* allow statement OK?
From: Bill Chimiak @ 2007-11-09 17:38 UTC (permalink / raw)
To: selinux
I got a

avc: denied { search } for comm="pam_console_app" dev=sdb6 egid=650 euid=0
exe="/sbin/pam_console_apply" exit=-13 fsgid=650 fsuid=0 gid=650 items=0
name="gdm" pid=2693 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
sgid=650 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0
tclass=dir tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0

audit2allow recommended:

allow pam_console_t xserver_log_t:dir search;

Is this a reasonable module for me to add? To me it seems benign.
--
William Chimiak
Laboratory for Telecommunications Sciences
8080 Greenmead Road
College Park, MD
240-949-2778
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: allow statement OK?
From: Daniel J Walsh @ 2007-11-14 20:19 UTC (permalink / raw)
To: w.chimiak; +Cc: selinux
Bill Chimiak wrote:
> I got a
>
> avc: denied { search } for comm="pam_console_app" dev=sdb6 egid=650 euid=0
> exe="/sbin/pam_console_apply" exit=-13 fsgid=650 fsuid=0 gid=650 items=0
> name="gdm" pid=2693 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
> sgid=650 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0
> tclass=dir tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
>
>
> audit2allow recommended:
>
> allow pam_console_t xserver_log_t:dir search;
>
> Is this a reasonable module for me to add? To me it seems benign.
>
This is probably caused by a redirection of stdout/stderr to the
xserver.log. So when a confined app starts, the kernel checks the
access and closes the open file descriptors. You could safely dontaudit
this access.

dontaudit pam_console_t xserver_log_t:dir search_dir_perms;
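Added example, not part of either message above: a small Python parser for the AVC record quoted in this thread that derives the rule audit2allow suggested, plus the same rule as a dontaudit. The function names are hypothetical, and the output uses the raw permission from the record rather than the search_dir_perms macro.

```python
import re
import shlex

# The denial quoted in the thread, wrapped across lines as in the mail.
AVC_FROM_THREAD = """\
avc: denied { search } for comm="pam_console_app" dev=sdb6 egid=650 euid=0
exe="/sbin/pam_console_apply" exit=-13 fsgid=650 fsuid=0 gid=650 items=0
name="gdm" pid=2693 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
sgid=650 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0
tclass=dir tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)


def context_type(context):
    # Context is user:role:type[:mls-range]. The MLS range can itself contain
    # ':' (s0-s0:c0.c1023), so split at most three times, never take [-1].
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a full SELinux context: %r" % context)
    return parts[2]


def parse_avc(record):
    """Parse one (possibly line-wrapped) AVC record into the rule inputs."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("no AVC record found")
    result, perms, rest = m.groups()
    # shlex splits on whitespace (newlines included) and strips the quotes.
    fields = dict(t.split("=", 1) for t in shlex.split(rest) if "=" in t)
    return {
        "result": result,
        "perms": perms.split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "name": fields.get("name"),  # object that was being accessed
    }


def rule(avc, keyword="allow"):
    # keyword is "allow" (grant the access) or "dontaudit" (deny silently).
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "%s %s %s:%s %s;" % (
        keyword, avc["source"], avc["target"], avc["tclass"], perm_str)
```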