Bug 1157247
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Problem logging in | | |
| Product: | [Fedora] Fedora | Reporter: | bodhi.zazen <bodhi.zazen> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 21 | CC: | bodhi.zazen, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-02-10 12:25:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
I tried to add policy, mypolicykit, but got an error when adding it
Error:
semanage -i mypolicykit.pp
usage: semanage [-h]
{import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
semanage: error: argument subcommand: invalid choice: '\x8f\xff|\xf9\x01\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x8d\xff|\xf9\x0f\x00\x00\x00SE' (choose from 'import', 'export', 'login', 'user', 'port', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')
Here is the .te
module mypolicykit 1.0;
require {
type staff_t;
type policykit_auth_t;
type config_home_t;
type init_t;
class unix_stream_socket connectto;
class dir write;
class file { write read getattr open };
}
#============= policykit_auth_t ==============
allow policykit_auth_t config_home_t:dir write;
allow policykit_auth_t config_home_t:file write;
allow policykit_auth_t init_t:file { read getattr open };
allow policykit_auth_t staff_t:unix_stream_socket connectto;
I had to add additional policy
module mylogin 1.0;
require {
type staff_t;
type unconfined_service_t;
type xsession_exec_t;
class dbus send_msg;
class file entrypoint;
}
#============= staff_t ==============
allow staff_t unconfined_service_t:dbus send_msg;
allow staff_t xsession_exec_t:file entrypoint;
I had to add all this to allow logging in
module myproblems 1.0;
require {
type staff_t;
type staff_dbusd_t;
type policykit_auth_t;
type init_t;
type pulseaudio_t;
type var_run_t;
type unconfined_service_t;
type setroubleshootd_t;
type mozilla_plugin_t;
type chkpwd_t;
type wtmp_t;
type gpg_agent_t;
type systemd_tmpfiles_t;
type user_devpts_t;
type initrc_exec_t;
type system_dbusd_t;
type fcoemon_exec_t;
type shadow_t;
type xsession_exec_t;
type user_tmp_t;
type systemd_unit_file_t;
type staff_ssh_agent_t;
type usr_t;
type user_home_dir_t;
type lldpad_exec_t;
type policykit_t;
type rpm_var_lib_t;
type xdm_home_t;
type iceauth_home_t;
type initrc_var_run_t;
type xdm_t;
type vmtools_helper_t;
class process { siginh noatsecure rlimitinh };
class unix_stream_socket { read write ioctl };
class chr_file { read write };
class capability net_admin;
class file { write getattr ioctl read open execute };
class sock_file unlink;
class dir { getattr search };
}
#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };
#============= gpg_agent_t ==============
allow gpg_agent_t xdm_home_t:file { write getattr };
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t xdm_home_t:file write;
#============= policykit_auth_t ==============
allow policykit_auth_t iceauth_home_t:file { read getattr open };
allow policykit_auth_t init_t:dir search;
allow policykit_auth_t user_home_dir_t:dir getattr;
allow policykit_auth_t user_tmp_t:file open;
allow policykit_auth_t xdm_home_t:file write;
#============= policykit_t ==============
allow policykit_t policykit_auth_t:process { siginh rlimitinh noatsecure };
#============= pulseaudio_t ==============
allow pulseaudio_t xdm_home_t:file write;
#============= setroubleshootd_t ==============
allow setroubleshootd_t rpm_var_lib_t:file write;
allow setroubleshootd_t var_run_t:sock_file unlink;
#============= staff_dbusd_t ==============
allow staff_dbusd_t staff_t:process { siginh rlimitinh noatsecure };
allow staff_dbusd_t systemd_unit_file_t:dir getattr;
allow staff_dbusd_t xdm_home_t:file write;
#============= staff_ssh_agent_t ==============
allow staff_ssh_agent_t staff_t:process { siginh rlimitinh noatsecure };
allow staff_ssh_agent_t xdm_home_t:file write;
#============= staff_t ==============
allow staff_t fcoemon_exec_t:file { read getattr execute };
allow staff_t gpg_agent_t:process { siginh rlimitinh noatsecure };
allow staff_t initrc_exec_t:file execute;
allow staff_t initrc_var_run_t:file write;
allow staff_t lldpad_exec_t:file { read getattr execute };
allow staff_t mozilla_plugin_t:process { siginh rlimitinh };
allow staff_t policykit_auth_t:process { siginh rlimitinh noatsecure };
allow staff_t pulseaudio_t:process { siginh rlimitinh noatsecure };
allow staff_t staff_dbusd_t:process { siginh rlimitinh noatsecure };
allow staff_t staff_dbusd_t:unix_stream_socket { read write ioctl };
allow staff_t staff_ssh_agent_t:process { siginh rlimitinh noatsecure };
allow staff_t vmtools_helper_t:process { siginh rlimitinh noatsecure };
allow staff_t wtmp_t:file write;
allow staff_t xsession_exec_t:file { read ioctl open getattr };
#============= system_dbusd_t ==============
allow system_dbusd_t setroubleshootd_t:process { siginh rlimitinh noatsecure };
allow system_dbusd_t unconfined_service_t:process { siginh rlimitinh noatsecure };
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t self:capability net_admin;
#============= xdm_t ==============
allow xdm_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t shadow_t:file { read getattr open };
allow xdm_t staff_t:process { siginh noatsecure };
allow xdm_t usr_t:file write;
Any chance you could try to execute # restorecon -R -v /usr/bin /usr/sbin to see if there are mislabeled files? And if I see correctly, you use KDE?

I use primarily KDE, but I am testing gnome and xfce a bit for Fedora 21. Yes, I ran restorecon and fixfiles (on reboot) before working through all the denials (with audit2why and audit2allow). If it helps, I use confined users, staff_u mainly. I can look at user_u as well.

Looks like you turned off lots of dontaudit rules. Most of these you should not need. What process is running as unconfined_service_t on your machine?
ps -eZ | grep unconfined_service_t
On comment 1 you should use semodule not semanage.

Sorry for comment 1, I noted that after I posted and can not delete it. tab completion fail, lol

ps -eZ | grep unconfined_service_t does not return anything

Updated to most recent selinux policy
I still can not log in with confined users ( staff_u or user_u ) with the default targeted policy.
selinux-policy.noarch 3.13.1-91.fc21 @fedora
selinux-policy-targeted.noarch 3.13.1-91.fc21 @fedora
Some of the problems are silent denials.
After a reboot and relabel of the file system, I logged into kde, gnome-shell, and xfce as a user_u and staff_u and switched users between the two.
I will attach the raw AVC denials (there are tons) and here is my myuser_u.te
module myuser_u 1.0;
require {
type vhost_device_t;
type uhid_device_t;
type systemd_tmpfiles_t;
type unconfined_service_t;
type home_root_t;
type thumb_t;
type mozilla_plugin_t;
type chkpwd_t;
type bluetooth_tmp_t;
type howl_port_t;
type autofs_device_t;
type initrc_exec_t;
type abrt_t;
type user_tmp_t;
type var_run_t;
type initctl_t;
type systemd_logind_t;
type iptables_t;
type selinux_config_t;
type ppp_device_t;
type rpm_t;
type user_gkeyringd_t;
type vmtools_helper_t;
type default_context_t;
type freeipmi_port_t;
type policykit_auth_t;
type auditd_log_t;
type printer_device_t;
type NetworkManager_t;
type user_dbusd_t;
type systemd_logind_var_run_t;
type setroubleshootd_t;
type lvm_control_t;
type memory_device_t;
type insmod_t;
type us_cli_port_t;
type kvm_device_t;
type file_context_t;
type systemd_unit_file_t;
type nvram_device_t;
type config_home_t;
type firewalld_t;
type rpm_tmp_t;
type pulseaudio_port_t;
type apm_bios_t;
type xdm_home_t;
type device_t;
type iceauth_home_t;
type getty_t;
type netcontrol_device_t;
type staff_t;
type semanage_store_t;
type pulseaudio_t;
type iceauth_t;
type initrc_t;
type wtmp_t;
type user_devpts_t;
type dhcpc_t;
type ms_streaming_port_t;
type fcoemon_exec_t;
type power_unit_file_t;
type telepathy_mission_control_t;
type ssh_t;
type lldpad_exec_t;
type policykit_t;
type rpm_var_lib_t;
type usbmon_device_t;
type init_var_run_t;
type condor_port_t;
type user_t;
type staff_gkeyringd_t;
type xdm_t;
type unconfined_t;
type staff_dbusd_t;
type tty_device_t;
type init_t;
type usr_t;
type ricci_port_t;
type sysfs_t;
type system_dbusd_t;
type local_login_t;
type gpg_agent_t;
type shadow_t;
type xsession_exec_t;
type loop_control_device_t;
type staff_ssh_agent_t;
type unreserved_port_t;
type user_home_dir_t;
type abrt_watch_log_exec_t;
type framebuf_device_t;
type var_lib_t;
type clock_device_t;
type readahead_t;
type staff_sudo_t;
type user_ssh_agent_t;
type initrc_var_run_t;
type bin_t;
type tmpfs_t;
class fifo_file getattr;
class service status;
class process { siginh execmem noatsecure rlimitinh };
class unix_stream_socket { write connectto ioctl read getattr };
class dbus send_msg;
class chr_file { read write getattr };
class capability { setuid dac_read_search sys_admin sys_module net_admin dac_override };
class tcp_socket name_bind;
class file { execute read lock create getattr write ioctl entrypoint open };
class sock_file unlink;
class udp_socket name_bind;
class dir { search read mounton write getattr };
}
#============= NetworkManager_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow NetworkManager_t dhcpc_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow NetworkManager_t initrc_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow NetworkManager_t self:capability sys_module;
#============= abrt_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow abrt_t rpm_var_lib_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow abrt_t self:capability net_admin;
#============= chkpwd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow chkpwd_t tty_device_t:chr_file { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow chkpwd_t user_devpts_t:chr_file { read write };
#============= firewalld_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow firewalld_t iptables_t:process { siginh noatsecure rlimitinh };
#============= getty_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow getty_t local_login_t:process { siginh noatsecure rlimitinh };
#============= gpg_agent_t ==============
#!!!! This avc is allowed in the current policy
allow gpg_agent_t user_tmp_t:file { create open };
#!!!! This avc has a dontaudit rule in the current policy
allow gpg_agent_t xdm_home_t:file { write getattr };
#============= iceauth_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow iceauth_t xdm_home_t:file write;
#============= iptables_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow iptables_t insmod_t:process { siginh noatsecure rlimitinh };
#============= local_login_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow local_login_t chkpwd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow local_login_t self:capability net_admin;
#!!!! This avc has a dontaudit rule in the current policy
allow local_login_t unconfined_t:process { siginh noatsecure };
#============= mozilla_plugin_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow mozilla_plugin_t xdm_home_t:file write;
#============= policykit_auth_t ==============
allow policykit_auth_t config_home_t:dir write;
allow policykit_auth_t config_home_t:file write;
allow policykit_auth_t home_root_t:dir read;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t iceauth_home_t:file { read getattr open };
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t init_t:dir search;
allow policykit_auth_t init_t:file { read getattr open };
allow policykit_auth_t staff_t:unix_stream_socket connectto;
allow policykit_auth_t tmpfs_t:file { read write };
allow policykit_auth_t user_home_dir_t:dir write;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t user_home_dir_t:dir { read getattr search };
allow policykit_auth_t user_t:unix_stream_socket connectto;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t user_tmp_t:file open;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t xdm_home_t:file write;
#============= policykit_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_t policykit_auth_t:process { siginh noatsecure rlimitinh };
#============= pulseaudio_t ==============
allow pulseaudio_t self:process execmem;
#!!!! This avc has a dontaudit rule in the current policy
allow pulseaudio_t staff_t:unix_stream_socket { read write };
allow pulseaudio_t user_home_dir_t:file create;
#!!!! This avc has a dontaudit rule in the current policy
allow pulseaudio_t user_t:unix_stream_socket { read write };
#!!!! This avc is allowed in the current policy
allow pulseaudio_t user_tmp_t:file execute;
#!!!! This avc has a dontaudit rule in the current policy
allow pulseaudio_t xdm_home_t:file write;
#============= readahead_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t auditd_log_t:file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t default_context_t:file { read open };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t file_context_t:file { read open };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t selinux_config_t:file { read ioctl open getattr };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t semanage_store_t:file { read ioctl open getattr };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t shadow_t:file { read open };
#============= setroubleshootd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow setroubleshootd_t rpm_var_lib_t:dir write;
#!!!! This avc has a dontaudit rule in the current policy
allow setroubleshootd_t rpm_var_lib_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow setroubleshootd_t self:capability net_admin;
allow setroubleshootd_t user_t:dbus send_msg;
allow setroubleshootd_t var_lib_t:file { read lock open };
allow setroubleshootd_t var_run_t:sock_file unlink;
#============= staff_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t staff_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t staff_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t systemd_unit_file_t:dir getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t telepathy_mission_control_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t thumb_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t xdm_home_t:file write;
#============= staff_gkeyringd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_gkeyringd_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_gkeyringd_t staff_t:unix_stream_socket { read write getattr };
#============= staff_ssh_agent_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_ssh_agent_t staff_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_ssh_agent_t xdm_home_t:file write;
#============= staff_sudo_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_sudo_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow staff_sudo_t init_var_run_t:fifo_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_sudo_t unconfined_t:process { siginh noatsecure rlimitinh };
#============= staff_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t abrt_watch_log_exec_t:file { read execute getattr };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t apm_bios_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t autofs_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t bluetooth_tmp_t:fifo_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t chkpwd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t clock_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t condor_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t fcoemon_exec_t:file { read getattr execute };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t framebuf_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t freeipmi_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t gpg_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t howl_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t iceauth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t initctl_t:fifo_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t initrc_exec_t:file execute;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t initrc_var_run_t:file write;
#!!!! This avc can be allowed using the boolean 'staff_use_svirt'
allow staff_t kvm_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t lldpad_exec_t:file { read getattr execute };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t loop_control_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t lvm_control_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t memory_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t mozilla_plugin_t:process { siginh rlimitinh };
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t ms_streaming_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t netcontrol_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t nvram_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t policykit_auth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t ppp_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t printer_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t pulseaudio_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t pulseaudio_t:process { siginh noatsecure rlimitinh };
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t ricci_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t rpm_tmp_t:dir getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t self:capability net_admin;
#!!!! This avc is allowed in the current policy
allow staff_t self:capability { setuid sys_admin };
allow staff_t self:capability { dac_read_search dac_override };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t ssh_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_dbusd_t:process { siginh noatsecure rlimitinh };
allow staff_t staff_dbusd_t:unix_stream_socket ioctl;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_ssh_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_sudo_t:process { siginh noatsecure rlimitinh };
allow staff_t sysfs_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t uhid_device_t:chr_file getattr;
allow staff_t unconfined_service_t:dbus send_msg;
#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, selinuxuser_tcp_server
allow staff_t unreserved_port_t:tcp_socket name_bind;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t us_cli_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t usbmon_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t vhost_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t vmtools_helper_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t wtmp_t:file write;
allow staff_t xsession_exec_t:file entrypoint;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t xsession_exec_t:file { read ioctl open getattr };
#============= system_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t abrt_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t setroubleshootd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t unconfined_service_t:process { siginh noatsecure rlimitinh };
#============= systemd_logind_t ==============
#!!!! This avc is allowed in the current policy
allow systemd_logind_t self:capability sys_admin;
#!!!! This avc is allowed in the current policy
allow systemd_logind_t tmpfs_t:dir read;
allow systemd_logind_t unconfined_service_t:dbus send_msg;
#!!!! This avc is allowed in the current policy
allow systemd_logind_t user_tmp_t:dir mounton;
#============= systemd_tmpfiles_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow systemd_tmpfiles_t self:capability net_admin;
#============= telepathy_mission_control_t ==============
allow telepathy_mission_control_t bin_t:file execute;
#!!!! This avc has a dontaudit rule in the current policy
allow telepathy_mission_control_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow telepathy_mission_control_t user_dbusd_t:unix_stream_socket { read write };
#============= thumb_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t user_dbusd_t:unix_stream_socket { read write };
#============= user_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t systemd_unit_file_t:dir getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t telepathy_mission_control_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t thumb_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t user_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t xdm_home_t:file write;
#============= user_gkeyringd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_gkeyringd_t user_t:unix_stream_socket { read write getattr };
#============= user_ssh_agent_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_ssh_agent_t user_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_ssh_agent_t xdm_home_t:file write;
#============= user_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_t gpg_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t iceauth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t init_var_run_t:dir read;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t initrc_var_run_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t policykit_auth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t pulseaudio_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t rpm_t:dbus send_msg;
allow user_t self:capability net_admin;
allow user_t setroubleshootd_t:dbus send_msg;
allow user_t sysfs_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t systemd_logind_var_run_t:dir read;
allow user_t unconfined_service_t:dbus send_msg;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_dbusd_t:process { siginh noatsecure rlimitinh };
allow user_t user_dbusd_t:unix_stream_socket ioctl;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_ssh_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t vmtools_helper_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t wtmp_t:file write;
allow user_t xsession_exec_t:file entrypoint;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t xsession_exec_t:file { read ioctl open getattr };
#============= xdm_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow xdm_t power_unit_file_t:service status;
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t shadow_t:file { read getattr open };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t staff_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t staff_t:process { siginh noatsecure };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t user_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t user_t:process { siginh noatsecure };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t usr_t:file write;
Created attachment 952789 [details]
Raw AVC denials 11-01-2014
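The module above is typical audit2allow output: most rules carry a `#!!!!` annotation saying the denial is already dontaudit'ed, already allowed, or switchable by a boolean, and only the un-annotated rules are real policy gaps. The following script is an added example (not code from this bug report or from the Fedora policy project) that triages such a file by those annotations and renders a module containing only the genuine gaps. The `SAMPLE_TE` excerpt is constructed for the demonstration in the same layout as audit2allow's output; the module name `mygaps` is an arbitrary choice.

```python
"""Triage an audit2allow-generated .te file.

audit2allow marks rules it considers noise with "#!!!!" comments: the
denial is covered by a dontaudit rule, is already allowed, or can be
enabled with a boolean. Only the un-annotated rules are real gaps, so a
module built from those alone is much smaller (and does not re-enable
accesses the distribution policy silences on purpose).
"""
import re
from collections import defaultdict

# Constructed sample in the shape of audit2allow's annotated output
# (not the module from the bug report, only the same layout).
SAMPLE_TE = """\
module myuser_u 1.0;

require {
    type staff_t;
    type xsession_exec_t;
    type condor_port_t;
    type unreserved_port_t;
    class file { entrypoint read ioctl open getattr };
    class udp_socket name_bind;
    class tcp_socket name_bind;
    class capability { setuid sys_admin };
}

#============= staff_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t xsession_exec_t:file { read ioctl open getattr };
allow staff_t xsession_exec_t:file entrypoint;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t condor_port_t:udp_socket name_bind;
#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, selinuxuser_tcp_server
allow staff_t unreserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow staff_t self:capability { setuid sys_admin };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")
BOOL_RE = re.compile(r"'([A-Za-z0-9_]+)'")


def triage_te(text):
    """Return {category: [rule, ...]} with category one of
    'dontaudit', 'allowed', 'boolean' or 'gap'."""
    result = defaultdict(list)
    pending = None      # annotation waiting for the rule that follows it
    booleans = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#!!!!"):
            if "dontaudit rule" in line:
                pending = "dontaudit"
            elif "is allowed in the current policy" in line:
                pending = "allowed"
            elif "can be allowed using" in line:
                pending = "boolean"
                booleans = BOOL_RE.findall(line)
            continue
        if line.startswith("#") and pending == "boolean" and not booleans:
            # continuation line listing several booleans, comma separated
            booleans = [b.strip() for b in line[1:].split(",") if b.strip()]
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue    # module/require lines and section banners
        src, tgt, cls, perms = m.groups()
        result[pending or "gap"].append({
            "source": src, "target": tgt, "class": cls,
            "perms": perms.strip("{} ").split(), "booleans": booleans,
        })
        pending, booleans = None, []
    return dict(result)


def minimal_module(text, name="mygaps"):
    """Render a .te holding only the 'gap' rules plus the require block
    they need (types, and per-class permission sets)."""
    gaps = triage_te(text).get("gap", [])
    types = sorted({r["source"] for r in gaps}
                   | {r["target"] for r in gaps if r["target"] != "self"})
    classes = defaultdict(set)
    for r in gaps:
        classes[r["class"]].update(r["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for r in gaps:
        perms = (r["perms"][0] if len(r["perms"]) == 1
                 else "{ " + " ".join(r["perms"]) + " }")
        out.append(f"allow {r['source']} {r['target']}:{r['class']} {perms};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for category, rules in triage_te(SAMPLE_TE).items():
        print(f"{category}: {len(rules)} rule(s)")
    print(minimal_module(SAMPLE_TE))
```

Rules in the `dontaudit` bucket are accesses the distribution policy deliberately silences; they only show up after dontaudit rules were disabled, and `semodule -B` (as suggested later in this thread) rebuilds the policy with them back in place. Rules in the `boolean` bucket are better handled with `setsebool` than with a local module.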
Could you turn dontaudit rules on to clean it up: # semodule -B, and then try to log in to Gnome as staff_u in permissive mode and run # ausearch -m avc,user_avc -ts recent

I don't see this problem.

This is what I got:
----
time->Mon Nov 3 16:11:56 2014
type=USER_AVC msg=audit(1415056316.318:468): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Nov 3 16:11:56 2014
type=USER_AVC msg=audit(1415056316.318:469): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Nov 3 16:11:56 2014
type=PROCTITLE msg=audit(1415056316.572:474): proctitle=2F62696E2F7368002F6574632F6B64652F6B646D2F5873657373696F6E00676E6F6D652D73657373696F6E
type=SYSCALL msg=audit(1415056316.572:474): arch=c000003e syscall=59 success=yes exit=0 a0=7fd74c28d0b0 a1=7fd74c28d090 a2=7fd74c2a7cd0 a3=21 items=0 ppid=3072 pid=3153 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="Xsession" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1415056316.572:474): avc: denied { entrypoint } for pid=3153 comm="kdm" path="/etc/kde/kdm/Xsession" dev="dm-2" ino=131925 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xsession_exec_t:s0 tclass=file permissive=1
However .... I think the silent denials are also causing problems.
Those avc denials result in
cat mystaff_u.te
module mystaff_u 1.0;
require {
type staff_t;
type xsession_exec_t;
class file entrypoint;
}
#============= staff_t ==============
allow staff_t xsession_exec_t:file entrypoint;
and after adding that to my semodules, I still can not log in as staff_u
[root@daemon selinux]# ausearch -m avc,user_avc -ts recent | audit2why
[root@daemon selinux]#
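The `ausearch -m avc,user_avc` output above mixes USER_AVC notices, SYSCALL and PROCTITLE records with the one `type=AVC` denial that matters, and `audit2why` returning nothing is what a fully dontaudit'ed denial looks like. The following script is an added example (not code from this bug report or from the audit2allow tool) that parses raw audit records, keeps only AVC denials, and groups them by source type, target type and class into the same allow-rule shape audit2allow prints. The first AVC record in `SAMPLE_AUDIT` is the denial quoted in the thread; the second AVC record and the field values in it are constructed for the demonstration.

```python
"""Group raw audit AVC records into audit2allow-style allow rules."""
import re
from collections import defaultdict

# Sample input: the USER_AVC notice and the first AVC denial are the ones
# pasted in the thread; the last AVC record is constructed for the demo.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1415056316.318:468): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1415056316.572:474): avc: denied { entrypoint } for pid=3153 comm="kdm" path="/etc/kde/kdm/Xsession" dev="dm-2" ino=131925 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xsession_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1415056320.100:480): avc: denied { read open } for pid=3160 comm="Xsession" path="/etc/kde/kdm/Xsession" dev="dm-2" ino=131925 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xsession_exec_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for "
    r"(?P<rest>.*?)scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)
# key=value pairs, quoted ("kdm") or bare (3153)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avcs(text):
    """Return one dict per AVC denial; other record types are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue    # USER_AVC notices, SYSCALL, PROCTITLE, ... are not denials
        kv = {k: (q or u) for k, q, u in KV_RE.findall(m.group("rest"))}
        events.append({
            "perms": m.group("perms").split(),
            "comm": kv.get("comm"),
            "path": kv.get("path"),
            # context is user:role:type[:range]; the type is what policy rules use
            "source": m.group("scontext").split(":")[2],
            "target": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            # permissive=1 means the access went ahead despite the denial
            "permissive": m.group("permissive") == "1",
        })
    return events


def summarize(events):
    """Collapse denials into {(source, target, class): sorted perms}."""
    rules = defaultdict(set)
    for e in events:
        rules[(e["source"], e["target"], e["tclass"])].update(e["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def as_allow_rules(summary):
    """Render the summary as policy 'allow' statements."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out


if __name__ == "__main__":
    events = parse_avcs(SAMPLE_AUDIT)
    print(f"{len(events)} denial(s), "
          f"{sum(e['permissive'] for e in events)} logged in permissive mode")
    for rule in as_allow_rules(summarize(events)):
        print(rule)
```

Note what `permissive=1` tells you: the access was logged but not blocked, so if login still fails in permissive mode the blocking denial is not among the records this parser sees at all. That is the "silent denial" case in this thread, and the only way to make those visible is to rebuild the policy without its dontaudit rules (`semodule -DB`) and re-run the search, then restore them with `semodule -B`.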
Ok what does ps -efZ |grep kdm

[root@daemon ~]# ps -efZ |grep kdm
system_u:system_r:kernel_t:s0 root 433 2 0 17:36 ? 00:00:00 [kdmflush]
system_u:system_r:kernel_t:s0 root 509 2 0 17:36 ? 00:00:00 [kdmflush]
system_u:system_r:kernel_t:s0 root 517 2 0 17:36 ? 00:00:00 [kdmflush]
system_u:system_r:kernel_t:s0 root 744 2 0 17:36 ? 00:00:00 [kdmflush]
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 888 1 0 17:37 ? 00:00:00 /usr/bin/kdm vt1
system_u:system_r:xserver_t:s0-s0:c0.c1023 root 1041 888 6 17:37 tty1 00:02:20 /usr/libexec/Xorg.bin :0 vt1 -background none -nolisten tcp -seat seat0 -auth /var/run/kdm/A:0-t0GDma

Lukas, are you able to reproduce it with KDE?

*** Bug 1158260 has been marked as a duplicate of this bug. ***

Update: with most recent policy
selinux-policy.noarch 3.13.1-92.fc21 @fedora
selinux-policy-targeted.noarch 3.13.1-92.fc21 @fedora
I am attaching the AVC denials ;) I can not identify the unconfined service.

Created attachment 956089 [details]
AVC denials 11-10-2014
We have another bug related to this issue with SELinux confined users. Try to execute # chcon -t bin_t /etc/kde/kdm/Xsession for now to see if it works.

Brilliant !!! Thank you so much, I can now log into gnome and kde as both a staff_u and user_u.

FWIW, there are other binaries in that directory
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 Xsession
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xsetup
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xwilling
I am not sure if Xsetup or Xwilling may need to be relabeled or not.

Looks like already fixed in F21. Closing for now.
Created attachment 950799 [details]
Raw AVC denials

Description of problem:
Can not log in with selinux enabled. I am using the targeted policy with confined users (staff_u for now, user_u not tested).
Note: I upgraded from Fedora 20

Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch 3.13.1-85.fc21

How reproducible:
Every time selinux is enabled

Steps to Reproduce:
Log in at the log in screen.

Actual results:
Brief flash to console, login restarts

Expected results:
Successful log in

Additional info:
I am attaching the raw avc denials (policykit)