[DSE-Dev] Bug#781779: not grave

Andre Florath andre at florath.net
Tue Sep 15 09:56:09 UTC 2015


Hello!

>
> Firstly this is not a grave bug.  Most of the benefits of SE Linux are on 
> servers so even if it didn't work for a graphical login that wouldn't be a 
> grave bug.

I completely disagree here!
A large part of Debian installations is used as desktop [1].
Exactly there, when using e-mail and web browsers, SELinux is of great help.

> 
> allow kernel_t systemd_unit_file_t:service { status start };
> 
> The above line suggests that your init is running in the wrong domain.  Check 
> your audit.log and see what was running as kernel_t, probably running 
> restorecon on that will fix it.

Checking this with your latest selinux-policy-default package: 2:2.20140421-10.
It looks like this is fixed now. The list is now much smaller (appended).

> 
> #!!!! This avc can be allowed using one of the these booleans:
> #     allow_execstack, allow_execmem
> allow unconfined_t self:process execmem;
> 
> Some desktop environments (like KDE) require execmem.  Setting allow_execmem 
> will fix that.  See setsebool(8).

I'm using Gnome.
After
# setsebool allow_execstack true
# setsebool allow_execmem true
I'm now able to log in. Roughly checked some applications:
iceweasel, libre-office, gimp, ...
No problems!
It looks like the new version of selinux-policy-default fixes a lot of things!

> 
> Finally I can't do anything more about this without even knowing what desktop 
> environment is having a problem.  I need to know what XDM program and what 
> desktop environment are being used and if it works with a different XDM or 
> different desktop environment (twm is good for testing).
> 

I'm using the default :-)
Minimal VM installation and then:
# apt-get install task-desktop

Do you need more information? List of installed packages?
Command to set up the VM?

Kind regards

Andre


[1] https://qa.debian.org/popcon.php?package=tasksel

===

# audit2allow --boot


#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read search };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };

#============= alsa_t ==============

#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, var_lock_t, etc_t, tmpfs_t, user_home_dir_t, root_t, tmp_t, user_tmp_t, pulseaudio_tmpfsfile, alsa_etc_rw_t, user_home_t

allow alsa_t var_run_t:dir write;

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;

#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;

#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_rules_t, init_var_run_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t

allow systemd_logind_t tmpfs_t:dir write;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;
allow systemd_logind_t xdm_tmpfs_t:dir read;
allow systemd_logind_t xdm_tmpfs_t:file getattr;

#============= udev_t ==============
allow udev_t self:netlink_socket create;

#============= unconfined_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
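As an added example that is not part of this thread, of audit2allow or of the Debian policy package: a small Python triage of `audit2allow --boot` output in the format listed above. It separates rules that audit2allow itself says a boolean would cover (as for `execmem`) from rules whose hint points at a wrong file label (so `restorecon` should be tried first) and rules that need a real policy decision. The sample input is constructed from the listing above, and `triage_audit2allow` is a name chosen here.

```python
import re

# Constructed sample in the format printed by `audit2allow --boot`, taken from
# the listing in this thread and trimmed to three representative rules.
SAMPLE = """\
#============= alsa_t ==============

#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, var_lock_t, tmp_t

allow alsa_t var_run_t:dir write;

#============= unconfined_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")


def triage_audit2allow(text):
    """Parse audit2allow output into a list of rule dicts.

    Each dict carries source, target, tclass, perms and a 'fix' field:
    'boolean'  - audit2allow named booleans that cover the denial,
    'label'    - the target's label is probably wrong (the types the
                 source may write are listed), so check labels first,
    'policy'   - no hint given; needs a local module or a bug report.
    """
    rules, hint = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#!!!!"):
            kind = "boolean" if "boolean" in line else "label"
            hint = {"fix": kind, "candidates": []}
        elif (line.startswith("#") and not line.startswith("#=")
              and hint is not None and not hint["candidates"]):
            # continuation line listing the booleans or the writable types
            hint["candidates"] = [t.strip() for t in line[1:].split(",") if t.strip()]
        else:
            m = ALLOW_RE.match(line)
            if not m:
                continue
            src, tgt, tclass, perms = m.groups()
            rule = {"source": src, "target": tgt, "tclass": tclass,
                    "perms": perms.strip("{} ").split(),
                    "fix": "policy", "candidates": []}
            if hint is not None:
                rule.update(hint)   # the hint applies to the rule that follows it
            hint = None
            rules.append(rule)
    return rules
```

Feed it the real output (`audit2allow --boot | python3 triage.py`) and act on the 'boolean' and 'label' rows before writing any `allow` rule into a local module.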


