gnome-screensav AVCs

gnome-screensav AVCs

[Xavier Toth]

I'm seeing AVCs related to netlink_audit_socket when the screen saver
dialog is run. gnome-screensaver-dialog opens a pam session which uses
pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
gnome-screensaver-dialog is going to need some policy including
possibly authlogin_common_auth_domain_template. Would it be best to
add policy for this to gnome or should it have it's own module?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Christopher J. PeBenito]

On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
> I'm seeing AVCs related to netlink_audit_socket when the screen saver
> dialog is run. gnome-screensaver-dialog opens a pam session which uses
> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
> gnome-screensaver-dialog is going to need some policy including
> possibly authlogin_common_auth_domain_template.

I'm not 100% clear, is the auditing happening from unix_chkpwd or the
screensaver proper?

> Would it be best to add policy for this to gnome or should it have
> it's own module?

The gnome module is for policies for core gnome components.
Unfortunately "core component" isn't really well defined at the moment.
But I've been thinking about it since Dan has a gnome clock applet
policy since it can set the clock.  If we had a better idea what pieces
needed their own domain, it'd be easier to make a decision.  Something
like dbus doesn't fit since its useful outside of gnome.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Xavier Toth]

On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
>> I'm seeing AVCs related to netlink_audit_socket when the screen saver
>> dialog is run. gnome-screensaver-dialog opens a pam session which uses
>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
>> gnome-screensaver-dialog is going to need some policy including
>> possibly authlogin_common_auth_domain_template.
>
> I'm not 100% clear, is the auditing happening from unix_chkpwd or the
> screensaver proper?
>

I'm sure that it is unix_chkpwd that is auditing and not
gnome-screensaver-dialog.

>> Would it be best to add policy for this to gnome or should it have
>> it's own module?
>
> The gnome module is for policies for core gnome components.
> Unfortunately "core component" isn't really well defined at the moment.
> But I've been thinking about it since Dan has a gnome clock applet
> policy since it can set the clock.  If we had a better idea what pieces
> needed their own domain, it'd be easier to make a decision.  Something
> like dbus doesn't fit since its useful outside of gnome.

Yes there may be other gnome apps that need policy but I don't know
which at this point.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Christopher J. PeBenito]

On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote:
> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> > On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
> >> I'm seeing AVCs related to netlink_audit_socket when the screen saver
> >> dialog is run. gnome-screensaver-dialog opens a pam session which uses
> >> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
> >> gnome-screensaver-dialog is going to need some policy including
> >> possibly authlogin_common_auth_domain_template.
> >
> > I'm not 100% clear, is the auditing happening from unix_chkpwd or the
> > screensaver proper?
> >
> 
> I'm sure that it is unix_chkpwd that is auditing and not
> gnome-screensaver-dialog.

Is gnome-screensaver-dialog not running the user domain?  I would have
expected that it was, and that when unix_chkpwd is run, that it
transitions to *_unix_chkpwd_t, which should be able to send audit
messages.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Ted X Toth]

Christopher J. PeBenito wrote:
> On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote:
>   
>> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
>> <cpebenito@tresys.com> wrote:
>>     
>>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
>>>       
>>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver
>>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses
>>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
>>>> gnome-screensaver-dialog is going to need some policy including
>>>> possibly authlogin_common_auth_domain_template.
>>>>         
>>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the
>>> screensaver proper?
>>>
>>>       
>> I'm sure that it is unix_chkpwd that is auditing and not
>> gnome-screensaver-dialog.
>>     
>
> Is gnome-screensaver-dialog not running the user domain?
I believe this is true.

>   I would have
> expected that it was, and that when unix_chkpwd is run, that it
> transitions to *_unix_chkpwd_t, which should be able to send audit
> messages.
>
>   
You know policy better than I, where is the policy for this?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Christopher J. PeBenito]

On Tue, 2008-06-17 at 13:28 -0500, Ted X Toth wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote:
> >> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
> >> <cpebenito@tresys.com> wrote:
> >>     
> >>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
> >>>       
> >>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver
> >>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses
> >>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
> >>>> gnome-screensaver-dialog is going to need some policy including
> >>>> possibly authlogin_common_auth_domain_template.
> >>>>         
> >>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the
> >>> screensaver proper?
> >>>
> >>>       
> >> I'm sure that it is unix_chkpwd that is auditing and not
> >> gnome-screensaver-dialog.
> >>     
> >
> > Is gnome-screensaver-dialog not running the user domain?
> I believe this is true.
> 
> >   I would have
> > expected that it was, and that when unix_chkpwd is run, that it
> > transitions to *_unix_chkpwd_t, which should be able to send audit
> > messages.
> >
> >   
> You know policy better than I, where is the policy for this?

In authlogin_per_role_template():

	role $3 types $1_chkpwd_t;

	# Transition from the user domain to this domain.
	domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xavier Toth wrote:
> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver
>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses
>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
>>> gnome-screensaver-dialog is going to need some policy including
>>> possibly authlogin_common_auth_domain_template.
>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the
>> screensaver proper?
>>
> 
> I'm sure that it is unix_chkpwd that is auditing and not
> gnome-screensaver-dialog.
> 
>>> Would it be best to add policy for this to gnome or should it have
>>> it's own module?
>> The gnome module is for policies for core gnome components.
>> Unfortunately "core component" isn't really well defined at the moment.
>> But I've been thinking about it since Dan has a gnome clock applet
>> policy since it can set the clock.  If we had a better idea what pieces
>> needed their own domain, it'd be easier to make a decision.  Something
>> like dbus doesn't fit since its useful outside of gnome.
> 
> Yes there may be other gnome apps that need policy but I don't know
> which at this point.
> 
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
It is the pam library that is calling audit_open, which triggers this
avc.  You need to dontaudit it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkhtN7sACgkQrlYvE4MpobM8PACbBbESdnuEbdlT6u1fhyiWDSj3
hkQAnRYuulCW0b2GfcPbbnOzxXqn92CI
=4478
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: gnome-screensav AVCs

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
> On Tue, 2008-06-17 at 13:28 -0500, Ted X Toth wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote:
>>>> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
>>>> <cpebenito@tresys.com> wrote:
>>>>     
>>>>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
>>>>>       
>>>>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver
>>>>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses
>>>>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
>>>>>> gnome-screensaver-dialog is going to need some policy including
>>>>>> possibly authlogin_common_auth_domain_template.
>>>>>>         
>>>>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the
>>>>> screensaver proper?
>>>>>
>>>>>       
>>>> I'm sure that it is unix_chkpwd that is auditing and not
>>>> gnome-screensaver-dialog.
>>>>     
>>> Is gnome-screensaver-dialog not running the user domain?
>> I believe this is true.
>>
>>>   I would have
>>> expected that it was, and that when unix_chkpwd is run, that it
>>> transitions to *_unix_chkpwd_t, which should be able to send audit
>>> messages.
>>>
>>>   
>> You know policy better than I, where is the policy for this?
> 
> In authlogin_per_role_template():
> 
> 	role $3 types $1_chkpwd_t;
> 
> 	# Transition from the user domain to this domain.
> 	domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
> 
Gnome-clock and other policies are to cover

policykit/hal/dbus interaction where the system debus is doing things on
behalf of the logged in user.  In this case the latest gnome clock
allows a user to specify the timezone that he is in, as well as change
the time.  So we want policy on the script that is execed by dbus for
the user.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkhtODQACgkQrlYvE4MpobPgoQCgtXmqEsGaexePJMro55Vb6/Db
oRMAnjRW/GTMEIiBTyGPW/74vB4ZRnvT
=JNQd
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.