On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
> > Tom London wrote:
> > > On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > >
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >>
> > >>
> > >> Tom London wrote:
> > >> > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux@xxxxxxxxx> wrote:
> > >> >> After applying today's selinux-policy* packages, gnome/gdm login
> > >> >> fails: gdmgreeter runs, but X quickly dies after enter password and
> > >> >> you're back to the greeter.
> > >> >>
> > >> >> Booting up in permissive lets me log in.
> > >> >>
> > >> >> Here are the borkages:
> > >> >>
> > >> >>
> > >> >> #============= mono_t ==============
> > >> >> allow mono_t xdm_xserver_t:x_device read;
> > >> >>
> > >> >> #============= unconfined_execmem_t ==============
> > >> >> allow unconfined_execmem_t xdm_xserver_t:x_device read;
> > >> >>
> > >> >> #============= unconfined_t ==============
> > >> >> allow unconfined_t mono_t:x_resource write;
> > >> >> allow unconfined_t unconfined_execmem_t:x_resource { write read };
> > >> >> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
> > >> >> [root@localhost ~]#
> > >> >>
> >
> > The "null" avc's are fixed in the upstream X server. This is a bad
> > security hook call in the GLX code and affects GLX programs such as compiz.
> >
> > The unlabeled AVC is the result of a mislabeled program?
> >
> >
> >
> > --
> > Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> > National Security Agency
> >
> >
> I've backed up policy to previous version, and checking for unlabeled
> programs indicates nothing amiss.
>
> No programs were relabeled on install of poicy; something else I should check?
grep 'invalidating context' /var/log/messages
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
