps?
>
> The udev-acl.ck code tries to iterate over devices, setting the proper
> access controls. This is most likely what is causing your USB disks to not
> show up (properly). However, I'm not very fond of allowing consolekit_t to
> do this if this is a udev task (and more specifically, udev-acl.c (the
> source code) uses a lot of udev related methods for this).
>
> The alternative (if we don't run it as udev) is to allow all possible rights
> on consolekit, but I think that'll be a lot more than reading the directory
> (as this is just the first step).
The file is /usr/lib64/ConsoleKit/run-seat.d/udev-acl.ck, it is a
symlink to /usr/libexec/udev-acl that is labeled bin_t.
Anyway I relabeled udev-acl.ck as udev_exec_t, so that denial
disappeared, but now I have this new one:

Aug 30 19:31:06 dell-studio kernel: [ 75.419082] type=1400
audit(1346347866.859:59): avc: denied { read } for pid=3121
comm="console-kit-dae" name="udev-acl.ck" dev="sda5" ino=1057310
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_exec_t tclass=lnk_file


>> Aug 29 18:10:14 dell-studio kernel: [ 183.307019] type=1400
>> audit(1346256614.546:69): avc: denied { getattr } for pid=3233
>> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
>> scontext=system_u:system_r:devicekit_power_t
>> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
>> Aug 29 18:10:14 dell-studio kernel: [ 183.318766] type=1400
>> audit(1346256614.558:70): avc: denied { getattr } for pid=3252
>> comm="pm-is-supported" path="/dev/snapshot" dev="tmpfs" ino=3438
>> scontext=system_u:system_r:devicekit_power_t
>> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
>> Aug 29 18:10:14 dell-studio kernel: [ 183.717762] type=1400
>> audit(1346256614.957:71): avc: denied { getattr } for pid=3276
>> comm="pm-powersave" path="/dev/snapshot" dev="tmpfs" ino=3438
>> scontext=system_u:system_r:devicekit_power_t
>> tcontext=system_u:object_r:apm_bios_t tclass=chr_file
>> Aug 29 18:10:14 dell-studio kernel: [ 183.721637] type=1400
>> audit(1346256614.961:72): avc: denied { write } for pid=3281
>> comm="mkdir" name="/" dev="tmpfs" ino=1059
>> scontext=system_u:system_r:devicekit_power_t
>> tcontext=system_u:object_r:var_run_t tclass=dir
> [...]
>
> This one we need to work out further. I'm okay with allowing
> devicekit_power_t to get the attributes of apm_bios_t, but for some reason I
> don't think that'll be enough.
>
> Care to add in something like:
>
> #v+
> policy_module(localdevicekit, 1.0)
>
> gen_require(`
> type devicekit_power_t;
> ')
>
> dev_getattr_apm_bios_dev(devicekit_power_t)
> #v-
>
> and then see what happens next? If it wants to read or write to it, add in:
>
> #v+
> dev_rw_apm_bios(devicekit_power_t)
> #v-
Ok, with this module the denial about devicekit_power_t over apm_bios has
gone. It seems that the rw rights are not necessary.
Now only the last one remains:

Aug 30 19:53:13 dell-studio kernel: [ 98.792934] type=1400
audit(1346349193.267:60): avc: denied { write } for pid=3240
comm="mkdir" name="/" dev="tmpfs" ino=2982
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir

But even if it is related to devicekit_power_t it isn't over apm_bios,
but over var_run_t. Should I try to add something similar (but to
var_run_t) in that module?
>
> For the rest, I've put in quite a few changes in the policy for the other
> denials shown earlier. They will definitely be in revision 5, but if you
> know how to work with live ebuilds, you can use the SELinux live ebuilds as
> well (since the changes are in the policy repository).
>
> An overview of all changes:
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=summary
>
> Wkr,
> Sven Vermeulen
>

Ok, tomorrow I'll try the live ebuilds and I'll let you know. Pure
curiosity: when I try the live ebuild or when rev5 is out,
should I remove these modules you wrote in emails (localconsolekit and
localdevicekit)?
Thank you.
Paolo.
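An added example (not code from the mails or from the hardened-refpolicy project) that parses AVC records as they appear in this thread, rejoining the lines wrapped by the mail client, and then shows two things the discussion turns on: that the tmpfs_t denial above is on the filesystem object (tclass=filesystem) while the dir/file denials carry the inode's own device_t label, and what audit2allow-style rules those denials would turn into. The sample records are constructed after the alsactl denials quoted above; timestamps and inode numbers are made up.

```python
"""Parse SELinux AVC denial records as pasted into mails (mail-wrapped lines
included) and summarise them per source type, target type and object class."""
import re
from collections import defaultdict

# Constructed sample, wrapped across lines the way the mail client did it.
SAMPLE_LOG = """\
Aug 30 19:52:15 dell-studio kernel: [ 8.562950] type=1400
audit(1346356301.561:3): avc: denied { getattr } for pid=1461
comm="alsactl" name="/" dev="tmpfs" ino=1232
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 30 19:52:15 dell-studio kernel: [ 8.562975] type=1400
audit(1346356301.561:5): avc: denied { write } for pid=1461
comm="alsactl" name="shm" dev="tmpfs" ino=1236
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 30 19:52:15 dell-studio kernel: [ 8.562984] type=1400
audit(1346356301.561:6): avc: denied { add_name } for pid=1461
comm="alsactl" name="pulse-shm-3830975079"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=dir
Aug 30 19:52:15 dell-studio kernel: [ 8.563014] type=1400
audit(1346356301.561:7): avc: denied { create } for pid=1461
comm="alsactl" name="pulse-shm-3830975079"
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t
tclass=file
"""

# A record starts with a syslog timestamp ("Aug 30 19:52:15"); any other line
# is a continuation produced by the mail client's line wrapping.
_RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
_DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if _RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = _DENIED.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    # contexts are user:role:type; policy rules only name the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_log(text):
    return [r for r in (parse_avc(line) for line in unwrap(text)) if r]


def labels_by_class(records, dev):
    """Target types seen per object class on one device.

    This makes the thread's puzzle visible: a tclass=filesystem record is about
    the mount's superblock (labelled tmpfs_t by the filesystem labelling rules),
    while dir/file records carry the label of the inode itself (device_t here),
    so the two labels are not contradicting each other."""
    seen = defaultdict(set)
    for r in records:
        if r.get("dev") == dev:
            seen[r["tclass"]].add(r["ttype"])
    return dict(seen)


def allow_rules(records):
    """Collapse the denials into audit2allow-style allow rules.

    Each rule grants the denied permissions wholesale; read them against the
    real cause before loading anything. For the records above the device_t
    rules would be wrong: the fix in the thread is relabelling /dev/shm, not
    letting alsa_t write into device_t directories."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in perms.items()
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(labels_by_class(recs, "tmpfs"))
    print("\n".join(allow_rules(recs)))
```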
Re: Can't get fully functional (kde) desktop with SELinux [ In reply to ]
I tried the live ebuilds and something changed, but the problems didn't
go away.
Except for the ever-present alsactl denials, I have these related to cryptsetup:

Aug 31 17:48:56 dell-studio kernel: [ 10.300271] type=1400
audit(1346428122.197:11): avc: denied { getattr } for pid=1540
comm="cryptsetup" name="/" dev="tmpfs" ino=1149
scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Aug 31 17:48:56 dell-studio kernel: [ 10.315780] type=1400
audit(1346428122.212:12): avc: denied { read } for pid=1540
comm="cryptsetup" name="queue.bin" dev="tmpfs" ino=1876
scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:udev_var_run_t tclass=file

The following for syslog-ng:

Aug 31 17:48:56 dell-studio kernel: [ 23.588852] type=1400
audit(1346428135.485:15): avc: denied { read } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.588861] type=1400
audit(1346428135.485:16): avc: denied { open } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.588878] type=1400
audit(1346428135.485:17): avc: denied { getattr } for pid=2013
comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev="sda7"
ino=73729 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.597238] type=1400
audit(1346428135.494:18): avc: denied { unlink } for pid=2013
comm="syslog-ng" name="syslog-ng.persist" dev="sda7" ino=73729
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:var_lib_t tclass=file


Again consolekit with policykit:

Aug 31 17:48:56 dell-studio kernel: [ 23.872708] type=1400
audit(1346428135.769:19): avc: denied { read } for pid=2101
comm="console-kit-dae" name="udev-acl.ck" dev="sda5" ino=1057310
scontext=system_u:system_r:consolekit_t
tcontext=system_u:object_r:udev_exec_t tclass=lnk_file
Aug 31 17:48:56 dell-studio kernel: [ 24.322689] type=1400
audit(1346428136.219:24): avc: denied { execute_no_trans } for
pid=2119 comm="dbus-daemon-lau" path="/usr/libexec/polkitd" dev="sda5"
ino=922900 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 31 17:50:21 dell-studio kernel: [ 110.007624] type=1400
audit(1346428221.949:50): avc: denied { search } for pid=2119
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=4520
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir
Aug 31 17:51:41 dell-studio kernel: [ 189.862655] type=1400
audit(1346428301.804:52): avc: denied { search } for pid=2119
comm="polkitd" name="ConsoleKit" dev="tmpfs" ino=4520
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir


Dbus:

Aug 31 17:48:56 dell-studio kernel: [ 24.322653] type=1400
audit(1346428136.219:23): avc: denied { read open } for pid=2119
comm="dbus-daemon-lau" name="polkitd" dev="sda5" ino=922900
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 24.322689] type=1400
audit(1346428136.219:24): avc: denied { execute_no_trans } for
pid=2119 comm="dbus-daemon-lau" path="/usr/libexec/polkitd" dev="sda5"
ino=922900 scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:policykit_exec_t tclass=file

Devicekit:

Aug 31 17:49:54 dell-studio kernel: [ 82.473330] type=1400
audit(1346428194.371:44): avc: denied { getattr } for pid=3187
comm="udisks-daemon" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_disk_t
tcontext=system_u:object_r:fs_t tclass=filesystem
Aug 31 17:49:55 dell-studio kernel: [ 83.242850] type=1400
audit(1346428195.140:45): avc: denied { write } for pid=3232
comm="mkdir" name="/" dev="tmpfs" ino=1115
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:var_run_t tclass=dir
Aug 31 17:59:55 dell-studio kernel: [ 683.103378] type=1400
audit(1346428795.045:56): avc: denied { getattr } for pid=3178
comm="upowerd" name="/" dev="sda7" ino=2
scontext=system_u:system_r:devicekit_power_t
tcontext=system_u:object_r:fs_t tclass=filesystem


Cron:

Aug 31 17:48:56 dell-studio kernel: [ 23.951130] type=1400
audit(1346428135.848:20): avc: denied { read } for pid=2102
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.951145] type=1400
audit(1346428135.848:21): avc: denied { open } for pid=2102
comm="crond" name="root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.951170] type=1400
audit(1346428135.848:22): avc: denied { getattr } for pid=2102
comm="crond" path="/var/spool/cron/crontabs/root" dev="sda7" ino=12796
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t
tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 89.975499] type=1400
audit(1346428201.873:46): avc: denied { read open } for pid=3248
comm="sh" name="run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 89.975545] type=1400
audit(1346428201.873:47): avc: denied { getattr } for pid=3248
comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 90.006658] type=1400
audit(1346428201.905:49): avc: denied { read } for pid=3249
comm="sendmail"
path=2F746D702F63726F6E2E6F384F6E336F2F63726F6E2E726F6F742E33323437202864656C6574656429
dev="sda5" ino=2229313 scontext=system_u:system_r:system_mail_t
tcontext=system_u:object_r:crond_tmp_t tclass=file
Aug 31 17:59:01 dell-studio kernel: [ 629.136631] type=1400
audit(1346428741.078:53): avc: denied { getattr } for pid=5838
comm="sh" path="/bin/rm" dev="sda5" ino=1700617
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file

Thank you.
Paolo.
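As an added example (not code from this thread or from the Gentoo hardened project), here is a small Python parser for AVC denial lines like the ones quoted above. It turns each `avc: denied { ... }` record into a dict, decodes the hex-encoded `path=` that the kernel emits when a name contains spaces (the sendmail denial above), and groups denials by source domain, target type and object class the way audit2allow does, so that the `file_t` targets (files that carry no label at all, which need a relabel rather than a new allow rule) stand out from genuine policy gaps. The sample log is copied from this message and re-joined onto single lines where the mail client had wrapped them.

```python
"""Parse SELinux AVC denials from kernel/syslog lines and summarise them.

Added example, not code from the mailing-list thread. Assumes the
standard audit AVC record format (type=1400 ... avc: denied { perms } for
key=value ...) as printed by the kernel.
"""
import re
from collections import defaultdict

# Sample input: denial lines copied from the post above, re-joined onto
# single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Aug 31 17:48:56 dell-studio kernel: [ 23.872708] type=1400 audit(1346428135.769:19): avc: denied { read } for pid=2101 comm="console-kit-dae" name="udev-acl.ck" dev="sda5" ino=1057310 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:udev_exec_t tclass=lnk_file
Aug 31 17:48:56 dell-studio kernel: [ 23.951130] type=1400 audit(1346428135.848:20): avc: denied { read } for pid=2102 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 31 17:48:56 dell-studio kernel: [ 23.951145] type=1400 audit(1346428135.848:21): avc: denied { open } for pid=2102 comm="crond" name="root" dev="sda7" ino=12796 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Aug 31 17:50:01 dell-studio kernel: [ 90.006658] type=1400 audit(1346428201.905:49): avc: denied { read } for pid=3249 comm="sendmail" path=2F746D702F63726F6E2E6F384F6E336F2F63726F6E2E726F6F742E33323437202864656C6574656429 dev="sda5" ino=2229313 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:crond_tmp_t tclass=file
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# String fields the kernel hex-encodes (unquoted) when the value contains
# spaces, quotes or control characters; numeric fields like pid= are never decoded.
HEX_FIELDS = {"path", "name", "comm"}


def decode_audit_value(key, bare):
    """Return an unquoted field value, hex-decoding it for string fields."""
    if (key in HEX_FIELDS and len(bare) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", bare)):
        return bytes.fromhex(bare).decode("utf-8", "replace")
    return bare


def parse_avc(line):
    """Parse one log line into a dict; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for f in FIELD_RE.finditer(m.group("fields")):
        key = f.group("key")
        if f.group("quoted") is not None:
            rec[key] = f.group("quoted")
        else:
            rec[key] = decode_audit_value(key, f.group("bare"))
    # Pull the type out of "user:role:type[:range]" for easy grouping.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source domain, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def unlabeled_targets(log_text):
    """(comm, object) pairs whose target type is file_t.

    file_t is the type given to files that have no SELinux label on disk,
    so these denials point at a relabel (restorecon) rather than a missing rule.
    """
    hits = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tcontext_type"] == "file_t":
            hits.add((rec.get("comm"), rec.get("path") or rec.get("name")))
    return sorted(hits)


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
    print("unlabeled targets:", unlabeled_targets(SAMPLE_LOG))
    print("decoded sendmail path:", parse_avc(SAMPLE_LINES[3])["path"])
```

Run it on a saved `dmesg` or `/var/log/messages` excerpt instead of `SAMPLE_LOG` to get the same grouping for a whole boot; the decoded sendmail path shows the denial was on a deleted temporary file under /tmp, which a quoted `name=` field would never have revealed.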