* gnome-screensav AVCs @ 2008-06-17 14:46 Xavier Toth 2008-06-17 15:39 ` Christopher J. PeBenito 0 siblings, 1 reply; 8+ messages in thread From: Xavier Toth @ 2008-06-17 14:46 UTC (permalink / raw) To: SELinux Mail List, Christopher J. PeBenito I'm seeing AVCs related to netlink_audit_socket when the screen saver dialog is run. gnome-screensaver-dialog opens a pam session which uses pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that gnome-screensaver-dialog is going to need some policy including possibly authlogin_common_auth_domain_template. Would it be best to add policy for this to gnome or should it have it's own module? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 14:46 gnome-screensav AVCs Xavier Toth @ 2008-06-17 15:39 ` Christopher J. PeBenito 2008-06-17 15:55 ` Xavier Toth 0 siblings, 1 reply; 8+ messages in thread From: Christopher J. PeBenito @ 2008-06-17 15:39 UTC (permalink / raw) To: Xavier Toth; +Cc: SELinux Mail List On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: > I'm seeing AVCs related to netlink_audit_socket when the screen saver > dialog is run. gnome-screensaver-dialog opens a pam session which uses > pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that > gnome-screensaver-dialog is going to need some policy including > possibly authlogin_common_auth_domain_template. I'm not 100% clear, is the auditing happening from unix_chkpwd or the screensaver proper? > Would it be best to add policy for this to gnome or should it have > it's own module? The gnome module is for policies for core gnome components. Unfortunately "core component" isn't really well defined at the moment. But I've been thinking about it since Dan has a gnome clock applet policy since it can set the clock. If we had a better idea what pieces needed their own domain, it'd be easier to make a decision. Something like dbus doesn't fit since its useful outside of gnome. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 15:39 ` Christopher J. PeBenito @ 2008-06-17 15:55 ` Xavier Toth 2008-06-17 17:23 ` Christopher J. PeBenito 2008-07-03 20:34 ` Daniel J Walsh 0 siblings, 2 replies; 8+ messages in thread From: Xavier Toth @ 2008-06-17 15:55 UTC (permalink / raw) To: Christopher J. PeBenito; +Cc: SELinux Mail List On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito <cpebenito@tresys.com> wrote: > On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: >> I'm seeing AVCs related to netlink_audit_socket when the screen saver >> dialog is run. gnome-screensaver-dialog opens a pam session which uses >> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that >> gnome-screensaver-dialog is going to need some policy including >> possibly authlogin_common_auth_domain_template. > > I'm not 100% clear, is the auditing happening from unix_chkpwd or the > screensaver proper? > I'm sure that it is unix_chkpwd that is auditing and not gnome-screensaver-dialog. >> Would it be best to add policy for this to gnome or should it have >> it's own module? > > The gnome module is for policies for core gnome components. > Unfortunately "core component" isn't really well defined at the moment. > But I've been thinking about it since Dan has a gnome clock applet > policy since it can set the clock. If we had a better idea what pieces > needed their own domain, it'd be easier to make a decision. Something > like dbus doesn't fit since its useful outside of gnome. Yes there may be other gnome apps that need policy but I don't know which at this point. > > -- > Chris PeBenito > Tresys Technology, LLC > (410) 290-1411 x150 > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 15:55 ` Xavier Toth @ 2008-06-17 17:23 ` Christopher J. PeBenito 2008-06-17 18:28 ` Ted X Toth 2008-07-03 20:34 ` Daniel J Walsh 1 sibling, 1 reply; 8+ messages in thread From: Christopher J. PeBenito @ 2008-06-17 17:23 UTC (permalink / raw) To: Xavier Toth; +Cc: SELinux Mail List On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote: > On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito > <cpebenito@tresys.com> wrote: > > On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: > >> I'm seeing AVCs related to netlink_audit_socket when the screen saver > >> dialog is run. gnome-screensaver-dialog opens a pam session which uses > >> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that > >> gnome-screensaver-dialog is going to need some policy including > >> possibly authlogin_common_auth_domain_template. > > > > I'm not 100% clear, is the auditing happening from unix_chkpwd or the > > screensaver proper? > > > > I'm sure that it is unix_chkpwd that is auditing and not > gnome-screensaver-dialog. Is gnome-screensaver-dialog not running the user domain? I would have expected that it was, and that when unix_chkpwd is run, that it transitions to *_unix_chkpwd_t, which should be able to send audit messages. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 17:23 ` Christopher J. PeBenito @ 2008-06-17 18:28 ` Ted X Toth 2008-06-17 18:38 ` Christopher J. PeBenito 0 siblings, 1 reply; 8+ messages in thread From: Ted X Toth @ 2008-06-17 18:28 UTC (permalink / raw) To: Christopher J. PeBenito; +Cc: SELinux Mail List Christopher J. PeBenito wrote: > On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote: > >> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito >> <cpebenito@tresys.com> wrote: >> >>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: >>> >>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver >>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses >>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that >>>> gnome-screensaver-dialog is going to need some policy including >>>> possibly authlogin_common_auth_domain_template. >>>> >>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the >>> screensaver proper? >>> >>> >> I'm sure that it is unix_chkpwd that is auditing and not >> gnome-screensaver-dialog. >> > > Is gnome-screensaver-dialog not running the user domain? I believe this is true. > I would have > expected that it was, and that when unix_chkpwd is run, that it > transitions to *_unix_chkpwd_t, which should be able to send audit > messages. > > You know policy better than I, where is the policy for this? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 18:28 ` Ted X Toth @ 2008-06-17 18:38 ` Christopher J. PeBenito 2008-07-03 20:36 ` Daniel J Walsh 0 siblings, 1 reply; 8+ messages in thread From: Christopher J. PeBenito @ 2008-06-17 18:38 UTC (permalink / raw) To: Ted X Toth; +Cc: SELinux Mail List On Tue, 2008-06-17 at 13:28 -0500, Ted X Toth wrote: > Christopher J. PeBenito wrote: > > On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote: > >> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito > >> <cpebenito@tresys.com> wrote: > >> > >>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: > >>> > >>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver > >>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses > >>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that > >>>> gnome-screensaver-dialog is going to need some policy including > >>>> possibly authlogin_common_auth_domain_template. > >>>> > >>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the > >>> screensaver proper? > >>> > >>> > >> I'm sure that it is unix_chkpwd that is auditing and not > >> gnome-screensaver-dialog. > >> > > > > Is gnome-screensaver-dialog not running the user domain? > I believe this is true. > > > I would have > > expected that it was, and that when unix_chkpwd is run, that it > > transitions to *_unix_chkpwd_t, which should be able to send audit > > messages. > > > > > You know policy better than I, where is the policy for this? In authlogin_per_role_template(): role $3 types $1_chkpwd_t; # Transition from the user domain to this domain. domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t) -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 18:38 ` Christopher J. PeBenito @ 2008-07-03 20:36 ` Daniel J Walsh 0 siblings, 0 replies; 8+ messages in thread From: Daniel J Walsh @ 2008-07-03 20:36 UTC (permalink / raw) To: Christopher J. PeBenito; +Cc: Ted X Toth, SELinux Mail List -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christopher J. PeBenito wrote: > On Tue, 2008-06-17 at 13:28 -0500, Ted X Toth wrote: >> Christopher J. PeBenito wrote: >>> On Tue, 2008-06-17 at 10:55 -0500, Xavier Toth wrote: >>>> On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito >>>> <cpebenito@tresys.com> wrote: >>>> >>>>> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: >>>>> >>>>>> I'm seeing AVCs related to netlink_audit_socket when the screen saver >>>>>> dialog is run. gnome-screensaver-dialog opens a pam session which uses >>>>>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that >>>>>> gnome-screensaver-dialog is going to need some policy including >>>>>> possibly authlogin_common_auth_domain_template. >>>>>> >>>>> I'm not 100% clear, is the auditing happening from unix_chkpwd or the >>>>> screensaver proper? >>>>> >>>>> >>>> I'm sure that it is unix_chkpwd that is auditing and not >>>> gnome-screensaver-dialog. >>>> >>> Is gnome-screensaver-dialog not running the user domain? >> I believe this is true. >> >>> I would have >>> expected that it was, and that when unix_chkpwd is run, that it >>> transitions to *_unix_chkpwd_t, which should be able to send audit >>> messages. >>> >>> >> You know policy better than I, where is the policy for this? > > In authlogin_per_role_template(): > > role $3 types $1_chkpwd_t; > > # Transition from the user domain to this domain. > domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t) > Gnome-clock and other policies are to cover policykit/hal/dbus interaction where the system debus is doing things on behalf of the logged in user. In this case the latest gnome clock allows a user to specify the timezone that he is in, as well as change the time. So we want policy on the script that is execed by dbus for the user. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkhtODQACgkQrlYvE4MpobPgoQCgtXmqEsGaexePJMro55Vb6/Db oRMAnjRW/GTMEIiBTyGPW/74vB4ZRnvT =JNQd -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: gnome-screensav AVCs 2008-06-17 15:55 ` Xavier Toth 2008-06-17 17:23 ` Christopher J. PeBenito @ 2008-07-03 20:34 ` Daniel J Walsh 1 sibling, 0 replies; 8+ messages in thread From: Daniel J Walsh @ 2008-07-03 20:34 UTC (permalink / raw) To: Xavier Toth; +Cc: Christopher J. PeBenito, SELinux Mail List -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xavier Toth wrote: > On Tue, Jun 17, 2008 at 10:39 AM, Christopher J. PeBenito > <cpebenito@tresys.com> wrote: >> On Tue, 2008-06-17 at 09:46 -0500, Xavier Toth wrote: >>> I'm seeing AVCs related to netlink_audit_socket when the screen saver >>> dialog is run. gnome-screensaver-dialog opens a pam session which uses >>> pam_unix which in turn runs the unix_chkpwd helper. I'm thinking that >>> gnome-screensaver-dialog is going to need some policy including >>> possibly authlogin_common_auth_domain_template. >> I'm not 100% clear, is the auditing happening from unix_chkpwd or the >> screensaver proper? >> > > I'm sure that it is unix_chkpwd that is auditing and not > gnome-screensaver-dialog. > >>> Would it be best to add policy for this to gnome or should it have >>> it's own module? >> The gnome module is for policies for core gnome components. >> Unfortunately "core component" isn't really well defined at the moment. >> But I've been thinking about it since Dan has a gnome clock applet >> policy since it can set the clock. If we had a better idea what pieces >> needed their own domain, it'd be easier to make a decision. Something >> like dbus doesn't fit since its useful outside of gnome. > > Yes there may be other gnome apps that need policy but I don't know > which at this point. > >> -- >> Chris PeBenito >> Tresys Technology, LLC >> (410) 290-1411 x150 >> >> > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. It is the pam library that is calling audit_open, which triggers this avc. You need to dontaudit it. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkhtN7sACgkQrlYvE4MpobM8PACbBbESdnuEbdlT6u1fhyiWDSj3 hkQAnRYuulCW0b2GfcPbbnOzxXqn92CI =4478 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2008-07-03 20:36 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-06-17 14:46 gnome-screensav AVCs Xavier Toth 2008-06-17 15:39 ` Christopher J. PeBenito 2008-06-17 15:55 ` Xavier Toth 2008-06-17 17:23 ` Christopher J. PeBenito 2008-06-17 18:28 ` Ted X Toth 2008-06-17 18:38 ` Christopher J. PeBenito 2008-07-03 20:36 ` Daniel J Walsh 2008-07-03 20:34 ` Daniel J Walsh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.