Stephen Smalley wrote:
> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>> Eamon Walsh wrote:
>>> The X object manager logs all avc's and status messages (including the
>>> AVC netlink stuff) through the audit system using libaudit calls
>>> (audit_log_user_avc_message, etc.) I disavow all responsibility for
>>> the messages once they enter libaudit
>> It's being black-holed in rawhide. To see for yourself, add the
>> attached patch to the spec file and rebuild the xserver from SRPM. It
>> will tee the avc messages into /var/log/Xorg.0.log.
>
> Looking at the corresponding code in dbus, I see that dbus is calling
> both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
> vsyslog(LOG_INFO...) with the message.
>
> Can you verify that the X server was able to create the audit socket
> successfully?
>
> Things that could go wrong:
> - X server uses privilege bracketing (switching uids or capabilities)
> and lacks the necessary audit capabilities.
> - X server shuts down all descriptors _after_ you've opened the audit
> socket, thereby closing it down too.
> - Policy doesn't allow X server to write audit messages (requires
> audit_write capability and netlink_audit_socket perms).
>
> Dan, what policy are you using? trunk? or xselinux branch?
> I don't think Chris has merged xselinux branch to trunk yet, or that it
> is necessarily safe to work from that branch (i.e. things could change
> as part of the merge in an incompatible way).
>
>> Also, pull libselinux from upstream. The BadWindow error may be fixed.
>>
>> You'll have to report to me what you see in the X server output. I'm
>> seeing tons of avc's: it doesn't appear as though staff_t is even
>> getting X permissions allowed.

I have merged changes from the xselinux into the Fedora pool. I am now
seeing AVC messages in the /var/log/audit/audit.log with an unreleased
policy.

My current policy does not generate AVC's with staff_t, but in
permissive mode/without the xserver_object_manager boolean set, lots of
XApps (toolbar apps) with BadWindow. In enforcing mode with the
xserver_object_manager boolean set they are also failing. I have updated
to the latest libselinux and am still seeing the problem.
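
Added example (not part of the thread, and not X server or libaudit code): a small C diagnostic for the three failure modes listed in the quoted reply. It checks the effective capability set for CAP_AUDIT_WRITE, opens a NETLINK_AUDIT socket, and tests whether a descriptor is still open. The function names are hypothetical, and the status text would normally come from /proc/<pid>/status of the X server rather than the diagnostic itself.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define CAP_AUDIT_WRITE_BIT 29 /* CAP_AUDIT_WRITE in <linux/capability.h> */

/* Parse the CapEff line of a /proc/<pid>/status text (hypothetical helper).
 * Returns 1 if CAP_AUDIT_WRITE is effective, 0 if not, -1 if no CapEff line. */
int has_cap_audit_write(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    unsigned long long caps = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((caps >> CAP_AUDIT_WRITE_BIT) & 1ULL);
}

/* Returns 1 if fd survived any later "close all descriptors" loop, else 0. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Check this process: capability bit, then an audit netlink socket. */
int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof(buf) - 1, f);
        buf[n] = '\0';
        fclose(f);
    }
    printf("CAP_AUDIT_WRITE effective: %d\n", has_cap_audit_write(buf));

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) {
        /* EACCES here can indicate a policy denial on netlink_audit_socket. */
        printf("audit socket: %s\n", strerror(errno));
        return 1;
    }
    printf("audit socket fd %d still open: %d\n", fd, fd_is_open(fd));
    return close(fd);
}
```

A process that drops capabilities after startup shows the bit cleared in CapEff even when it is still present in CapPrm, which is the privilege-bracketing case.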