* Two constraint violations
@ 2010-05-17 19:11 Alan Rouse
2010-05-17 20:20 ` Daniel J Walsh
0 siblings, 1 reply; 2+ messages in thread
From: Alan Rouse @ 2010-05-17 19:11 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
[-- Attachment #1: Type: text/plain, Size: 1048 bytes --]
1. When I boot to a desktop as user_t, then open a terminal, and execute 'su' to login as root, a file is created in the /root directory called .xauth0SiF7t. That produces the following AVC:
type=AVC msg=audit(1274122005.740:4): avc: denied { create } for pid=4410 comm="su" name=".xauth0SiF7t" scontext=user_u:user_r:user_su_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Audit2allow generates the an allow rule but tells me it is a constraint violation.
allow user_su_t default_t:file create;
Any insights into why this is happening / what I should do to fix it?
2. Note, I'm still also getting this AVC during system boot, for which audit2allow also generates a rule which is a constraint violation:
type=AVC msg=audit(1274121983.953:3): avc: denied { relablefrom } for pid=4335 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
Any insights into why this is happening / what I should do to fix it?
[-- Attachment #2: Type: text/html, Size: 2117 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: Two constraint violations
2010-05-17 19:11 Two constraint violations Alan Rouse
@ 2010-05-17 20:20 ` Daniel J Walsh
0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2010-05-17 20:20 UTC (permalink / raw)
To: Alan Rouse; +Cc: selinux@tycho.nsa.gov
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/17/2010 03:11 PM, Alan Rouse wrote:
> 1. When I boot to a desktop as user_t, then open a terminal, and execute 'su' to login as root, a file is created in the /root directory called .xauth0SiF7t. That produces the following AVC:
>
> type=AVC msg=audit(1274122005.740:4): avc: denied { create } for pid=4410 comm="su" name=".xauth0SiF7t" scontext=user_u:user_r:user_su_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
>
> Audit2allow generates the an allow rule but tells me it is a constraint violation.
>
> allow user_su_t default_t:file create;
>
> Any insights into why this is happening / what I should do to fix it?
>
> 2. Note, I'm still also getting this AVC during system boot, for which audit2allow also generates a rule which is a constraint violation:
>
> type=AVC msg=audit(1274121983.953:3): avc: denied { relablefrom } for pid=4335 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
>
> Any insights into why this is happening / what I should do to fix it?
>
>
>
>
>
>
/root is mislabeled. It should not be default_t.
Also user_t should probably not be allowed to run su. Since it is a non
admin user.
In Fedora Policy, staff_t and user_t can not run su. They need to use
sudo.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvxpQwACgkQrlYvE4MpobMPEwCfW9BVnCHfM6C1ZoHDJoQc8eGT
Yw4AniwXwMaewllrqic6dJgZ+FQg9n3I
=9gF5
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-05-17 20:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-17 19:11 Two constraint violations Alan Rouse
2010-05-17 20:20 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.