On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
> Eamon Walsh wrote:
> > The X object manager logs all avc's and status messages (including the
> > AVC netlink stuff) through the audit system using libaudit calls
> > (audit_log_user_avc_message, etc.). I disavow all responsibility for
> > the messages once they enter libaudit.
>
> It's being black-holed in rawhide. To see for yourself, add the
> attached patch to the spec file and rebuild the xserver from SRPM. It
> will tee the avc messages into /var/log/Xorg.0.log.

Looking at the corresponding code in dbus, I see that dbus is calling both
audit_log_user_avc_message() (if HAVE_LIBAUDIT) and vsyslog(LOG_INFO...)
with the message.

Can you verify that the X server was able to create the audit socket
successfully? Things that could go wrong:

- X server uses privilege bracketing (switching uids or capabilities) and
  lacks the necessary audit capabilities.
- X server shuts down all descriptors _after_ you've opened the audit
  socket, thereby closing it down too.
- Policy doesn't allow X server to write audit messages (requires
  audit_write capability and netlink_audit_socket perms).

Dan, what policy are you using? trunk? or xselinux branch? I don't think
Chris has merged xselinux branch to trunk yet, or that it is necessarily
safe to work from that branch (i.e. things could change as part of the
merge in an incompatible way).

> Also, pull libselinux from upstream. The BadWindow error may be fixed.
>
> You'll have to report to me what you see in the X server output. I'm
> seeing tons of avc's: it doesn't appear as though staff_t is even
> getting X permissions allowed.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
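An added diagnostic for the first two failure modes in the checklist above (example code, not from the thread or the X server): it parses the CapEff line of /proc/self/status to check whether CAP_AUDIT_WRITE (bit 29 in linux/capability.h) survived privilege bracketing, and shows a close-all-descriptors loop that spares the fd holding the audit netlink socket. The sample status text is constructed; the fd to keep is assumed to be whatever audit_open() returned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#define CAP_AUDIT_WRITE 29  /* bit index from linux/capability.h */

/* Extract the effective capability mask from /proc/<pid>/status text.
 * Returns 0 when no CapEff line is present. */
uint64_t parse_capeff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* 1 if the mask carries the given capability bit, else 0. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read this process's own CapEff (e.g. right after dropping privileges)
 * and report whether it can still write audit messages.
 * Returns 1/0, or -1 if /proc is unreadable. */
int can_write_audit(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return has_cap(parse_capeff(buf), CAP_AUDIT_WRITE);
}

/* Close every descriptor above stderr except keep_fd (assumed to be the
 * audit socket), so a daemon's "close all fds" startup step does not
 * silently close the audit connection as well. */
void close_all_except(int keep_fd)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024;
    for (int fd = 3; fd < max; fd++)
        if (fd != keep_fd)
            close(fd);
}
```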