[DSE-Dev] Bug#781779: not grave
Andre Florath
andre at florath.net
Tue Sep 15 09:56:09 UTC 2015
Hello!
>
> Firstly this is not a grave bug. Most of the benefits of SE Linux are on
> servers so even if it didn't work for a graphical login that wouldn't be a
> grave bug.
I completely disagree here!
A large part of Debian installations is used as desktops [1].
It is precisely there, when using e-mail and web browsers, that SELinux is of great help.
>
> allow kernel_t systemd_unit_file_t:service { status start };
>
> The above line suggests that your init is running in the wrong domain. Check
> your audit.log and see what was running as kernel_t, probably running
> restorecon on that will fix it.
I checked this with your latest selinux-policy-default package: 2:2.20140421-10.
It looks like this is fixed now. The list is now much smaller (appended).
>
> #!!!! This avc can be allowed using one of the these booleans:
> # allow_execstack, allow_execmem
> allow unconfined_t self:process execmem;
>
> Some desktop environments (like KDE) require execmem. Setting allow_execmem
> will fix that. See setsebool(8).
I'm using Gnome.
After
# setsebool allow_execstack true
# setsebool allow_execmem true
I'm now able to log in. I roughly checked some applications:
iceweasel, libre-office, gimp, ...
No problems!
It looks like the new version of selinux-policy-default fixes a lot of things!
>
> Finally I can't do anything more about this without even knowing what desktop
> environment is having a problem. I need to know what XDM program and what
> desktop environment are being used and if it works with a different XDM or
> different desktop environment (twm is good for testing).
>
I'm using the default :-)
Minimal VM installation and then:
# apt-get install task-desktop
Do you need more information? The list of installed packages?
The command to set up the VM?
Kind regards
Andre
[1] https://qa.debian.org/popcon.php?package=tasksel
===
# audit2allow --boot
#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read search };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };
#============= alsa_t ==============
#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, var_lock_t, etc_t, tmpfs_t, user_home_dir_t, root_t, tmp_t, user_tmp_t, pulseaudio_tmpfsfile, alsa_etc_rw_t, user_home_t
allow alsa_t var_run_t:dir write;
#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;
#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;
#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_rules_t, init_var_run_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t
allow systemd_logind_t tmpfs_t:dir write;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;
allow systemd_logind_t xdm_tmpfs_t:dir read;
allow systemd_logind_t xdm_tmpfs_t:file getattr;
#============= udev_t ==============
allow udev_t self:netlink_socket create;
#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
allow unconfined_t self:process execmem;
#============= xdm_t ==============
allow xdm_t init_t:system status;
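As an added example (not part of Andre's message or of the Debian selinux-policy package), here is a small POSIX shell helper that does, offline, the two things the quoted reply asks for: summarise AVC denials the way `audit2allow` does, and list which programs were running in a given source domain such as kernel_t. The audit.log excerpt it parses is constructed for illustration, and the `comm=` values in it are assumptions, not data from the bug report.

```shell
#!/bin/sh
# Added example: triage helpers for SELinux AVC denials.
# The audit.log excerpt below is CONSTRUCTED; it is not taken from the bug
# report and the comm= values are assumptions chosen for illustration.
SAMPLE_AVC='type=AVC msg=audit(1442310000.123:45): avc:  denied  { execmem } for  pid=1234 comm="gnome-shell" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1442310001.456:46): avc:  denied  { start status } for  pid=1 comm="systemd" path="/lib/systemd/system/foo.service" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
type=AVC msg=audit(1442310002.789:47): avc:  denied  { write } for  pid=800 comm="alsactl" name="alsa" dev="tmpfs" ino=12 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1442310003.012:48): avc:  denied  { execmem } for  pid=1240 comm="gnome-shell" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process'

# avc_summary LOG: print one line per distinct denial as
#   source_type target_type:class { perms }
# i.e. the audit2allow rule without the "allow" keyword. A target that is
# the same type as the source is printed as "self", as audit2allow does.
avc_summary() {
    printf '%s\n' "$1" | awk '
    /type=AVC/ && /denied/ {
        st = tt = tc = ""
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep text after "denied  {"
        sub(/ *[}].*/, "", perms)           # drop everything from " }" on
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], s, ":"); st = s[3] }
            if (kv[1] == "tcontext") { split(kv[2], t, ":"); tt = t[3] }
            if (kv[1] == "tclass")   tc = kv[2]
        }
        if (tt == st) tt = "self"
        printf "%s %s:%s { %s }\n", st, tt, tc, perms
    }' | sort -u
}

# avc_comms_in_domain DOMAIN LOG: list the programs (comm=) that generated
# denials while running in DOMAIN. This answers "what was running as
# kernel_t?", which tells you which file needs restorecon so that the process
# starts in its intended domain instead. Assumes comm= values have no spaces.
avc_comms_in_domain() {
    printf '%s\n' "$2" | awk -v dom="$1" '
    /type=AVC/ {
        c = ""; st = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                c = $i; sub(/^comm="?/, "", c); sub(/"$/, "", c)
            }
            if ($i ~ /^scontext=/) {
                split($i, kv, "="); split(kv[2], s, ":"); st = s[3]
            }
        }
        if (st == dom && c != "") print c
    }' | sort -u
}

avc_summary "$SAMPLE_AVC"
echo "--- programs that ran as kernel_t:"
avc_comms_in_domain kernel_t "$SAMPLE_AVC"

# On a real machine the same questions are answered with the audit tools:
#   ausearch -m avc -ts boot | audit2allow
#   ausearch -m avc -ts boot | grep 'scontext=[^ ]*:kernel_t:'
# and the execmem/execstack denials are allowed persistently (the -P flag
# survives reboots, unlike the plain setsebool calls in the message) with:
#   setsebool -P allow_execmem on
#   setsebool -P allow_execstack on
```

The output of `avc_summary` matches the "allow ..." lines on this page, minus the keyword, so the helper is useful for a quick look before running `audit2allow` for real. Note that the two booleans loosen the W^X memory checks for every process in unconfined_t, which is still preferable to writing a custom allow rule for the same denial, but it is a policy-wide trade-off rather than a fix for the one application.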