On Mon, 12 Apr 2004 20:36, Herald van der Breggen <herald@xxxxxxxxxxxxxxxxx> wrote:
> removed the line
> #x:5:respawn:/etc/X11/prefdm -nodaemon
>
> added the line
> x:5:respawn:/usr/X11R6/bin/X -query 192.168.1.12
>
> The current policy files don't allow init to start X (which is a symlink
> to XFree in the same directory).
>
> avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86
> dev=hda5 ino=395703 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:policy_config_t tclass=file

Firstly there is something very wrong in having the file labeled as
policy_config_t. Please use setfiles to relabel /usr/X11R6 before trying
it again.

> Question one: should the default set of policy rules not allow this?

Yes, I think it should.

> Question two: what is the best way to allow to start the X server by
> init? I am new to selinux and have trouble to find my way. I struggled
> with the newrules.pl script (which not seemed to right way to solve this
> problem) and tried rules like
>
> can_exec(init_t, xserver_exec_t);
> can_exec(init_t, xserver_log_t);

I don't know why a log file is being executed, I guess that there is a
mislabeled file. Maybe relabelling your system would be a good idea.

As for solving the problem, what you want is for init_t to transition to
xdm_xserver_t (the domain for system X server processes). The following
policy should work:

domain_auto_trans(init_t, xserver_exec_t, xdm_xserver_t)

Please try it and let me know how it works (very important). I don't have
a network setup for testing X terms so I need positive feedback from you
if I am to include this policy in my tree.

If you want to have this work on a default Fedora SE Linux install then
let me know how it works, if it doesn't work then tell me the AVC messages
you get.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
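The reply above makes two distinct diagnoses from one AVC line: the target type (policy_config_t on an X server binary) points to a mislabeled file that setfiles should fix, and only once the binary carries an *_exec_t type does a domain_auto_trans rule make sense. The following script, added here as an illustration and not part of the original thread or of any SELinux tool, parses AVC "denied" lines of that old kernel format, splits the security contexts into their user:role:type parts, and applies that same triage rule: an execute denial on a file whose type is not an *_exec_t type is reported as a likely mislabel, while one on a proper *_exec_t type gets a domain_auto_trans template with the target domain left as a placeholder, since the correct target domain (xdm_xserver_t in the thread) is a policy decision the log cannot supply. The two sample log lines are constructed: the first reproduces the denial quoted in the mail, the second is a hypothetical denial after relabeling.

```python
import re
from dataclasses import dataclass, field

# Matches the classic kernel AVC format used in the thread; re.search also
# copes with a leading "type=AVC msg=audit(...):" prefix from auditd.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample input: line 1 is the denial quoted in the mail,
# line 2 is a hypothetical denial after /usr/X11R6 has been relabeled.
SAMPLE_LOG = [
    "avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86 "
    "dev=hda5 ino=395703 scontext=system_u:system_r:init_t "
    "tcontext=system_u:object_r:policy_config_t tclass=file",
    "avc: denied { execute } for pid=3061 exe=/sbin/init name=XFree86 "
    "dev=hda5 ino=395703 scontext=system_u:system_r:init_t "
    "tcontext=system_u:object_r:xserver_exec_t tclass=file",
]


@dataclass
class AvcDenial:
    perms: list = field(default_factory=list)   # e.g. ["execute"]
    fields: dict = field(default_factory=dict)  # pid, exe, name, scontext, ...


def parse_avc(line):
    """Return an AvcDenial for an 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(KV_RE.findall(m.group("rest")))
    return AvcDenial(perms, fields)


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def assess(denial):
    """Triage an execute-on-file denial the way the reply does.

    Returns a dict with 'kind' in {"mislabel", "missing_transition", "other"}
    and a human-readable 'suggestion'.
    """
    stype = context_type(denial.fields.get("scontext", ""))
    ttype = context_type(denial.fields.get("tcontext", ""))
    tclass = denial.fields.get("tclass", "")
    name = denial.fields.get("name", "?")

    if "execute" not in denial.perms or tclass != "file":
        return {"kind": "other",
                "suggestion": f"no execute-on-file rule for {denial.perms} on {tclass}"}

    # A binary that is executed should carry an *_exec_t type; anything else
    # (policy_config_t, a *_log_t type) is a labeling problem, not a policy gap.
    if not ttype.endswith("_exec_t"):
        return {"kind": "mislabel",
                "suggestion": f"{name} is labeled {ttype}; relabel its directory "
                              f"with setfiles before adding policy"}

    # Correctly labeled entry point: the fix is a domain transition, not a
    # bare can_exec. TARGET_DOMAIN is a placeholder the policy author fills in.
    return {"kind": "missing_transition",
            "suggestion": f"domain_auto_trans({stype}, {ttype}, TARGET_DOMAIN)"}


def triage_log(lines):
    """Parse every AVC line in an iterable of log lines and triage each one."""
    results = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            results.append(assess(d))
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['kind']:>19}: {r['suggestion']}")
```

Run against the two constructed lines, the first is reported as a mislabel and the second yields `domain_auto_trans(init_t, xserver_exec_t, TARGET_DOMAIN)`, which matches the shape of the rule proposed in the reply once TARGET_DOMAIN is replaced by xdm_xserver_t.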