Re: Permissive mode for xace is broken.

Daniel J Walsh wrote:

Stephen Smalley wrote:
On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
Eamon Walsh wrote:
The X object manager logs all avc's and status messages (including the AVC netlink stuff) through the audit system using libaudit calls (audit_log_user_avc_message, etc.). I disavow all responsibility for the messages once they enter libaudit.
It's being black-holed in rawhide. To see for yourself, add the attached patch to the spec file and rebuild the xserver from SRPM. It will tee the avc messages into /var/log/Xorg.0.log.
Looking at the corresponding code in dbus, I see that dbus is calling
both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
vsyslog(LOG_INFO...) with the message.

Can you verify that the X server was able to create the audit socket
successfully?

Things that could go wrong:
- X server uses privilege bracketing (switching uids or capabilities)
and lacks the necessary audit capabilities.
- X server shuts down all descriptors _after_ you've opened the audit
socket, thereby closing it down too.
- Policy doesn't allow X server to write audit messages (requires
audit_write capability and netlink_audit_socket perms).

Dan, what policy are you using?  trunk?  or xselinux branch?
I don't think Chris has merged xselinux branch to trunk yet, or that it
is necessarily safe to work from that branch (i.e. things could change
as part of the merge in an incompatible way).

Also, pull libselinux from upstream.  The BadWindow error may be fixed.

You'll have to report to me what you see in the X server output. I'm seeing tons of avc's: it doesn't appear as though staff_t is even getting X permissions allowed.





I have merged changes from the xselinux into the Fedora pool.  I am now
seeing AVC messages in the /var/log/audit/audit.log with an unreleased
policy.  My current policy does not generate AVC's with staff_t, but in
permissive mode/without the xserver_object_manager boolean set, lots of
XApps (toolbar apps) with BadWindow.  In enforcing mode with the
xserver_object_manager boolean set they are also failing.  I have
updated to the latest libselinux and am still seeing the problem.

I found the source of the BadWindow errors. I'm going to fix this upstream and throw an SRPM patch to Dan so he can test.

Also, I think I'm going to change XQueryPointer() from requiring "read" to simply "getattr" permission on the device. I really do think it should require "read," but too many things call it and we need to turn "read" off to prevent the xspy attack.

Finally, I'm going to try and get the polyinstantiation code for properties and selections in before the feature freeze.


--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
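
The first two items in the "Things that could go wrong" list above (missing audit capability, audit socket closed after opening) can be checked from /proc. The following is an added example, not part of the original thread or of the X server code; the function names are hypothetical, the sample /proc text is constructed, and it assumes a kernel whose /proc/net/netlink has "Eth" and "Inode" columns. The policy item (audit_write and netlink_audit_socket permissions) is not covered.

```python
import re

CAP_AUDIT_WRITE = 29  # capability bit number (linux/capability.h)
NETLINK_AUDIT = 9     # netlink protocol number (linux/netlink.h)

def has_audit_write(status_text):
    """True if CapEff in /proc/<pid>/status has the CAP_AUDIT_WRITE bit set."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    return bool(m) and bool((int(m.group(1), 16) >> CAP_AUDIT_WRITE) & 1)

def audit_socket_inodes(netlink_text):
    """Inodes of NETLINK_AUDIT sockets listed in /proc/net/netlink."""
    lines = netlink_text.strip().splitlines()
    header = lines[0].split()
    eth, ino = header.index("Eth"), header.index("Inode")
    rows = (line.split() for line in lines[1:])
    return {r[ino] for r in rows
            if len(r) == len(header) and int(r[eth]) == NETLINK_AUDIT}

def open_audit_fds(fd_links, netlink_text):
    """fd numbers whose /proc/<pid>/fd symlink is a NETLINK_AUDIT socket."""
    inodes = audit_socket_inodes(netlink_text)
    hits = []
    for fd, target in fd_links.items():
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m and m.group(1) in inodes:
            hits.append(fd)
    return sorted(hits)

def diagnose(status_text, fd_links, netlink_text):
    """Return the failure modes found (empty list means neither applies)."""
    findings = []
    if not has_audit_write(status_text):
        findings.append("CAP_AUDIT_WRITE missing from effective set")
    if not open_audit_fds(fd_links, netlink_text):
        findings.append("no open NETLINK_AUDIT socket")
    return findings

# Constructed sample data (not captured from a real X server).
SAMPLE_STATUS = "Name:\tXorg\nCapEff:\t0000000020000000\n"
SAMPLE_NETLINK = (
    "sk Eth Pid Groups Rmem Wmem Dump Locks Drops Inode\n"
    "0000000000000000 0 0 00000000 0 0 0 2 0 18\n"
    "0000000000000000 9 1234 00000000 0 0 0 2 0 40211\n")
SAMPLE_FDS = {0: "/dev/null", 5: "socket:[40211]", 6: "socket:[555]"}

if __name__ == "__main__":
    print(diagnose(SAMPLE_STATUS, SAMPLE_FDS, SAMPLE_NETLINK))
```

On a live system the three inputs would come from /proc/<pid>/status, the symlink targets under /proc/<pid>/fd, and /proc/net/netlink.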
