Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.2.5-19.fc9.noarch

How reproducible:
Update to current policy

Steps to Reproduce:
1. Log onto system in permissive mode
2. Get sound back but many errors reported
3. Start from error 1

Actual results:
Could not get sound or shut down via shutdown on menu

Expected results:
Able to log in.

Additional info:
Created attachment 293096 [details] console-kit-daemon error search
Created attachment 293098 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "sys_nice" to <Unknown> (system_dbusd_t). Detailed Description Many errors related to SELinux and console-kit-daemon second error
Created attachment 293099 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "sys_ptrace" to <Unknown> (system_dbusd_t).
Created attachment 293100 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to /proc/2643/stat (polkit_auth_t).
Created attachment 293102 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to /var/log/ConsoleKit/history (var_log_t).
Created attachment 293103 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to /proc/2403/stat (xdm_t).
Created attachment 293104 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "read" to <Unknown> (var_log_t)
Created attachment 293105 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "search" to <Unknown> (hald_t).
Created attachment 293106 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "search" to <Unknown> (var_log_t).
Created attachment 293107 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "search" to <Unknown> (xdm_t).
Created attachment 293108 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "sys_nice" to <Unknown> (system_dbusd_t).
Created attachment 293109 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "sys_ptrace" to <Unknown> (system_dbusd_t).
Created attachment 293110 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to /proc/2152/stat (hald_t).
Created attachment 293111 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to /proc/2947/stat (polkit_auth_t).
Created attachment 293112 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to /proc/2939/environ (unconfined_t).
Created attachment 293113 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "ptrace" to <Unknown> (hald_t).
Created attachment 293114 [details] SELinux prevented console-kit-dae(/usr/sbin/console-kit-daemon) from using the terminal <Unknown>
Created attachment 293115 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "search" to <Unknown> (system_crond_var_lib_t).
Created attachment 293116 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getattr" to pipe (system_dbusd_t).
Created attachment 293118 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getsched" to <Unknown> (system_dbusd_t).
Created attachment 293119 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "getsched" to <Unknown> (system_dbusd_t).
Created attachment 293120 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (system_dbusd_t) "setattr" to <Unknown> (var_log_t).
End of SELinux error bomb related to console-kit-daemon. Some descriptions could be off in early attachments.
As reported on selinux-list, there is one additional AVC that only shows its head when 'semodule -DB' is run:

type=AVC msg=audit(1201380657.580:110): avc: denied { sys_tty_config } for pid=2474 comm="console-kit-dae" capability=26 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=SYSCALL msg=audit(1201380657.580:110): arch=40000003 syscall=54 success=yes exit=0 a0=c a1=5603 a2=bfd48356 a3=c items=0 ppid=1 pid=2474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

or

#============= system_dbusd_t ==============
allow system_dbusd_t self:capability sys_tty_config;

This appears needed for console-kit both for "sound" as well as for "shutdown".
Created attachment 293160 [details] Module to workaround most "sound" issues
First of 3 .te files that seem to work around sound and shutdown issues. The first 2 were done with "blunt hammer": all generated AVCs were fed to "audit2allow -M". This one captures the sound related AVCs.
Created attachment 293161 [details] .te generated for shutdown issues
.te file generated from AVCs generated after selecting "shutdown" from GNOME menu.
Created attachment 293162 [details] "Magic" allow needed by both sound and shutdown
This last AVC only appeared when I turned off the "dontaudit" rules via "semodule -DB". Adding this with the previous 2 makes both "sound" and "shutdown" work.
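The workaround modules above were built by feeding every logged AVC to "audit2allow -M". As an added example (not code from this report or from the SELinux tools), the Python below shows how such denials collapse into allow rules and which granted permissions deserve a look before the module is loaded. The first sample record is the AVC quoted in this report; the other two are constructed from the attachment summaries, and the REVIEW list is an assumption of the example.

```python
import re
from collections import defaultdict

# First record is the AVC quoted in the report; the other two are constructed
# to match denials summarised in the attachments (ids and timestamps made up).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1201380657.580:110): avc: denied { sys_tty_config } for pid=2474 comm="console-kit-dae" capability=26 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=AVC msg=audit(1201380700.000:111): avc: denied { sys_ptrace } for pid=2474 comm="console-kit-dae" capability=19 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
type=AVC msg=audit(1201380701.000:112): avc: denied { getattr } for pid=2474 comm="console-kit-dae" path="/var/log/ConsoleKit/history" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

# Permissions to check by hand before loading a generated module.
# This short list is an assumption of the example, not a complete one.
REVIEW = {"sys_ptrace", "ptrace", "sys_admin", "dac_override"}

def collect_rules(log_text):
    """Group denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        src, tgt = (m[k].split(":")[2] for k in ("s", "t"))  # user:role:type
        if src == tgt:
            tgt = "self"  # same source and target type is written as "self"
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    return rules

def render(rules):
    """Return (allow rule lines, [(source_type, perm)] needing review)."""
    lines, flagged = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
        flagged += [(src, p) for p in plist if p in REVIEW]
    return lines, flagged

if __name__ == "__main__":
    lines, flagged = render(collect_rules(SAMPLE_AUDIT_LOG))
    print("\n".join(lines))
    for src, perm in flagged:
        print(f"# review before loading: {src} gains {perm}")
```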
Created attachment 293365 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (consolekit_t) "execute" to <Unknown> (polkit_auth_exec_t).
I don't believe this error was listed; most errors seem to be not present in enforcing. This error was generated during shutdown from the system menu. Error 1 of 2.
Created attachment 293366 [details] SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (consolekit_t) "read" to <Unknown> (usr_t).
Likewise generated when attempting to shut down system from menu. 2 of 2 errors generated.
selinux-policy-3.2.5-21.fc9.noarch fixes these for me.