[DSE-Dev] Bug#781779: Bug#781779: not grave

Andre Florath andre at florath.net
Sat Sep 19 19:00:00 UTC 2015


Hello!

Please note that I'm currently using the latest version of
selinux-policy-default: 2:2.20140421-11

>
> What I really want to know in such cases is whether other desktop environments 
> or other XDM programs work.  If one program breaks it could be an issue with 
> that program.  If multiple programs break it could be something more basic.
> 

I understand, but I'm only using the default (gnome3).

> 
>> #============= alsa_t ==============
>>
>> #!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
>> # pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, var_lock_t, etc_t,
>> tmpfs_t, user_home_dir_t, root_t, tmp_t, user_tmp_t, pulseaudio_tmpfsfile,
>> alsa_etc_rw_t, user_home_t
>>
>> allow alsa_t var_run_t:dir write;
> 
> What is the name of the directory in question?  What is the name of the 
> program running in the alsa_t domain?

It's alsactl:

type=AVC msg=audit(1442688157.512:18): avc:  denied  { write } for  pid=346 comm="alsactl" name="/" dev="tmpfs" ino=6530 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688157.512:18): arch=c000003e syscall=83 success=no exit=-13 a0=b737c0 a1=1c0 a2=ffffffff a3=7f3eca8f4460 items=0 ppid=1 pid=346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="alsactl" exe="/usr/sbin/alsactl" subj=system_u:system_r:alsa_t:s0 key=(null)


>>
>> allow systemd_logind_t tmpfs_t:dir write;
>> allow systemd_logind_t user_tmpfs_t:dir read;
>> allow systemd_logind_t user_tmpfs_t:file getattr;
>> allow systemd_logind_t xdm_tmpfs_t:dir read;
>> allow systemd_logind_t xdm_tmpfs_t:file getattr;
> 
> What are the names of the directories in question?  Use the -v option to 
> audit2allow.
> 

Here are the AVCs:

type=USER_AVC msg=audit(1442688229.804:280): pid=363 uid=105 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.login1.Manager member=SessionRemoved dest=org.freedesktop.DBus spid=357 tpid=355 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1442688229.836:281): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1442688229.848:283): avc:  denied  { read } for  pid=357 comm="systemd-logind" name="gnome-shell" dev="tmpfs" ino=15030 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688229.848:283): arch=c000003e syscall=257 success=no exit=-13 a0=15 a1=7f2b62a19d03 a2=f0800 a3=0 items=0 ppid=1 pid=357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PROCTITLE msg=audit(1442688229.848:283): proctitle="/lib/systemd/systemd-logind"
type=AVC msg=audit(1442688229.848:284): avc:  denied  { read } for  pid=357 comm="systemd-logind" name="pulse" dev="tmpfs" ino=14796 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688229.848:284): arch=c000003e syscall=257 success=no exit=-13 a0=15 a1=7f2b62a19d23 a2=f0800 a3=0 items=0 ppid=1 pid=357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PROCTITLE msg=audit(1442688229.848:284): proctitle="/lib/systemd/systemd-logind"
type=AVC msg=audit(1442688229.848:285): avc:  denied  { read } for  pid=357 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14402 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688229.848:285): arch=c000003e syscall=257 success=no exit=-13 a0=15 a1=7f2b62a19d43 a2=f0800 a3=0 items=0 ppid=1 pid=357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PROCTITLE msg=audit(1442688229.848:285): proctitle="/lib/systemd/systemd-logind"
type=AVC msg=audit(1442688229.848:286): avc:  denied  { write } for  pid=357 comm="systemd-logind" name="systemd" dev="tmpfs" ino=14313 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688229.848:286): arch=c000003e syscall=263 success=no exit=-13 a0=16 a1=7f2b62a21d43 a2=0 a3=0 items=0 ppid=1 pid=357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PROCTITLE msg=audit(1442688229.848:286): proctitle="/lib/systemd/systemd-logind"
type=AVC msg=audit(1442688229.848:287): avc:  denied  { write } for  pid=357 comm="systemd-logind" name="systemd" dev="tmpfs" ino=14313 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688229.848:287): arch=c000003e syscall=263 success=no exit=-13 a0=16 a1=7f2b62a21d63 a2=0 a3=0 items=0 ppid=1 pid=357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PROCTITLE msg=audit(1442688229.848:287): proctitle="/lib/systemd/systemd-logind"
type=AVC msg=audit(1442688229.848:288): avc:  denied  { write } for  pid=357 comm="systemd-logind" name="/" dev="tmpfs" ino=14174 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442688229.848:288): arch=c000003e syscall=263 success=no exit=-13 a0=15 a1=7f2b62a19d63 a2=200 a3=0 items=0 ppid=1 pid=357 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=PROCTITLE msg=audit(1442688229.848:288): proctitle="/lib/systemd/systemd-logind"
type=USER_AVC msg=audit(1442688229.852:289): pid=363 uid=105 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.login1.Manager member=UserRemoved dest=org.freedesktop.DBus spid=357 tpid=355 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?

Hope this helps.

Kind regards

Andre
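
The following is an added example, not part of the original message or of any SELinux tool: a small Python parser that groups AVC denials like the ones above by source type, target type and class, and lists the object names behind each rule in the allow-rule form quoted earlier. The function names are hypothetical; the sample records are copied from the log in this message.

```python
import re
from collections import defaultdict

# Sample input: records copied from the log in this message (wrapped lines rejoined).
SAMPLE = '''\
type=AVC msg=audit(1442688157.512:18): avc:  denied  { write } for  pid=346 comm="alsactl" name="/" dev="tmpfs" ino=6530 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1442688229.848:283): avc:  denied  { read } for  pid=357 comm="systemd-logind" name="gnome-shell" dev="tmpfs" ino=15030 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1442688229.848:283): proctitle="/lib/systemd/systemd-logind"
type=AVC msg=audit(1442688229.848:284): avc:  denied  { read } for  pid=357 comm="systemd-logind" name="pulse" dev="tmpfs" ino=14796 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1442688229.848:286): avc:  denied  { write } for  pid=357 comm="systemd-logind" name="systemd" dev="tmpfs" ino=14313 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
'''

DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> permissions and objects denied."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m is None:
            continue  # SYSCALL, PROCTITLE and other non-denial records
        f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        key = (se_type(f["scontext"]), se_type(f["tcontext"]), f["tclass"])
        groups[key]["perms"].update(m.group(1).split())
        # name= is only the last path component; dev and ino identify the object.
        groups[key]["objects"].add((f.get("comm"), f.get("name"), f.get("dev"), f.get("ino")))
    return dict(groups)

def render(groups):
    """Format each group as an allow rule preceded by the objects that triggered it."""
    lines = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        for comm, name, dev, ino in sorted(g["objects"], key=str):
            lines.append(f"# {comm}: name={name} dev={dev} ino={ino}")
        lines.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarize(SAMPLE)))
```
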


