[Fwd: [Pkg-fglrx-devel] Bug#514061: atieventsd and SELinux support]
tags #514061 + help
thanks
Hello list,
I am also an SELinux newbie and hope here is someone who knows how to
fix this. :-)
Please keep the BTS in CC, thanks.
-------- Original Message --------
Subject: [Pkg-fglrx-devel] Bug#514061: Workaround
Resent-Date: Mon, 09 Feb 2009 17:39:02 +0000, Mon, 09 Feb 2009
17:39:03 +0000
Resent-From: Don Pellegrino <don@drexel.edu>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: Fglrx packaging team
<pkg-fglrx-devel@lists.alioth.debian.org>
Date: Mon, 09 Feb 2009 12:37:37 -0500
From: Don Pellegrino <don@drexel.edu>
Reply-To: Don Pellegrino <don@drexel.edu>, 514061@bugs.debian.org
Organization: Drexel University
To: 514061@bugs.debian.org
In my original report I mentioned that I couldn't find the error message
with grep. The error is recorded in /var/log/audit/audit.log and I
didn't run grep -r so I initially missed it. The error is:
type=AVC msg=audit(1234196438.214:4): avc: denied { execmem } for
pid=3063 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1234196438.214:4): arch=40000003 syscall=192
success=no exit=-13 a0=b7e06000 a1=6000 a2=7 a3=812 items=0 ppid=3061
pid=3063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="atieventsd"
exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
Experimentation with my local policy file shows that both execmem and
execstack are needed:
type=AVC msg=audit(1234199603.086:4): avc: denied { execstack } for
pid=3057 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1234199603.086:4): arch=40000003 syscall=125
success=no exit=-13 a0=bf81d000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=3055 pid=3057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atieventsd"
exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
The basic work-around is to just assume atieventsd should be given the
security it needs and to add a local policy entry:
module local-ati 1.0.0;
require {
    type initrc_t;
    class process { execmem execstack };
}
# Workaround for atieventsd
allow initrc_t self:process { execmem execstack };
This policy can be added with the following commands:
# checkmodule -M -m -o local-ati.mod local-ati.te
# semodule_package -o local-ati.pp -m local-ati.mod
# semodule -i ./local-ati.pp
I am a novice SELinux user and I don't believe this is the best
work-around. For one the allow statement appears to cover the entire
initrc_t type rather than the /usr/sbin/atieventsd binary specifically.
Second, I don't know enough to determine if this is the proper course of
action. Should a policy update be made or should this go to ATI for a
correction to the atieventsd binary itself so that it doesn't use
execmem or execstack?
Finally, it is curious that /etc/init.d/fglrx-driver start worked to
load atieventsd after boot without any problems. So it seems that
loading the process at boot time gives different behavior.
_______________________________________________
Pkg-fglrx-devel mailing list
Pkg-fglrx-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-fglrx-devel
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
E-Mail: patrick.matthaei@web.de
Comment:
Always if we think we are right,
we were maybe wrong.
*/
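The following script is an added example and is not code from the bug report, from the fglrx package or from Debian; it only illustrates the mechanics behind the denials quoted above. It pairs each AVC record with its SYSCALL record by audit event id, decodes the i386 syscall number and the mmap/mprotect protection bits that explain why the kernel asked for execmem (mmap2 with PROT_WRITE|PROT_EXEC) and execstack (mprotect on the stack with PROT_EXEC|PROT_GROWSDOWN), flags the W^X-weakening permissions, and emits the same `module`/`require`/`allow` text that audit2allow would generate for these lines. The log lines are copied from the report and embedded as constructed sample input; the syscall table covers only the two i386 numbers seen there (arch=40000003 is AUDIT_ARCH_I386), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denial events quoted in the bug report,
# each AVC record paired with its SYSCALL record via the audit(time:serial) id.
AUDIT_LOG = """\
type=AVC msg=audit(1234196438.214:4): avc: denied { execmem } for pid=3063 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1234196438.214:4): arch=40000003 syscall=192 success=no exit=-13 a0=b7e06000 a1=6000 a2=7 a3=812 items=0 ppid=3061 pid=3063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atieventsd" exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1234199603.086:4): avc: denied { execstack } for pid=3057 comm="atieventsd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1234199603.086:4): arch=40000003 syscall=125 success=no exit=-13 a0=bf81d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3055 pid=3057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atieventsd" exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*)\}')

# Process permissions that weaken W^X; granting them deserves a second look.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

# Linux mmap/mprotect prot bits, and the two i386 syscall numbers seen in the
# log (arch=40000003 is AUDIT_ARCH_I386). Other syscalls are left undecoded.
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN"}
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}


def parse_audit(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
        events[m.group(1)][fields["type"]] = fields
    return dict(events)


def decode_syscall(rec):
    """Name an i386 syscall and decode its prot argument (a2 for mmap2/mprotect)."""
    if rec.get("arch") != "40000003":
        return None, []
    name = I386_SYSCALLS.get(int(rec["syscall"]), "syscall#" + rec["syscall"])
    prot = int(rec["a2"], 16)
    return name, [n for bit, n in PROT_FLAGS.items() if prot & bit]


def allow_rules(events):
    """Collapse AVC denials into allow rules the way audit2allow does."""
    wanted = defaultdict(set)  # (source type, target type, class) -> permissions
    for ev in events.values():
        avc = ev.get("AVC")
        if not avc:
            continue
        src = avc["scontext"].split(":")[2]
        tgt = avc["tcontext"].split(":")[2]
        key = (src, "self" if src == tgt else tgt, avc["tclass"])
        wanted[key].update(avc["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(wanted.items())]


def risky_perms(events):
    """Requested permissions that fall in the W^X-weakening set."""
    return {p for ev in events.values() if "AVC" in ev
            for p in ev["AVC"]["perms"] if p in RISKY_PERMS}


def module_text(events, name="local-ati", version="1.0.0"):
    """Render a complete .te module (module/require/allow) for checkmodule."""
    rules = allow_rules(events)
    types, classes = set(), defaultdict(set)
    for ev in events.values():
        avc = ev.get("AVC")
        if avc:
            types.add(avc["scontext"].split(":")[2])
            types.add(avc["tcontext"].split(":")[2])
            classes[avc["tclass"]].update(avc["perms"])
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} {version};", "require {", *req, "}", *rules]) + "\n"


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    for eid, ev in evs.items():
        name, prot = decode_syscall(ev["SYSCALL"])
        print(f"{eid}: {ev['AVC']['comm']} denied {ev['AVC']['perms']} "
              f"in {name}({'|'.join(prot)})")
    print("risky permissions requested:", sorted(risky_perms(evs)))
    print(module_text(evs))
```

Running it on the two events prints the decoded calls (mmap2 with PROT_READ|PROT_WRITE|PROT_EXEC, mprotect with PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) and reproduces the `allow initrc_t self:process { execmem execstack };` rule from the report. The risky-permission check is the point: the generated rule is scoped to whatever type the denied process ran in, which here is the shared initrc_t domain rather than anything specific to /usr/sbin/atieventsd, so every init script's process would inherit the exemption. A dedicated domain for the daemon, or a fix in the binary so it stops needing writable-and-executable memory, keeps the exemption narrow.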