On Mar 9, 2008, at 2:36 PM, Xavier Toth wrote:
> selinux-policy 3.3.1-11
> xorg-x11-server-Xorg-1.4.99.900-0.28.20080304
> Error message something like:
> file_contexts line 0 invalid context system_u:object_r:info_xproperty_t:s0
> SELinux: Failed to set label property on window!
> I'm using MLS policy in permissive mode.
Using selinux-policy 3.3.1-13 (or what I think it will be) and xorg-x11-server-Xorg-1.4.99.901-1.20080307.fc9.i386 on a rawhide box built today, and with
setsebool xdm_sysadm_login on
setsebool xserver_object_manager on
setsebool allow_xserver_execmem on
setsebool allow_read_x_device on
I can log in to a Fedora 9 system in mls/Permissive as a normal user.
An attempt to login as 'Other' fails before the username prompt.
A 'restorecon -rv /' does have an X-related relabel:
restorecon reset /tmp/.X11-unix context system_u:object_r:tmp_t:s0->system_u:object_r:xdm_tmp_t:s0
The following AVCs were in dmesg:
type=1400 audit(1205177196.981:5): avc: denied { read } for pid=1299 comm="Xorg" name="mem" dev=tmpfs ino=3742 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=1400 audit(1205177197.000:6): avc: denied { getpgid } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1205177197.295:7): avc: denied { write } for pid=1299 comm="Xorg" name="mem" dev=tmpfs ino=3742 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=1400 audit(1205177197.546:8): avc: denied { read } for pid=1299 comm="Xorg" name="perms" dev=selinuxfs ino=67111368 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=1400 audit(1205177197.568:9): avc: denied { write } for pid=1299 comm="Xorg" name="create" dev=selinuxfs ino=7 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=1400 audit(1205177197.568:10): avc: denied { compute_create } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s15:c0.c1023 tclass=security
type=1400 audit(1205177197.680:11): avc: denied { check_context } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s15:c0.c1023 tclass=security
type=1400 audit(1205177198.574:12): avc: denied { signal } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
audit2allow says:
#============= initrc_t ==============
allow initrc_t mnt_t:dir mounton;
allow initrc_t ramfs_t:dir setattr;
#============= xdm_xserver_t ==============
allow xdm_xserver_t initrc_t:process { signal getpgid };
allow xdm_xserver_t memory_device_t:chr_file { read write };
allow xdm_xserver_t security_t:dir read;
allow xdm_xserver_t security_t:file write;
allow xdm_xserver_t security_t:security { check_context compute_create };
joe
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
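Editor's added example (not part of the message above, not audit2allow's own code): the allow rules at the end of the message are a mechanical collapse of the AVC records before them, one rule per (source type, target type, object class) with the denied permissions merged. The script below performs that collapse on the message's own xdm_xserver_t AVCs, re-joined onto one line each as the kernel logs them (the initrc_t rules in the message come from AVCs that were not posted, so they are not reproduced). Permission lists are sorted for deterministic output; real audit2allow may order them differently.

```python
"""Collapse SELinux AVC denial records into audit2allow-style allow rules.

Added example for the thread above; the sample input is constructed from the
message's own AVC records, each re-joined onto a single line.
"""
import re
from collections import defaultdict

# Constructed sample: the eight xdm_xserver_t denials from the message.
SAMPLE_AVCS = """\
type=1400 audit(1205177196.981:5): avc: denied { read } for pid=1299 comm="Xorg" name="mem" dev=tmpfs ino=3742 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=1400 audit(1205177197.000:6): avc: denied { getpgid } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1205177197.295:7): avc: denied { write } for pid=1299 comm="Xorg" name="mem" dev=tmpfs ino=3742 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:memory_device_t:s15:c0.c1023 tclass=chr_file
type=1400 audit(1205177197.546:8): avc: denied { read } for pid=1299 comm="Xorg" name="perms" dev=selinuxfs ino=67111368 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=1400 audit(1205177197.568:9): avc: denied { write } for pid=1299 comm="Xorg" name="create" dev=selinuxfs ino=7 scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=1400 audit(1205177197.568:10): avc: denied { compute_create } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s15:c0.c1023 tclass=security
type=1400 audit(1205177197.680:11): avc: denied { check_context } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s15:c0.c1023 tclass=security
type=1400 audit(1205177198.574:12): avc: denied { signal } for pid=1299 comm="Xorg" scontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=process
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of a user:role:type[:level] context. The MLS level may
    itself contain colons (s0-s15:c0.c1023), so split at most three times."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for any other line or for a
    truncated record missing scontext/tcontext/tclass (never guess those)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def allow_rules(log_text):
    """One allow rule per (source type, target type, class) with all denied
    permissions merged, which is what audit2allow emits from raw denials."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def render(rules):
    """Group rules under an audit2allow-style header per source type."""
    out, current = [], None
    for rule in rules:
        stype = rule.split()[1]
        if stype != current:
            out.append(f"#============= {stype} ==============")
            current = stype
        out.append(rule)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(allow_rules(SAMPLE_AVCS)))
```

Two caveats a policy writer would attach to output like this. First, the generated rules describe what was denied, not what should be allowed: memory_device_t is the label on /dev/mem and friends, so "allow xdm_xserver_t memory_device_t:chr_file { read write }" is a decision to make deliberately, and in a reference-policy tree such rules are normally expressed through the existing interfaces (audit2allow -R) rather than pasted in raw. Second, under MLS a denial produced by an mlsconstrain looks exactly like a missing TE rule in the AVC record (note the target levels such as s15:c0.c1023 above), so a type enforcement rule derived this way may not make the denial go away; checking the levels in scontext and tcontext before adding a rule is the quick test.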