Bug 430437
Description
Jim Cornette
2008-01-28 02:04:51 UTC
Created attachment 293096 [details]
console-kit-daemon error search
Created attachment 293098 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "sys_nice" to <Unknown> (system_dbusd_t). Detailed Description
Many errors related to SELinux and console-kit-daemon second error
Created attachment 293099 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "sys_ptrace" to <Unknown> (system_dbusd_t).
Created attachment 293100 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to /proc/2643/stat (polkit_auth_t).
Created attachment 293102 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to /var/log/ConsoleKit/history (var_log_t).
Created attachment 293103 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to /proc/2403/stat (xdm_t).
Created attachment 293104 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "read" to <Unknown> (var_log_t)
Created attachment 293105 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "search" to <Unknown> (hald_t).
Created attachment 293106 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "search" to <Unknown> (var_log_t).
Created attachment 293107 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "search" to <Unknown> (xdm_t).
Created attachment 293108 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "sys_nice" to <Unknown> (system_dbusd_t).
Created attachment 293109 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "sys_ptrace" to <Unknown> (system_dbusd_t).
Created attachment 293110 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to /proc/2152/stat (hald_t).
Created attachment 293111 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to /proc/2947/stat (polkit_auth_t).
Created attachment 293112 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to /proc/2939/environ (unconfined_t).
Created attachment 293113 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "ptrace" to <Unknown> (hald_t).
Created attachment 293114 [details]
SELinux prevented console-kit-dae(/usr/sbin/console-kit-daemon) from using the
terminal <Unknown>
Created attachment 293115 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "search" to <Unknown> (system_crond_var_lib_t).
Created attachment 293116 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getattr" to pipe (system_dbusd_t).
Created attachment 293118 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getsched" to <Unknown> (system_dbusd_t).
Created attachment 293119 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "getsched" to <Unknown> (system_dbusd_t).
Created attachment 293120 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon)
(system_dbusd_t) "setattr" to <Unknown> (var_log_t).
End of SELinux error bomb related to console-kit-daemon
Some descriptions could be off in early attachments.
As reported on selinux-list, there is one additional AVC that only shows its head when 'semodule -DB' is run:

type=AVC msg=audit(1201380657.580:110): avc: denied { sys_tty_config } for pid=2474 comm="console-kit-dae" capability=26 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=SYSCALL msg=audit(1201380657.580:110): arch=40000003 syscall=54 success=yes exit=0 a0=c a1=5603 a2=bfd48356 a3=c items=0 ppid=1 pid=2474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

or

#============= system_dbusd_t ==============
allow system_dbusd_t self:capability sys_tty_config;

This appears needed for console-kit both for "sound" as well as for "shutdown".
Created attachment 293160 [details]
Module to workaround most "sound" issues
First of 3 .te files that seem to workaround sound and shutdown issues.
The first 2 were done with "blunt hammer": all generated AVCs were fed to
"audit2allow -M".
This one captures the sound related AVCs.
Created attachment 293161 [details]
.te generated for shutdown issues
.te file generated from AVCs generated after selecting "shutdown" from gnome
menu.
Created attachment 293162 [details]
"Magic" allow needed by both sound and shutdown
This last AVC only appeared when I turned off the "dontaudit" rules via
"semodule -DB".
Adding this with the previous 2 makes both "sound" and "shutdown" work.
Created attachment 293365 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (consolekit_t) "execute" to <Unknown> (polkit_auth_exec_t).
I don't believe this error was listed, most errors seem to be not present in
enforcing. This error was generated during shutdown from the system menu. Error
1 of 2
Created attachment 293366 [details]
SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (consolekit_t) "read" to <Unknown> (usr_t).
Likewise generated when attempting to shut down system from menu. 2 of 2 errors
generated.
selinux-policy-3.2.5-21.fc9.noarch fixes these for me.