Re: Permissive mode for xace is broken.

Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel J Walsh wrote:
Stephen Smalley wrote:
On Mon, 2008-02-25 at 09:48 -0500, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If I turn on xserver_object_manager in rawhide and log in as staff_t in
permissive mode, I get all sorts of things failing, which makes writing
policy for it very difficult.  And is very broken.
Hmmm...as I understood it, XSELinux should follow the kernel's enforcing
status by default (i.e. if the kernel is permissive, then so should
XSELinux), unless you explicitly configure enforcing= in xorg.conf to
specify a different setting for the X server than the kernel.  You are
supposed to be able to make the X server permissive w/o making the
kernel permissive via xorg configuration, I believe, although I'm not
sure that made it into the rawhide xorg yet.
Doesn't look like the rawhide xorg server has that support yet.

But it should follow the kernel's enforcing status.  You should see log
messages with "received setenforce notice (enforcing=...)" in them from
both dbus and X in either /var/log/messages or /var/log/audit/audit.log.

Looking at the code, I do not see security_getenforce() in the code.
Are you saying that this is not necessary, that the kernel will return
allowed but generate the AVC?
Handling of enforcing status is hidden within the userspace AVC in
libselinux (libselinux/src/avc*.c).  avc_enforcing stores the current
value of the enforcing status and is updated when the kernel generates
the setenforce notification.  avc_setenforce is set if the object
manager explicitly sets its own enforcing mode to a specific value to
override the kernel status.
And the only one who mentions setenforce in /var/log/audit/audit.log is
dbus, not X?
Hmmm...that seems like a bug in X then, that it isn't getting the
notifications from the kernel (via netlink).
Yes XAce seems to be very broken in Rawhide.  Enforcing mode was working
until I fixed the policy to allow xserver to talk to /selinux and run
the validation routines.  Now xace is blowing up both in permissive and
enforcing mode.

Trying to start nm-applet is getting a BadWindow error.

If you update to today's rawhide and try to log in in permissive mode,
metacity and gconf will blow up.


nm-applet --sync
The program 'nm-applet' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
  (Details: serial 228 error_code 3 request_code 2 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)


This is a serious problem, and needs to be fixed ASAP, or I need to pull
support for xace from policy.

Here's problem #1, after switching from refpolicy to targeted, reboot with full relabel, and setenforce 1. We'll see what boolean I forgot to set.


# ssh moss-charon
Last login: Mon Feb 25 16:36:55 2008 from moss-huskies.epoch.ncsc.mil
/bin/bash: Permission denied
Connection to moss-charon closed.



--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
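The thread turns on two things: how libselinux's userspace AVC tracks enforcing status (avc_enforcing follows the kernel's netlink setenforce notice unless avc_setenforce was pinned by the object manager), and Stephen's suggested check that both dbus and X log "received setenforce notice (enforcing=...)". The following is an added example, not code from the thread or from libselinux: it models that enforcing-status logic in Python (the UserspaceAVC class and its method names are my own; the behaviour it mirrors is an assumption about libselinux's avc_open/AVC_OPT_SETENFORCE path and netlink callback) and runs the log check over a few constructed syslog lines in which only dbus acknowledged the notice, as Dan reported.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not from the thread). The phrase
# "received setenforce notice (enforcing=N)" is what libselinux's userspace
# AVC logs when the kernel's netlink setenforce notification arrives; the
# host name, process names and PIDs are made up for this example.
SAMPLE_LOG = """\
Feb 25 16:30:01 host kernel: audit(1203956401.123:45): enforcing=0 old_enforcing=1 auid=500
Feb 25 16:30:01 host dbus-daemon[2041]: avc:  received setenforce notice (enforcing=0)
Feb 25 16:30:02 host gdm[1918]: some unrelated line
Feb 25 16:35:10 host dbus-daemon[2041]: avc:  received setenforce notice (enforcing=1)
"""

# syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
NOTICE_RE = re.compile(
    r"^\S+ +\d+ +[\d:]+ +\S+ +(?P<proc>[^\[:]+)(?:\[\d+\])?: "
    r".*received setenforce notice \(enforcing=(?P<mode>[01])\)"
)


def setenforce_notices(log_text):
    """Map each process that logged a setenforce notice to the last mode it saw."""
    seen = {}
    for line in log_text.splitlines():
        m = NOTICE_RE.match(line)
        if m:
            seen[m.group("proc")] = int(m.group("mode"))
    return seen


def missing_notices(log_text, expected_managers):
    """Object managers that never acknowledged a kernel setenforce notice.

    A manager listed here is running with whatever enforcing value it read
    at startup, which is the symptom Dan saw for X.
    """
    return sorted(set(expected_managers) - set(setenforce_notices(log_text)))


@dataclass
class UserspaceAVC:
    """Model (assumption) of how the libselinux userspace AVC tracks enforcing.

    avc_enforcing  - current enforcing value used for decisions
    avc_setenforce - 1 when the object manager pinned its own mode via
                     AVC_OPT_SETENFORCE at avc_open(); kernel notices are
                     then ignored
    """
    avc_enforcing: int
    avc_setenforce: int = 0

    @classmethod
    def open(cls, kernel_enforcing, setenforce_override=None):
        # Without an override the AVC starts from the kernel's current value
        # (libselinux reads it with security_getenforce()).
        if setenforce_override is not None:
            return cls(avc_enforcing=int(bool(setenforce_override)), avc_setenforce=1)
        return cls(avc_enforcing=int(bool(kernel_enforcing)))

    def on_setenforce_notice(self, enforcing):
        """Netlink SELNL_MSG_SETENFORCE handling: honour it unless pinned."""
        if not self.avc_setenforce:
            self.avc_enforcing = int(bool(enforcing))
        return self.avc_enforcing

    def decide(self, policy_allows):
        """Return (decision, audit_needed) the way avc_has_perm would.

        In permissive mode a denial is still audited but the access is
        granted; in enforcing mode it is refused.
        """
        if policy_allows:
            return ("allowed", False)
        return ("denied" if self.avc_enforcing else "allowed", True)


if __name__ == "__main__":
    print("notices seen:", setenforce_notices(SAMPLE_LOG))
    print("managers that missed the notice:",
          missing_notices(SAMPLE_LOG, ["dbus-daemon", "Xorg"]))
    avc = UserspaceAVC.open(kernel_enforcing=1)
    avc.on_setenforce_notice(0)          # setenforce 0 on the kernel
    print("following kernel, denied access ->", avc.decide(False))
    pinned = UserspaceAVC.open(kernel_enforcing=0, setenforce_override=1)
    pinned.on_setenforce_notice(0)       # ignored: mode pinned by the manager
    print("pinned enforcing, denied access ->", pinned.decide(False))
```

On a real box the input to `missing_notices` would be the contents of /var/log/messages or /var/log/audit/audit.log after a `setenforce` flip, and the expected list the object managers you know are running (dbus-daemon, and X once it registers for the netlink notifications); a manager that never shows up is the one to look at before touching policy.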
