On Mon 12-04-2004, at 15:29, Russell Coker wrote:
> On Mon, 12 Apr 2004 20:36, Herald van der Breggen <herald@xxxxxxxxxxxxxxxxx>
> wrote:
> > removed the line
> > #x:5:respawn:/etc/X11/prefdm -nodaemon
> >
> > added the line
> > x:5:respawn:/usr/X11R6/bin/X -query 192.168.1.12
> >
> > The current policy files don't allow init to start X (which is a symlink
> > to XFree in the same directory).
> >
> > avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86
> > dev=hda5 ino=395703 scontext=system_u:system_r:init_t
> > tcontext=system_u:object_r:policy_config_t tclass=file
>
> Firstly there is something very wrong in having the file labeled as
> policy_config_t. Please use setfiles to relabel /usr/X11R6 before trying it
> again.

Yes, you are right, in my attempts to fix the problem, I made a mistake.
I did a relabel and now a "better" avc message appears when init tries
to start X:

avc: denied { execute } for pid=1908 exe=/sbin/init name=XFree86 dev=hda5 ino=395703 scontext=system_u:system_r:init_t tcontext=system_u:object_r:xserver_exec_t tclass=file

> > Question one: should the default set of policy rules not allow this?
>
> Yes, I think it should.
>
> > Question two: what is the best way to allow to start the X server by
> > init? I am new to selinux and have trouble to find my way. I struggled
> > with the newrules.pl script (which did not seem to be the right way to
> > solve this problem) and tried rules like
> >
> > can_exec(init_t, xserver_exec_t);
> > can_exec(init_t, xserver_log_t);
>
> I don't know why a log file is being executed, I guess that there is a
> mislabeled file. Maybe relabelling your system would be a good idea.
>
> As for solving the problem, what you want is for init_t to transition to
> xdm_xserver_t (the domain for system X server processes). The following
> policy should work:
>
> domain_auto_trans(init_t, xserver_exec_t, xdm_xserver_t)

I have put the line in domains/program/init.te, did a "make load" and
there were no more avc messages anymore. Nice! The only thing was that
the screen stayed black. I decided to reboot. And after that... It
worked! So, the domain_auto_trans line really works!

Thanks a lot!

Herald
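
Added example (not part of the original thread or of the SELinux policy sources): a small Python triage of the two AVC denials quoted above, separating the mislabeled-file case from the one that calls for a domain transition. The `_exec_t` suffix check is a rough heuristic assumed for this example, and `<target_domain>` is a placeholder for a policy decision (in this thread the answer for X was xdm_xserver_t).

```python
import re

# The two denials quoted in the thread (before and after the relabel).
SAMPLE_AVCS = [
    "avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86 "
    "dev=hda5 ino=395703 scontext=system_u:system_r:init_t "
    "tcontext=system_u:object_r:policy_config_t tclass=file",
    "avc: denied { execute } for pid=1908 exe=/sbin/init name=XFree86 "
    "dev=hda5 ino=395703 scontext=system_u:system_r:init_t "
    "tcontext=system_u:object_r:xserver_exec_t tclass=file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Split one 'avc: denied' line into permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; policy rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Return (action, detail): fix labels first, write policy second."""
    src, tgt = rec["stype"], rec["ttype"]
    if rec["tclass"] == "file" and "execute" in rec["perms"]:
        if not tgt.endswith("_exec_t"):
            # Heuristic (assumption): program entry points are normally typed
            # *_exec_t, so anything else being executed suggests a wrong label.
            return ("relabel", "%s is typed %s; run setfiles" % (rec.get("name"), tgt))
        # Correct label: transition to a confined domain rather than can_exec.
        return ("transition", "domain_auto_trans(%s, %s, <target_domain>)" % (src, tgt))
    # Anything else needs a human to decide whether access should be granted.
    return ("review", "%s -> %s:%s { %s }" % (src, tgt, rec["tclass"], " ".join(rec["perms"])))

if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        print(triage(parse_avc(line)))
```
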