Re: Permissive mode for xace is broken.

> Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Stephen Smalley wrote:
>> On Mon, 2008-02-25 at 09:48 -0500, Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Stephen Smalley wrote:
>>>> On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
>>>>> On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> If I turn on xserver_object_manager in rawhide and log in as staff_t in
>>>>>> permissive mode, I get all sorts of things failing, which makes writing
>>>>>> policy for it very difficult.  And is very broken.
>>>>> Hmmm...as I understood it, XSELinux should follow the kernel's enforcing
>>>>> status by default (i.e. if the kernel is permissive, then so should
>>>>> XSELinux), unless you explicitly configure enforcing= in xorg.conf to
>>>>> specify a different setting for the X server than the kernel.  You are
>>>>> supposed to be able to make the X server permissive w/o making the
>>>>> kernel permissive via xorg configuration, I believe, although I'm not
>>>>> sure that made it into the rawhide xorg yet.
>>>> Doesn't look like the rawhide xorg server has that support yet.
>>>>
>>>> But it should follow the kernel's enforcing status.  You should see log
>>>> messages with "received setenforce notice (enforcing=...)" in them from
>>>> both dbus and X in either /var/log/messages or /var/log/audit/audit.log.
>>>>
>>> Looking at the code, I do not see security_getenforce() in the code.
>>> Are you saying that this is not necessary, the kernel will return
>>> allowed but generate the AVC?
>> Handling of enforcing status is hidden within the userspace AVC in
>> libselinux (libselinux/src/avc*.c).  avc_enforcing stores the current
>> value of the enforcing status and is updated when the kernel generates
>> the setenforce notification.  avc_setenforce is set if the object
>> manager explicitly sets its own enforcing mode to a specific value to
>> override the kernel status.
>>
>>> And the only one who mentions setenforce in /var/log/audit/audit.log in
>>> dbus not X?
>> Hmmm...that seems like a bug in X then, that it isn't getting the
>> notifications from the kernel (via netlink).
>
> Yes, XAce seems to be very broken in Rawhide.  Enforcing mode was working
> until I fixed the policy to allow xserver to talk to /selinux and run
> the validation routines.  Now xace is blowing up both in permissive and
> enforcing mode.
>
> Trying to start nm-applet is getting a BadWindow error.
>
> If you update to today's rawhide and try to log in in permissive mode,
> metacity and gconf will blow up.

I'll investigate the blowing up today. I'm puzzled by the BadWindow error; permission denials should always be indicated by "BadAccess". This may be the bug fixed by the errno patch I posted on Friday.

There is no support for configuring the X server in permissive/enforcing in xorg.conf. You can disable it from xorg.conf, but if it is not disabled, it will follow the system setting. I proposed adding support for this to /etc/selinux/config, which was shot down on the list. I have not moved forward with adding a permissive/enforcing switch to Xorg.

The X object manager logs all AVCs and status messages (including the AVC netlink stuff) through the audit system using libaudit calls (audit_log_user_avc_message, etc.). I disavow all responsibility for the messages once they enter libaudit.


--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
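The enforcing-mode handling Stephen describes above (avc_enforcing following the kernel's setenforce notification over netlink, avc_setenforce pinning an object manager's own mode, and a permissive object manager auditing a denial while still allowing the request), as an added example. This is not code from libselinux, Xorg or anyone on the thread: the om_* names, the om_avc struct and the constructed notification are this example's own, the SELNL_MSG_* values are redefined here to mirror <linux/selinux_netlink.h> so the file builds without it, and the caller passes in the kernel's mode where a real object manager would call security_getenforce().

```c
/* Added example: a stand-alone model of the userspace AVC's enforcing-mode
 * logic.  Names prefixed om_ are this example's own, not libselinux API. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>

#define SELNL_MSG_SETENFORCE 0x10   /* mirrors <linux/selinux_netlink.h> */
#define SELNL_MSG_POLICYLOAD 0x11

struct om_selnl_msg_setenforce { int32_t val; };   /* payload: new mode */

struct om_avc {
    int avc_enforcing;        /* 1: deny on failure, 0: audit only */
    int avc_setenforce;       /* 1: object manager pinned its own mode */
    unsigned denials_logged;  /* denials are audited in either mode */
    char last_log[160];       /* what the log/audit callback would receive */
};

/* Like avc_open(): take the kernel's mode unless the caller pins one (the
 * AVC_OPT_SETENFORCE case).  kernel_enforcing stands in for
 * security_getenforce(), which needs a live SELinux kernel. */
void om_avc_open(struct om_avc *avc, int kernel_enforcing, int pin, int pinned_value)
{
    memset(avc, 0, sizeof *avc);
    avc->avc_setenforce = pin ? 1 : 0;
    avc->avc_enforcing = pin ? !!pinned_value : !!kernel_enforcing;
}

/* Constructed input: one SELNL_MSG_SETENFORCE message laid out as the kernel
 * would send it on the netlink socket.  Returns bytes written, 0 on overflow. */
size_t om_build_setenforce_msg(unsigned char *buf, size_t cap, int32_t val)
{
    struct nlmsghdr nlh;
    struct om_selnl_msg_setenforce body = { val };
    size_t space = NLMSG_SPACE(sizeof body);

    if (cap < space)
        return 0;
    memset(&nlh, 0, sizeof nlh);
    nlh.nlmsg_len = (uint32_t)NLMSG_LENGTH(sizeof body);
    nlh.nlmsg_type = SELNL_MSG_SETENFORCE;
    memset(buf, 0, space);
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + NLMSG_HDRLEN, &body, sizeof body);
    return space;
}

/* Like avc_netlink_process(): consume one notification.  Returns 1 if the
 * mode changed, 0 if valid but nothing changed (pinned mode, policyload,
 * unknown type), -1 if malformed.  Every length is checked before a read:
 * the message is untrusted input to the object manager. */
int om_avc_netlink_process(struct om_avc *avc, const void *buf, size_t len)
{
    struct nlmsghdr nlh;
    const unsigned char *p = buf;

    if (len < (size_t)NLMSG_HDRLEN)
        return -1;
    memcpy(&nlh, p, sizeof nlh);
    if (nlh.nlmsg_len < (uint32_t)NLMSG_HDRLEN || nlh.nlmsg_len > len)
        return -1;

    if (nlh.nlmsg_type == SELNL_MSG_SETENFORCE) {
        struct om_selnl_msg_setenforce msg;
        int val;

        if (nlh.nlmsg_len < NLMSG_LENGTH(sizeof msg))
            return -1;
        memcpy(&msg, p + NLMSG_HDRLEN, sizeof msg);
        val = !!msg.val;
        /* The log line Stephen says to look for from both dbus and X. */
        snprintf(avc->last_log, sizeof avc->last_log,
                 "avc:  received setenforce notice (enforcing=%d)", val);
        if (avc->avc_setenforce)        /* pinned: note it, do not follow */
            return 0;
        avc->avc_enforcing = val;
        return 1;
    }
    /* POLICYLOAD would flush the cache in libselinux; nothing to flush here. */
    snprintf(avc->last_log, sizeof avc->last_log,
             "avc:  netlink message type %u ignored", (unsigned)nlh.nlmsg_type);
    return 0;
}

/* Tail of avc_has_perm(): `denied` holds the requested permission bits the
 * policy did not grant.  The denial is audited in both modes; only in
 * enforcing mode does it become -1/EACCES.  In permissive mode the caller
 * sees success, which is why a permissive object manager still emits AVCs. */
int om_avc_has_perm(struct om_avc *avc, uint32_t denied, const char *what)
{
    if (denied == 0)
        return 0;
    avc->denials_logged++;
    snprintf(avc->last_log, sizeof avc->last_log,
             "avc:  denied  { 0x%x } for %s (%s)", (unsigned)denied, what,
             avc->avc_enforcing ? "enforcing" : "permissive");
    if (avc->avc_enforcing) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

int main(void)
{
    struct om_avc x;                  /* X-server style: mode not pinned */
    unsigned char buf[64];
    size_t n = om_build_setenforce_msg(buf, sizeof buf, 0);  /* setenforce 0 */

    om_avc_open(&x, 1, 0, 0);
    om_avc_netlink_process(&x, buf, n);
    printf("%s\n", x.last_log);
    printf("decision=%d  %s\n", om_avc_has_perm(&x, 0x2, "x_drawable"), x.last_log);
    return 0;
}
```

Build with `cc -Wall om_avc.c`. On a real system the equivalent check is the one Stephen gives: after a setenforce, both dbus and X should produce a "received setenforce notice (enforcing=...)" line in /var/log/messages or /var/log/audit/audit.log; an object manager that never logs it is not receiving the netlink notifications and will keep whatever mode it started with.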


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
