On Thu, Feb 28, 2008 at 1:50 PM, Tom London <selinux@xxxxxxxxx> wrote:
>
> On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
> > > On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
> > > > Tom London wrote:
> > > > > On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > > > >
> > > > >> -----BEGIN PGP SIGNED MESSAGE-----
> > > > >> Hash: SHA1
> > > > >>
> > > > >> Tom London wrote:
> > > > >> > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux@xxxxxxxxx> wrote:
> > > > >> >> After applying today's selinux-policy* packages, gnome/gdm login
> > > > >> >> fails: gdmgreeter runs, but X quickly dies after entering the password and
> > > > >> >> you're back to the greeter.
> > > > >> >>
> > > > >> >> Booting up in permissive lets me log in.
> > > > >> >>
> > > > >> >> Here are the borkages:
> > > > >> >>
> > > > >> >> #============= mono_t ==============
> > > > >> >> allow mono_t xdm_xserver_t:x_device read;
> > > > >> >>
> > > > >> >> #============= unconfined_execmem_t ==============
> > > > >> >> allow unconfined_execmem_t xdm_xserver_t:x_device read;
> > > > >> >>
> > > > >> >> #============= unconfined_t ==============
> > > > >> >> allow unconfined_t mono_t:x_resource write;
> > > > >> >> allow unconfined_t unconfined_execmem_t:x_resource { write read };
> > > > >> >> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
> > > > >> >> [root@localhost ~]#
> > > > >> >>
> > > >
> > > > The "null" avc's are fixed in the upstream X server. This is a bad
> > > > security hook call in the GLX code and affects GLX programs such as compiz.
> > > >
> > > > The unlabeled AVC is the result of a mislabeled program?
> > > >
> > > > --
> > > > Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> > > > National Security Agency
> > >
> > > I've backed up policy to previous version, and checking for unlabeled
> > > programs indicates nothing amiss.
> > >
> > > No programs were relabeled on install of policy; something else I should check?
> >
> > grep 'invalidating context' /var/log/messages
> >
> > --
> > Stephen Smalley
> > National Security Agency
>
> [root@localhost ~]# grep 'invalidating context' /var/log/messages
> Feb 27 07:13:31 localhost kernel: security: invalidating context
> unconfined_u:unconfined_r:samba_net_t:s0
> Feb 28 06:47:08 localhost kernel: security: invalidating context
> system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
> Feb 28 06:47:08 localhost kernel: security: invalidating context
> unconfined_u:system_r:httpd_unconfined_script_t:s0
> Feb 28 06:47:08 localhost kernel: security: invalidating context
> unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context
> unconfined_u:system_r:httpd_user_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context
> unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
> Feb 28 07:46:11 localhost kernel: security: invalidating context
> system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
> [root@localhost ~]#
>

Downloading the latest selinux-policy and xorg-x11-server packages from koji fixes this for me:

[root@localhost ~]# rpm -qa selinux\* xorg-x11-server\*
xorg-x11-server-utils-7.3-3.fc9.i386
selinux-policy-targeted-3.3.1-7.fc9.noarch
xorg-x11-server-common-1.4.99.1-0.26.20080227.fc9.i386
selinux-policy-devel-3.3.1-7.fc9.noarch
selinux-policy-3.3.1-7.fc9.noarch
xorg-x11-server-Xorg-1.4.99.1-0.26.20080227.fc9.i386
[root@localhost ~]#

"grep 'invalidating context' /var/log/messages" shows nothing.

Thanks for the quick work on this!
tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
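The check Stephen suggests above, grepping /var/log/messages for "invalidating context", tells you which security contexts the kernel dropped because their type no longer exists in the newly loaded policy. The following Python script is an added example, not code from the thread or from the Fedora policy packages: it parses such kernel log lines into structured records, counts the invalidated types, and reports which of them are absent from a supplied list of policy types (which in practice you would obtain from `seinfo -t`; here the list is passed in as an argument). The sample log text is constructed for the example, modelled on the lines quoted in the thread but written unwrapped, as they appear in the real log file.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of /var/log/messages lines, modelled on those quoted in the thread.
# The final audit line is constructed too, to show that unrelated kernel lines are skipped.
SAMPLE_LOG = """\
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
Feb 28 07:46:12 localhost kernel: audit(1204213572.123:45): avc:  denied  { read } for  pid=1234 comm="Xorg"
"""

# syslog timestamp, host, then the fixed kernel message followed by one context string
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"security: invalidating context (?P<ctx>\S+)$"
)


@dataclass(frozen=True)
class Invalidation:
    timestamp: str
    host: str
    user: str
    role: str
    type: str
    range: str  # MLS/MCS range; empty string on a policy without MLS fields


def parse_context(ctx):
    """Split user:role:type[:range]; the range may itself contain colons (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else ""
    return user, role, type_, mls


def parse_invalidations(text):
    """Return one Invalidation per 'invalidating context' kernel line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, role, type_, mls = parse_context(m.group("ctx"))
        records.append(Invalidation(m.group("ts"), m.group("host"), user, role, type_, mls))
    return records


def invalidated_types(records):
    """Count how often each type was invalidated; a type seen many times hints at a widely used label."""
    return Counter(r.type for r in records)


def unknown_types(records, policy_types):
    """Invalidated types that are not defined in the loaded policy.

    policy_types is assumed to be the type list of the current policy (e.g. the output
    of `seinfo -t`); any type listed there was invalidated for some other reason.
    """
    return sorted({r.type for r in records} - set(policy_types))


if __name__ == "__main__":
    recs = parse_invalidations(SAMPLE_LOG)
    for type_, n in invalidated_types(recs).most_common():
        print(f"{n:3d}  {type_}")
    print("missing from policy:", unknown_types(recs, ["httpd_user_script_t"]))
```

Run against the real file with `python3 script.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin.read()`; an empty result after a policy update, as in Tom's final message, is the expected healthy state.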