Re: policy rules for use as Xterminal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 12 Apr 2004 20:36, Herald van der Breggen <herald@xxxxxxxxxxxxxxxxx> 
wrote:
> removed the line
> #x:5:respawn:/etc/X11/prefdm -nodaemon
>
> added the line
> x:5:respawn:/usr/X11R6/bin/X -query 192.168.1.12
>
> The current policy files don't allow init to start X (which is a symlink
> to XFree in the same direcory).
>
> avc:  denied  { execute } for  pid=3058 exe=/sbin/init name=XFree86
> dev=hda5 ino=395703 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:policy_config_t tclass=file

Firstly there is something very wrong in having the file labeled as 
policy_config_t.  Please use setfiles to relabel /usr/X11R6 before trying it 
again.

> Question one: should the default set of policy rules not allow this?

Yes, I think it should.

> Question two: what is the best way to allow to start the X server by
> init? I am new to selinux and have trouble to find my way. I struggled
> with the newrules.pl script (which not seemed to right way to solve this
> problem) and tried rules like
>
> can_exec(init_t, xserver_exec_t);
> can_exec(init_t, xserver_log_t);

I don't know why a log file is being executed, I guess that there is a 
mislabeled file.  Maybe relabelling your system would be a good idea.

As for solving the problem, what you want is for init_t to transition to 
xdm_xserver_t (the domain for system X server processes).  The following 
policy should work:

domain_auto_trans(init_t, xserver_exec_t, xdm_xserver_t)

Please try it and let me know how it works (very important).  I don't have a 
network setup for testing X terms so I need positive feedback from you if I 
am to include this policy in my tree.  If you want to have this work on a 
default Fedora SE Linux install then let me know how it works, if it doesn't 
work then tell me the AVC messages you get.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux