2017-12-04 21:34:59

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Allow dbus to write to xserver_log_t

Allow dbus to write to the xserver log

type=AVC msg=audit(1511920435.381:102): avc: denied { write } for pid=904 comm="dbus-daemon" path="/var/log/lightdm/seat0-greeter.log" dev="dm-0" ino=17320832 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
---
dbus.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/dbus.te b/dbus.te
index 5f2199c..015f1e1 100644
--- a/dbus.te
+++ b/dbus.te
@@ -274,6 +274,7 @@ optional_policy(`
xserver_rw_xsession_log(session_bus_type)
xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
+ xserver_write_log(session_bus_type)
')

########################################
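Review bot: The added xserver_write_log(session_bus_type) line grants more than the quoted denial demonstrates: the AVC has scontext xdm_dbusd_t only, while the rule applies to everything in session_bus_type. If only the display manager's bus needs this, consider scoping the rule to that domain, or explain in the commit message why every session bus should be able to write to xserver_log_t. The message would also benefit from a sentence on why dbus-daemon ends up writing to /var/log/lightdm/seat0-greeter.log in the first place.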
--
2.13.6


2017-12-05 08:09:34

by Dac Override

Subject: [refpolicy] [PATCH 1/1] Allow dbus to write to xserver_log_t

On Mon, Dec 04, 2017 at 09:34:59PM +0000, David Sugar via refpolicy wrote:
> Allow dbus to write to the xserver log
>
> type=AVC msg=audit(1511920435.381:102): avc: denied { write } for pid=904 comm="dbus-daemon" path="/var/log/lightdm/seat0-greeter.log" dev="dm-0" ino=17320832 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
> ---
> dbus.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/dbus.te b/dbus.te
> index 5f2199c..015f1e1 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -274,6 +274,7 @@ optional_policy(`
> xserver_rw_xsession_log(session_bus_type)
> xserver_use_xdm_fds(session_bus_type)
> xserver_rw_xdm_pipes(session_bus_type)
> + xserver_write_log(session_bus_type)

Assuming this is not a leak. Pity that it doesn't append instead. You could potentially leverage the open permission here and use a xserver_write_inherited_log_files() instead.

> ')
>
> ########################################
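Review bot: On the added xserver_write_log(session_bus_type) line, the AVC quoted above records only { write } on tclass=file, with no accompanying open denial, so check that the interface does not hand out more than that one permission. If dbus-daemon receives the log as an already-open descriptor, a rule without open would match the evidence more closely; please state in the commit message which case applies.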
> --
> 2.13.6

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift