Your message dated Thu, 15 Oct 2009 22:35:46 -0500
with message-id <[email protected]>
and subject line This was fixed in a previous upload
has caused the Debian Bug report #521808,
regarding selinux violations in consolekit
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
521808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521808
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: consolekit
Version: 0.3.0-2
Severity: normal
Tags: selinux
This could be re-assigned to selinux-policy-default package, if you see
this as a policy problem (and not a consolekit problem).
Summary:
SELinux prevented console-kit-dae from using the terminal tty0.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux prevented console-kit-dae from using the terminal tty0. In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.
Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."
Fix Command:
setsebool -P allow_daemons_use_tty=1
Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                tty0 [ chr_file ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          champaran
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   default
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_use_tty
Host Name                     champaran
Platform                      Linux champaran 2.6.29-custom #1 SMP Wed Mar 25 14:59:06 IST 2009 i686
Alert Count                   1
First Seen                    Mon 30 Mar 2009 02:03:42 PM IST
Last Seen                     Mon 30 Mar 2009 02:03:42 PM IST
Local ID                      04383dd8-cfa3-4811-9caf-8a036e6e0186
Line Numbers
Raw Audit Messages
node=champaran type=AVC msg=audit(1238402022.858:53): avc: denied { read } for pid=4345 comm="console-kit-dae" name="tty0" dev=tmpfs ino=1368 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
node=champaran type=SYSCALL msg=audit(1238402022.858:53): arch=40000003 syscall=5 success=yes exit=13 a0=80631dc a1=100 a2=10f9 a3=9adce78 items=0 ppid=1 pid=4345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-custom (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages consolekit depends on:
ii  dbus              1.2.12-1           simple interprocess messaging syst
ii  libc6             2.9-4              GNU C Library: Shared libraries
ii  libck-connector0  0.3.0-2            ConsoleKit libraries
ii  libdbus-1-3       1.2.12-1           simple interprocess messaging syst
ii  libdbus-glib-1-2  0.80-3             simple interprocess messaging syst
ii  libglib2.0-0      2.20.0-2           The GLib library of C routines
ii  libx11-6          2:1.2-1            X11 client-side library
ii  zlib1g            1:1.2.3.3.dfsg-12  compression library - runtime
Versions of packages consolekit recommends:
ii libpam-ck-connector 0.3.0-2 ConsoleKit PAM module
consolekit suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2:0.2.20090828-1
refpolicy (2:0.2.20090828-1) unstable; urgency=low

  * New upstream snapshot.
    - Deprecated the userdom_xwindwos_client_template().
  * Modified the list of modules we build (added consolekit, and added a
    dependency on consolekit to the devicekit policymodule. Turned off
    ddcprobe, since it needs kudzu.
  * Bug fix: "linking policy fails", thanks to Jonathan Nieder
    (Closes: #544079).
  * Bug fix: "linking policy fails (with a statement to file a bug)",
    thanks to Philipp Kern (Closes: #543148).
  * Bug fix: "module cvs appears to depend on module apache", thanks to
    Russell Coker (Closes: #539855).
  * Bug fix: "SELinux prevented console-kit-dae from using the terminal
    /dev/tty0", thanks to Ritesh Raj Sarraf. We now have:
    policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t)
    This should allow access to all terms and ttys. (Closes: #515167).
  * Bug fix: "SELinux is preventing pulseaudio from loading
    /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to
    Ritesh Raj Sarraf. /usr/lib/libFLAC\.so.* now has the context
    system_u:object_r:textrel_shlib_t, so this should now work.
    (Closes: #515166).
  * [1ba2425]: nscd cache location changed from /var/db/nscd to
    /var/cache/nscd. The nscd policy module uses the old
    nscd cache location. The cache location changed with glibc 2.7-1,
    and the current nscd does place the files in /var/cache/nscd/.
    Bug fix: "nscd cache location changed from /var/db/nscd to
    /var/cache/nscd", thanks to Sami Haahtinen (Closes: #506779).

 -- Manoj Srivastava <[email protected]> Fri, 28 Aug 2009 15:10:50 -0500
--
"I have more information in one place than anybody in the world." Jerry
Pournelle, an absurd notion, apparently about the BIX BBS
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--- End Message ---
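
Added example (not part of either message, and not code from setroubleshoot, audit2allow or refpolicy): a small parser for the AVC record quoted in the bug report, showing which source type, target type, class and permission the denial names and the raw type-enforcement rule that would cover it. The function names and the one-line SAMPLE_AVC constant are assumptions made for this illustration.

```python
import re

# The AVC record from the bug report, rejoined onto one line (its e-mail copy is wrapped).
SAMPLE_AVC = (
    'node=champaran type=AVC msg=audit(1238402022.858:53): avc: denied { read } '
    'for pid=4345 comm="console-kit-dae" name="tty0" dev=tmpfs ino=1368 '
    'scontext=system_u:system_r:system_dbusd_t:s0 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'verdict': verdict,
        'perms': sorted(perms.split()),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
    }


def te_rule(avc):
    """Render the type-enforcement allow rule that would cover this denial."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        avc['source_type'], avc['target_type'], avc['tclass'], perm_text)


if __name__ == '__main__':
    print(te_rule(parse_avc(SAMPLE_AVC)))
```

The rule derived from the record has system_dbusd_t as its subject, whereas the fix recorded in the refpolicy changelog grants terminal access to consolekit_t through term_use_all_terms(consolekit_t) in the consolekit module.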