Bug#850116: [DSE-Dev] Bug#850116: SEGV is always a bug in app or library

Laurent Bigonville bigon at debian.org
Fri Jan 13 18:26:38 UTC 2017


Le 13/01/17 à 16:43, Russell Coker a écrit :
> I find it difficult to think of situations where a SEGV in a program is anything
> other than a bug in the program or a library it uses.  If the program is
> prevented from doing something it wants to do (by SE Linux, Unix permissions,
> a filesystem error, lack of disk space, etc) it should log an error so that the
> sysadmin can fix the problem.
Did you check the USER_AVC records too (the denials that dbus-daemon itself 
logs for bus messages)? I see some D-Bus communication being denied here.

With all the new allow rules in the attached files I can get gdm 
running and open a session in enforcing mode. (I also had to set the 
allow_execmem boolean to on.)

Not all of these rules are likely needed, but they can serve as a 
starting point, I guess.

Cheers,

Laurent Bigonville
-------------- next part --------------
# local_dbus2: audit2allow output (attached to the bug) that lets the system
# dbus-daemon read and write input event device nodes.
module local_dbus2 1.0;

require {
	type event_device_t;
	type system_dbusd_t;
	class chr_file { read write };
}

#============= system_dbusd_t ==============
# NOTE(review): this grants dbus-daemon read/write on every event_device_t
# node (keyboards, mice, ...). The identical rule also appears in the
# local_dbus module attached below, so this module is redundant if both are
# loaded. Confirm from the original AVC (path= field, and whether the
# descriptor was inherited from an activated service) that dbus-daemon itself
# needs the access before keeping an allow here rather than a dontaudit.
allow system_dbusd_t event_device_t:chr_file { read write };

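# local_dbus: audit2allow output letting the system dbus-daemon read and write
# DRI (GPU) and input event device nodes. The two rules are grouped under one
# system_dbusd_t header and the require block is indented consistently (the
# original mixed tabs and spaces).
module local_dbus 1.0;

require {
	type system_dbusd_t;
	type dri_device_t;
	type event_device_t;
	class chr_file { read write };
}

#============= system_dbusd_t ==============
# NOTE(review): a message bus has no obvious reason to open GPU or input
# device nodes itself; denials like these are frequently on descriptors
# inherited across a bus-activated service start. Check the AVC's path=
# field and prefer a dontaudit to an allow if that is what is happening.
# The event_device_t rule duplicates the one in the local_dbus2 module.
allow system_dbusd_t dri_device_t:chr_file { read write };
allow system_dbusd_t event_device_t:chr_file { read write };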

# local_rtkit: lets rtkit-daemon send D-Bus messages to the display manager
# domain (xdm_t) and change the scheduling of xdm_t processes.
module local_rtkit 1.0;

require {
	class dbus send_msg;
	class process setsched;
	type xdm_t;
	type rtkit_daemon_t;
}

#============= rtkit_daemon_t ==============
# audit2allow reported the setsched access as already granted by the loaded
# policy; it is kept so the module is self-contained.
# NOTE(review): setsched on xdm_t lets rtkit alter the priority of
# display-manager processes, which is rtkit's job, but it widens what a
# compromised rtkit can touch; keep only if the denial reproduces without it.
# The send_msg rule is repeated in the local_user module.
allow rtkit_daemon_t xdm_t:process setsched;
allow rtkit_daemon_t xdm_t:dbus send_msg;

# local_systemd: NetworkManager and systemd-logind accesses observed while
# bringing up a gdm session in enforcing mode (audit2allow output).
module local_systemd 1.0;

require {
	class chr_file setattr;
	class fd use;
	class file unlink;
	type NetworkManager_t;
	type systemd_logind_t;
	type tty_device_t;
	type user_runtime_t;
}

#============= systemd_logind_t ==============
# Both rules were reported by audit2allow as already present in the loaded
# policy; they are kept for completeness.
allow systemd_logind_t tty_device_t:chr_file setattr;
allow systemd_logind_t user_runtime_t:file unlink;

#============= NetworkManager_t ==============
# NOTE(review): NetworkManager using a descriptor that belongs to logind
# looks like an fd leaked across an exec rather than a genuine need; the
# usual handling is a dontaudit plus fixing the leak, not an allow. Confirm
# against the AVC before keeping this.
allow NetworkManager_t systemd_logind_t:fd use;

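# local_udev: accesses udev needs when it execs alsa helpers and writes state
# under initrc_var_run_t (derived from audit2allow output).
module local_udev 1.0;

require {
	type alsa_t;
	type kernel_t;
	type initrc_var_run_t;
	type udev_t;
	class capability sys_tty_config;
	class key search;
	class dir { add_name getattr search write };
	class process { noatsecure rlimitinh siginh };
	class file { create write };
}

#============= udev_t ==============
# Transition hygiene: on the udev_t -> alsa_t exec the kernel sets AT_SECURE,
# resets soft rlimits and flushes inherited signal state only when these
# three permissions are DENIED. audit2allow turned the denials into an
# allow, which would switch those protections off for the helper; a
# dontaudit silences the log noise while keeping them. Re-test that the alsa
# helper still works with the allow removed.
dontaudit udev_t alsa_t:process { noatsecure rlimitinh siginh };

# Reported by audit2allow as already present in the loaded policy; kept so
# the module stands alone. create and write were two separate rules in the
# original output and are merged here.
allow udev_t initrc_var_run_t:dir { add_name getattr search write };
allow udev_t initrc_var_run_t:file { create write };

# Key lookups against kernel_t-owned keys and the sys_tty_config capability
# (tty configuration ioctls).
allow udev_t kernel_t:key search;
allow udev_t self:capability sys_tty_config;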

# local_user: D-Bus send_msg pairs (plus two systemd status queries) observed
# while logging into gdm in enforcing mode. This is audit2allow output; the
# author notes that not all of it is likely needed, so each rule should be
# kept only if its denial reproduces without it.
#
# Lines marked "!!!! This avc is allowed in the current policy" are ones
# audit2allow found already granted by the loaded policy.
#
# NOTE(review): dbus send_msg is checked per direction, so a reply needs the
# reverse rule too; expect follow-up denials for pairs listed only one way
# (peers that are unconfined_t presumably already hold the reverse side).
module local_user 1.0;

require {
	type init_var_run_t;
	type colord_t;
	type rtkit_daemon_t;
	type realmd_t;
	type xdm_t;
	type avahi_t;
	type NetworkManager_t;
	type policykit_t;
	type modemmanager_t;
	type unconfined_t;
	type systemd_locale_t;
	type systemd_logind_t;
	type systemd_hostnamed_t;
	type devicekit_disk_t;
	type accountsd_t;
	type apt_t;
	type init_t;
	type initrc_t;
	class service status;
	class system status;
	class dbus send_msg;
}

#============= NetworkManager_t ==============
allow NetworkManager_t apt_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
allow NetworkManager_t init_t:dbus send_msg;
allow NetworkManager_t unconfined_t:dbus send_msg;
allow NetworkManager_t xdm_t:dbus send_msg;

#============= accountsd_t ==============
allow accountsd_t unconfined_t:dbus send_msg;

#============= apt_t ==============
allow apt_t unconfined_t:dbus send_msg;

#============= avahi_t ==============
allow avahi_t colord_t:dbus send_msg;

#!!!! This avc is allowed in the current policy
allow avahi_t init_t:dbus send_msg;

#============= colord_t ==============
allow colord_t avahi_t:dbus send_msg;
allow colord_t unconfined_t:dbus send_msg;

#============= devicekit_disk_t ==============
allow devicekit_disk_t initrc_t:dbus send_msg;

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t unconfined_t:dbus send_msg;

#============= modemmanager_t ==============

#!!!! This avc is allowed in the current policy
allow modemmanager_t init_t:dbus send_msg;
allow modemmanager_t systemd_logind_t:dbus send_msg;
allow modemmanager_t unconfined_t:dbus send_msg;

#============= policykit_t ==============
allow policykit_t apt_t:dbus send_msg;
allow policykit_t xdm_t:dbus send_msg;

#============= realmd_t ==============
allow realmd_t xdm_t:dbus send_msg;

#============= rtkit_daemon_t ==============
# Same rule as in the local_rtkit module; loading both is harmless but
# redundant.

#!!!! This avc is allowed in the current policy
allow rtkit_daemon_t xdm_t:dbus send_msg;

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t unconfined_t:dbus send_msg;
allow systemd_hostnamed_t xdm_t:dbus send_msg;

#============= systemd_locale_t ==============
allow systemd_locale_t init_t:dbus send_msg;
allow systemd_locale_t unconfined_t:dbus send_msg;
allow systemd_locale_t xdm_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t apt_t:dbus send_msg;
allow systemd_logind_t modemmanager_t:dbus send_msg;

#============= unconfined_t ==============
# Only the read-only "status" permission is granted here, not start, stop,
# reload or enable/disable.

#!!!! This avc is allowed in the current policy
allow unconfined_t init_var_run_t:service status;

#============= xdm_t ==============
# Likewise a read-only status query of the init system from the display
# manager domain.
allow xdm_t init_t:system status;


