Re: X avcs

Ok, that helped the issue with the notification-daemon. Now I'm looking
at some avcs generated while running one of our apps and have some
more questions. I first ran QBrowser at CONFIDENTIAL(s2:c0.c253) and then
later ran it at TS(s4:c0.c253). CUT_BUFFER0 and _MOTIF_DRAG_TARGETS
got created at CONFIDENTIAL and then the TS instance of the app tried
to use them. Do we need polyinstantiated properties? Or maybe the type
should change on write.

avc:  denied  { write } for request=X11:ChangeProperty
comm=/opt/jcdx/bin/QBrowser property=CUT_BUFFER0
scontext=swo_u:user_r:user_t:s4:c0.c253
tcontext=swo_u:object_r:clipboard_xproperty_t:s2:c0.c253
tclass=x_property
avc:  denied  { write } for request=X11:ChangeProperty
comm=/opt/jcdx/bin/QBrowser property=_MOTIF_DRAG_TARGETS
scontext=swo_u:user_r:user_t:s4:c0.c253
tcontext=swo_u:object_r:user_default_xproperty_t:s2:c0.c253
tclass=x_property

Why are the root window drawable and root color map s0?

avc:  denied  { send } for request=X11:SendEvent
comm=/opt/jcdx/bin/QBrowser resid=76 restype=WINDOW
scontext=swo_u:user_r:user_t:s4:c0.c253
tcontext=system_u:object_r:x_rootwindow_t:s0 tclass=x_drawable
avc:  denied  { remove_color } for request=X11:FreeColors
comm=/opt/jcdx/bin/QBrowser resid=20 restype=COLORMAP
scontext=swo_u:user_r:user_t:s4:c0.c253
tcontext=system_u:object_r:x_rootcolormap_t:s0 tclass=x_colormap

On Dec 28, 2007 3:26 PM, Xavier Toth <txtoth@xxxxxxxxx> wrote:
> Thanks I'll check it out.
>
>
> On Dec 28, 2007 1:34 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
> >
> > Xavier Toth wrote:
> > > What about labeling notification-daemon as other gnome apps have been
> > > labeled (user_xpriv_t)?
> > >
> > > On Dec 26, 2007 3:01 PM, Xavier Toth <txtoth@xxxxxxxxx> wrote:
> > >
> > >> swo_u who is running ranged (systemlow-systemhigh) uses newrole to
> > >> launch an X windows app at systemhigh and then I get avcs like the
> > >> following:
> > >>
> > >> avc:  denied  { receive } for request=X11:ChangeWindowAttributes
> > >> comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW
> > >> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
> > >> avc:  denied  { get_property } for request=X11:GetProperty
> > >> comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW
> > >> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
> > >> avc:  denied  { receive } for  comm=/usr/libexec/notification-daemon
> > >> event=X11:MapNotify scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_manage_xevent_t:s15:c0.c1023
> > >> tclass=x_event
> > >> avc:  denied  { receive } for  comm=/usr/libexec/notification-daemon
> > >> event=X11:VisibilityNotify
> > >> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_default_xevent_t:s15:c0.c1023
> > >> tclass=x_event
> > >> avc:  denied  { receive } for  comm=/usr/libexec/notification-daemon
> > >> event=X11:PropertyNotify scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_property_xevent_t:s15:c0.c1023
> > >> tclass=x_event
> > >> avc:  denied  { receive } for  comm=/usr/libexec/notification-daemon
> > >> event=X11:FocusIn scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_focus_xevent_t:s15:c0.c1023
> > >> tclass=x_event
> > >> avc:  denied  { getattr } for request=X11:GetGeometry
> > >> comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW
> > >> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
> > >> avc:  denied  { read } for request=X11:GetProperty
> > >> comm=/usr/libexec/notification-daemon property=WM_NAME
> > >> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
> > >> tcontext=swo_u:object_r:user_default_xproperty_t:s15:c0.c1023
> > >> tclass=x_property
> > >>
> >
> > These are all allowed by the TE rules.  So I think this is an MLS issue.
> >
> > I committed read-to-clearance and write-to-clearance interfaces and went
> > ahead and granted read-to-clearance in the per-role template.  The patch
> > I committed is below.  So update from SVN and see if that solves the
> > problem.
> >
> > Index: policy/modules/kernel/mls.if
> > ===================================================================
> > --- policy/modules/kernel/mls.if        (revision 2565)
> > +++ policy/modules/kernel/mls.if        (working copy)
> > @@ -612,6 +612,26 @@
> >  ########################################
> >  ## <summary>
> >  ##     Make specified domain MLS trusted
> > +##     for reading from X objects up to its clearance.
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed access.
> > +##     </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`mls_xwin_read_to_clearance',`
> > +       gen_require(`
> > +               attribute mlsxwinreadtoclr;
> > +       ')
> > +
> > +       typeattribute $1 mlsxwinreadtoclr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##     Make specified domain MLS trusted
> >  ##     for reading from X objects at any level.
> >  ## </summary>
> >  ## <param name="domain">
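Review bot: the gen_require at the top of mls_xwin_read_to_clearance asks for `attribute mlsxwinreadtoclr;`, but nothing in this patch declares that attribute or adds the MLS constraint clause that exempts it, so as posted the interface only builds if mls.te and the policy/mls constraints were changed in a commit not shown here; either include those hunks or say in the message that they went in separately. The summary and parameter documentation otherwise follow the existing mls_xwin_read_all_levels block below.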
> > @@ -632,6 +652,26 @@
> >  ########################################
> >  ## <summary>
> >  ##     Make specified domain MLS trusted
> > +##     for write to X objects up to its clearance.
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed access.
> > +##     </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`mls_xwin_write_to_clearance',`
> > +       gen_require(`
> > +               attribute mlsxwinwritetoclr;
> > +       ')
> > +
> > +       typeattribute $1 mlsxwinwritetoclr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##     Make specified domain MLS trusted
> >  ##     for writing to X objects at any level.
> >  ## </summary>
> >  ## <param name="domain">
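Review bot: the summary line "for write to X objects up to its clearance" does not match the parallel wording used everywhere else in this file ("for reading from X objects ...", "for writing to X objects at any level"); suggest "for writing to X objects up to its clearance". As with the read interface, `attribute mlsxwinwritetoclr;` is required here but its declaration and the matching constraint clause are not part of the posted diff.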
> > Index: policy/modules/services/xwindows.if
> > ===================================================================
> > --- policy/modules/services/xwindows.if (revision 2565)
> > +++ policy/modules/services/xwindows.if (working copy)
> > @@ -374,6 +374,7 @@
> >         #
> >
> >         xwindows_domain_template($1,$1,$2,$3)
> > +       mls_xwin_read_to_clearance($2)
> >
> >         # FIXME: this domain should be removed
> >         xwindows_domain_template($1,$1_xpriv,$1_xpriv_t,$3)
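Review bot: `mls_xwin_read_to_clearance($2)` is applied only to the main domain `$2`; the `$1_xpriv_t` domain created by the xwindows_domain_template call on the very next line gets nothing, so a client labeled user_xpriv_t (the labeling proposed for notification-daemon earlier in the thread) would still hit the same receive/get_property denials at s15. Either call the interface for both domains or add a comment saying why the xpriv domain is left out, and a one-line comment that read-to-clearance is granted to every X user domain by default while write-to-clearance deliberately is not would help the next reader of the template.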
> >
> >
> >
> > --
> > Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> > National Security Agency
> >
> >
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
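The diagnosis in the thread (Eamon's "allowed by the TE rules, so this is an MLS issue" and Xavier's observation that an s4 client was writing properties created at s2) can be made mechanical. The following is an added example, not code from the thread, from refpolicy or from the X server: it parses the key=value layout of the X server's AVC records quoted above and labels each denial by the MLS relation between subject and object. The dominance rules it applies are an assumption stated in the comments (read-down permitted, write only at equal level, the "to clearance" trust relaxing the read check to the subject's high level), since the posted patch shows the interfaces but not the constraints. The sample records are constructed, copied in shape from the thread's AVCs.

```python
"""Classify X-server AVC denials by the MLS relation between the two contexts."""
import re
from dataclasses import dataclass

# Constructed sample input: three records with the field layout of the AVCs
# quoted in the thread, each on a single line.
SAMPLE_AVCS = """\
avc:  denied  { write } for request=X11:ChangeProperty comm=/opt/jcdx/bin/QBrowser property=CUT_BUFFER0 scontext=swo_u:user_r:user_t:s4:c0.c253 tcontext=swo_u:object_r:clipboard_xproperty_t:s2:c0.c253 tclass=x_property
avc:  denied  { send } for request=X11:SendEvent comm=/opt/jcdx/bin/QBrowser resid=76 restype=WINDOW scontext=swo_u:user_r:user_t:s4:c0.c253 tcontext=system_u:object_r:x_rootwindow_t:s0 tclass=x_drawable
avc:  denied  { receive } for request=X11:ChangeWindowAttributes comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW scontext=swo_u:user_r:user_t:s0-s15:c0.c1023 tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
"""


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a set of categories."""
    sens: int
    cats: frozenset

    def dominates(self, other):
        # Standard MLS dominance: higher-or-equal sensitivity and a superset
        # of the categories.
        return self.sens >= other.sens and self.cats >= other.cats


def parse_cats(spec):
    """'c0.c3,c7' -> {0,1,2,3,7}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(spec):
    """'s4:c0.c253' or 's0' -> Level."""
    sens, _, cats = spec.partition(":")
    return Level(int(sens[1:]), parse_cats(cats))


def parse_context(ctx):
    """'user:role:type:low[-high]' -> (type, low, high).

    A single-level context has high == low.
    """
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return typ, lo, (parse_level(high) if high else lo)


FIELD_RE = re.compile(r"(\w+)=(\S+)")
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")

# X permissions that only observe the target; anything else is treated as
# modifying it. Assumption: this split mirrors the read/write grouping the
# MLS constraints use for the X object classes.
READ_LIKE = {"read", "receive", "getattr", "get_property", "list_property",
             "get_value", "list_child", "getfocus"}


def parse_avc(line):
    """Return (permissions, {field: value}) for one 'avc: denied' record."""
    perms = PERMS_RE.search(line).group(1).split()
    return perms, dict(FIELD_RE.findall(line))


def classify(line):
    """Label the MLS relation the denied access would need.

    'mls-ok' means the assumed MLS rules already permit it, so the denial
    must come from the TE rules instead.
    """
    perms, f = parse_avc(line)
    _, s_low, s_high = parse_context(f["scontext"])  # subject: current, clearance
    _, t_low, _ = parse_context(f["tcontext"])       # object: single level
    if perms[0] in READ_LIKE:
        if s_low.dominates(t_low):
            return "mls-ok"                  # read-down or same level
        if s_high.dominates(t_low):
            return "read-to-clearance"       # within clearance: mls_xwin_read_to_clearance
        return "read-above-clearance"        # only mls_xwin_read_all_levels would do
    if s_low == t_low:
        return "mls-ok"                      # write at equal level
    if s_low.dominates(t_low):
        return "write-down"                  # polyinstantiate, or mls_xwin_write_all_levels
    if t_low.dominates(s_low) and s_high.dominates(t_low):
        return "write-to-clearance"          # mls_xwin_write_to_clearance
    return "write-above-clearance"           # incomparable levels or above clearance


def report(text):
    """Classify every avc line in text as (comm, first permission, verdict)."""
    out = []
    for line in text.splitlines():
        if not line.startswith("avc:"):
            continue
        perms, f = parse_avc(line)
        out.append((f.get("comm"), perms[0], classify(line)))
    return out


if __name__ == "__main__":
    for comm, perm, verdict in report(SAMPLE_AVCS):
        print(f"{comm:40} {perm:14} {verdict}")
```

Run against the constructed records, the two QBrowser denials come out as write-down (an s4 subject touching s2 and s0 objects, which no "to clearance" attribute can fix, hence the polyinstantiation question) and the notification-daemon denial as read-to-clearance (current level s0, clearance s15, object at s15), which is exactly the case the committed mls_xwin_read_to_clearance interface is meant to cover. Feed it `ausearch -m AVC` output or the X server log to triage a whole session at once.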
