Re: ainit (xdm_t) wants to write /etc/alsa/pcm/dmix.conf (etc_t) ...: msg#00173
Subject: Re: ainit (xdm_t) wants to write /etc/alsa/pcm/dmix.conf (etc_t) ...
On 5/24/05, Tom London <selinux@xxxxxxxxx> wrote:
> On 5/24/05, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > Tom London wrote:
> >
> > >Running strict/enforcing, latest rawhide.
> > >
> > >Get the following when logging in:
> > >May 21 13:30:16 fedora gdm(pam_unix)[2946]: session opened for user
> > >tbl by (uid=0)
> > >May 21 13:30:16 fedora kernel: audit(1116707416.740:0): avc: denied
> > >{ write } for name=dmix.conf dev=hda2 ino=4523476
> > >scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
> > >tclass=file
> > >May 21 13:30:16 fedora ainit: Failed to open file /etc/alsa/pcm/dmix.conf
> > >May 21 13:30:16 fedora ainit: Error: Permission denied
> > >
> > >The file in question is /etc/alsa/pcm/dmix.conf.
> > >
> > >/etc/alsa/ainit.conf has:
> > >#
> > ># overwrite target files, if exists
> > >#
> > >overwrite = yes
> > >
> > >#
> > ># first config file - for dmix plugin
> > >#
> > >template_0 = /etc/alsa/pcm/dmix.template
> > >target_0 = /etc/alsa/pcm/dmix.conf
> > >target_root_file_0 = yes
> > >
> > >This seems less than perfect to me....
> > >Should dmix.conf (and dsnoop.conf) be someplace else? Labeled as
> > >xdm_rw_etc_t? (I don't know who else needs to read these files....)
> > >
> > >tom
> > >
> > >
> > >
> > Do you have any idea if xdm is actually trying to write this file, or
> > could this just be they used the wrong flags when opening the file?
> >
> No idea.
>
> I'll test tonight on my 'strict machine'.
>
> tom
>
Running strict/permissive, I get this:
May 25 06:19:54 fedora gdm(pam_unix)[2695]: session opened for user
tbl by (uid=0)
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ write } for pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ add_name } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ create } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=file
May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc: denied
{ write } for pid=2739 comm="ainit" name=dmix.conf dev=hda2
ino=4522361 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:19:56 fedora gconfd (tbl-2801): starting (version 2.10.0),
pid 2801 user 'tbl'
So it looks like xdm wants to really create/write this....
Logging out does this:
May 25 06:24:54 fedora gconfd (tbl-2801): Exiting
May 25 06:24:54 fedora gdm(pam_unix)[2695]: session closed for user tbl
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied
{ write } for pid=3184 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied
{ remove_name } for pid=3184 comm="ainit" name=dmix.conf.lock
dev=hda2 ino=4522777 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=dir
May 25 06:24:54 fedora kernel: audit(1117027494.313:0): avc: denied
{ unlink } for pid=3184 comm="ainit" name=dmix.conf.lock dev=hda2
ino=4522777 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ unix_read unix_write } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ associate } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ destroy } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
tom
--
Tom London
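
Added example, not part of the original thread: a small Python parser that rejoins the mail-wrapped AVC records quoted above and groups the denied permissions by source type, target type and object class, which makes it easy to see how much access ainit running as xdm_t is asking for. The function names are illustrative, the sample is an excerpt of the log in the message, and the allow-style output is only a reading aid.

```python
import re
from collections import defaultdict

# Excerpt of the permissive-mode log from the message, mail wrapping preserved.
SAMPLE = """\
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ write } for pid=2739 comm="ainit" name=pcm dev=hda2 ino=4524122
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.325:0): avc: denied
{ add_name } for pid=2739 comm="ainit" name=dmix.conf
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t
tclass=dir
May 25 06:19:54 fedora kernel: audit(1117027194.340:0): avc: denied
{ write } for pid=2739 comm="ainit" name=dmix.conf dev=hda2
ino=4522361 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:etc_t tclass=file
May 25 06:24:54 fedora kernel: audit(1117027494.349:0): avc: denied
{ unix_read unix_write } for pid=3184 comm="ainit" key=1947154681
scontext=system_u:system_r:xdm_t tcontext=tbl:staff_r:staff_t
tclass=shm
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def unwrap(text):
    """Rejoin wrapped records; a new record starts with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map (source type, target type, class) -> denied permissions; the type is field 3 of user:role:type."""
    denied = defaultdict(set)
    for m in filter(None, map(AVC.search, unwrap(text))):  # skips non-AVC records
        f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        denied[key].update(m.group(1).split())
    return denied

def as_rules(denied):
    """Render each group as a policy-style line, for reading only."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(denied.items())]
```

Running `as_rules(summarize(SAMPLE))` on the excerpt shows write access to etc_t directories and files plus shared-memory access into staff_t, which is the breadth behind the relabeling question raised in the thread.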