From: Daniel J Walsh <dwalsh@redhat.com>
To: Xavier Toth <txtoth@gmail.com>
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>,
SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: gnome-screensav AVCs
Date: Thu, 03 Jul 2008 16:34:03 -0400 [thread overview]
Message-ID: <486D37BB.2030508@redhat.com> (raw)
In-Reply-To: <cadfc0e40806170855hf95edf4vdefe9b9710cadfb6@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xavier Toth wrote:
> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote:
>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver
>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses
>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that
>>> gnome-screensaver-dialog is going to need some policy including
>>> possibly authlogin_common_auth_domain_template.
>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the
>> screensaver proper?
>>
>
> I'm sure that it is unix_chkpwd that is auditing and not
> gnome-screensaver-dialog.
>
>>> Would it be best to add policy for this to gnome or should it have
>>> it's own module?
>> The gnome module is for policies for core gnome components.
>> Unfortunately "core component" isn't really well defined at the moment.
>> But I've been thinking about it since Dan has a gnome clock applet
>> policy since it can set the clock. If we had a better idea what pieces
>> needed their own domain, it'd be easier to make a decision. Something
>> like dbus doesn't fit since its useful outside of gnome.
>
> Yes there may be other gnome apps that need policy but I don't know
> which at this point.
>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
It is the pam library that is calling audit_open, which triggers this
avc. You need to dontaudit it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkhtN7sACgkQrlYvE4MpobM8PACbBbESdnuEbdlT6u1fhyiWDSj3
hkQAnRYuulCW0b2GfcPbbnOzxXqn92CI
=4478
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2008-07-03 20:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-17 14:46 gnome-screensav AVCs Xavier Toth
2008-06-17 15:39 ` Christopher J. PeBenito
2008-06-17 15:55 ` Xavier Toth
2008-06-17 17:23 ` Christopher J. PeBenito
2008-06-17 18:28 ` Ted X Toth
2008-06-17 18:38 ` Christopher J. PeBenito
2008-07-03 20:36 ` Daniel J Walsh
2008-07-03 20:34 ` Daniel J Walsh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=486D37BB.2030508@redhat.com \
--to=dwalsh@redhat.com \
--cc=cpebenito@tresys.com \
--cc=selinux@tycho.nsa.gov \
--cc=txtoth@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.