On 11/07/2017 11:54 AM, sindano sindano wrote:
Hi Lukas,
I ran into the same issue as before, even after relabeling the /run files prior to a reboot.
The files got relabeled back to the dbusd_tmp_t context (1). The output of the ausearch command
can be found below (2).
I'm running Fedora 26:
Linux localhost.localdomain 4.13.10-200.fc26.x86_64 #1 SMP Fri Oct 27 15:34:40 UTC 2017
x86_64 x86_64 x86_64 GNU/Linux
my id is:
$ id
uid=1000(chira) gid=1000(chira) groups=1000(chira),10(wheel)
context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
1. restorecon -nrv /run/user/
restorecon: Could not stat /run/user/1000/gvfs: Permission denied.
Would relabel /run/user/1000/dbus-1 from staff_u:object_r:session_dbusd_tmp_t:s0 to
staff_u:object_r:user_tmp_t:s0
Would relabel /run/user/1000/dbus-1/services from staff_u:object_r:session_dbusd_tmp_t:s0
to staff_u:object_r:user_tmp_t:s0
Would relabel /run/user/42/dbus-1 from unconfined_u:object_r:session_dbusd_tmp_t:s0 to
unconfined_u:object_r:user_tmp_t:s0
Would relabel /run/user/42/dbus-1/services from
unconfined_u:object_r:session_dbusd_tmp_t:s0 to unconfined_u:object_r:user_tmp_t:s0
2. Output of 'ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today' after relabel and
restart
----
time->Tue Nov 7 12:25:29 2017
type=USER_AVC msg=audit(1510050329.510:414): pid=1044 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=1700
scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Nov 7 12:25:30 2017
type=PROCTITLE msg=audit(1510050330.690:447):
proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65002D2D6C6F67696E
type=PATH msg=audit(1510050330.690:447): item=0 name="/run/user/1000/bus"
inode=33432 dev=00:36 mode=0140666 ouid=1000 ogid=1000 rdev=00:00
obj=staff_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1510050330.690:447): cwd="/"
type=SOCKADDR msg=audit(1510050330.690:447):
saddr=01002F72756E2F757365722F313030302F627573000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1510050330.690:447): arch=c000003e syscall=42 success=no exit=-13
a0=9 a1=7ffcb94c67a0 a2=6e a3=0 items=1 ppid=1 pid=1700 auid=1000 uid=1000 gid=1000
euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2
comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon"
subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1510050330.690:447): avc: denied { write } for pid=1700
comm="gnome-keyring-d" name="bus" dev="tmpfs" ino=33432
scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
Hi,
Are you able to reproduce it with following build?
https://koji.fedoraproject.org/koji/buildinfo?buildID=995729
Thanks,
Lukas.
-BR
Sindano
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
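
Added example, not part of the original thread: a small Python decoder for the hex-encoded proctitle and saddr fields and the AVC line in the ausearch output quoted above. The function names are hypothetical, and the saddr zero padding is rebuilt to the 110 bytes given by a2=6e instead of being copied digit by digit.

```python
import re

# Values copied from the ausearch output quoted in the message above.
PROCTITLE_HEX = ("2F7573722F62696E2F676E6F6D652D6B657972696E672D"
                 "6461656D6F6E002D2D6461656D6F6E697A65002D2D6C6F67696E")
# Assumption: trailing zero padding rebuilt to 110 bytes (a2=6e in SYSCALL).
SADDR_HEX = "01002F72756E2F757365722F313030302F627573" + "00" * 90
AVC_LINE = ('type=AVC msg=audit(1510050330.690:447): avc: denied { write } '
            'for pid=1700 comm="gnome-keyring-d" name="bus" dev="tmpfs" '
            'ino=33432 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 '
            'tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0')

def decode_proctitle(hex_str):
    """Return argv from a hex-encoded proctitle; NUL bytes separate arguments."""
    raw = bytes.fromhex(hex_str).rstrip(b"\0")
    return raw.decode("utf-8", "replace").split("\0")

def decode_saddr(hex_str):
    """Decode a Linux sockaddr: 2-byte family, then family-specific data."""
    raw = bytes.fromhex(hex_str)
    family = int.from_bytes(raw[:2], "little")   # little-endian on x86_64
    if family != 1:                              # 1 == AF_UNIX
        return {"family": family, "raw": raw[2:].hex()}
    path = raw[2:]
    if path[:1] == b"\0":                        # abstract socket name
        name = path[1:].rstrip(b"\0").decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": "@" + name}
    name = path.split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"family": "AF_UNIX", "path": name}

def parse_avc(line):
    """Pull permissions, source/target types and class from an AVC/USER_AVC line."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line[m.end():]))
    return {"perms": m.group(1).split(),
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"].strip("'\""),
            "permissive": fields.get("permissive")}

if __name__ == "__main__":
    print(decode_proctitle(PROCTITLE_HEX))
    print(decode_saddr(SADDR_HEX))
    print(parse_avc(AVC_LINE))
```

Decoded, event 447 is gnome-keyring-daemon (started with --daemonize --login) calling connect() on /run/user/1000/bus and being refused write on a user_tmp_t sock_file while running as staff_gkeyringd_t.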