Re: X in MLS enforcing problem

On Wed, Jun 11, 2008 at 8:48 AM, Ted X Toth <txtoth@xxxxxxxxx> wrote:
> Eamon Walsh wrote:
>>
>> Xavier Toth wrote:
>>
>> [snip]
>>
>>> Now I'm looking at the USER_AVCs and trying to figure out how to
>>> translate those into policy. Will audit2allow be updated to help with
>>> generating rules for the X USER_AVCs?
>>>
>>
>> The stock audit2allow parses my audit.log just fine.  It doesn't work for
>> you?
>>
>>
>>> For those who haven't seen the X user space object manager AVCs here
>>> are some examples:
>>> type=USER_AVC msg=audit(1213049927.142:132): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { blend } for request=X11:CreateWindow comm=dbus-launch resid=800001
>>> restype=WINDOW scontext=user_u:user_r:user_t:s0
>>> tcontext=user_u:object_r:user_t:s0 tclass=x_drawable :
>>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>>
>>
>> This is a program attempting to create a window with no background.  The
>> denial will cause the window background to be filled in with a solid color.
>>
>> Dontaudit should work here.
>>
>> However, window managers do need the blend permission (on all windows).
>>  The "compositing" feature requires this permission.
>>
>>
>>> type=USER_AVC msg=audit(1213049927.144:133): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { setattr } for request=X11:SetSelectionOwner comm=dbus-launch
>>>
>>> selection=_DBUS_SESSION_BUS_SELECTION_tedx_caa2282936b539cb3e36c2ae4845ed0b
>>> scontext=user_u:user_r:user_t:s0
>>> tcontext=system_u:object_r:xselection_t:s0 tclass=x_selection :
>>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>>
>>
>> This is a known issue.  I have not found an explanation yet for the
>> purpose of these D-BUS selections.
>>
>> There is no easy solution here.  The selabel system cannot handle these
>> funky names.  Even if there was regexp support, as Chris has indicated the
>> name contains a username, implying that it should be labeled with a derived
>> type.
>>
>> I think the "dbus-launch" program needs to undergo surgery to either not
>> create these things or to label them explicitly.
>
> If I were to do this I'd use either SetSelectionCreateContext or
> SetSelectionUseContext, could you explain the difference between them and
> which I should use?

I also will need to compute a new context from the process and default
selection contexts, but I'd need an object class definition
(SECCLASS_XSELECTION?) which I don't think exists yet, does it?

>>
>>
>>> type=USER_AVC msg=audit(1213049927.227:134): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { manage } for request=X11:ChangeHosts comm=xhost
>>> scontext=user_u:user_r:user_t:s0
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
>>> tclass=x_server : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>>> terminal=?)'
>>>
>>
>> Somewhere in the startup scripts xhost is being called to fiddle with the
>> lists of hosts that can connect to the server.
>>
>> Either solve the xdm_xserver_t versus user_xserver_t problem, which has
>> been much discussed, or grant the permission above, and rely on the
>> Xauthority mechanism to keep people from running xhost on other people's
>> servers.
>>
>> As to the former, I'm trying to get something working with setcon and my
>> GDM/pam_selinux patches.
>>
>>
>>> type=USER_AVC msg=audit(1213049927.653:135): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { blend } for request=X11:CreateWindow comm=gnome-session
>>> resid=800001 restype=WINDOW scontext=user_u:user_r:user_t:s0
>>> tcontext=user_u:object_r:user_t:s0 tclass=x_drawable :
>>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>> type=USER_AVC msg=audit(1213049927.656:136): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { blend } for request=X11:CreateWindow comm=gnome-session
>>> resid=800002 restype=WINDOW scontext=user_u:user_r:user_t:s0
>>> tcontext=user_u:object_r:user_t:s0 tclass=x_drawable :
>>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>>
>>
>> More blend errors.
>>
>>
>>> type=USER_AVC msg=audit(1213049927.659:137): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { getattr } for request=X11:QueryPointer comm=gnome-session
>>> xdevice="Virtual core pointer" scontext=user_u:user_r:user_t:s0
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
>>> tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>>> terminal=?)'
>>>
>>
>> The default label for devices is the server's context.  Another xdm / user
>> issue.
>>
>> My GDM/pam_selinux patches attempt to relabel the devices to the user's
>> context, the same way the terminal is relabeled when you log in at the
>> console.
>>
>>
>>> type=USER_AVC msg=audit(1213049927.661:138): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { use } for request=XKEYBOARD:SelectEvents comm=gnome-session
>>> xdevice="Virtual core keyboard" scontext=user_u:user_r:user_t:s0
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
>>> tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>>> terminal=?)'
>>> type=USER_AVC msg=audit(1213049927.661:139): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { use } for request=XKEYBOARD:SelectEvents comm=gnome-session
>>> xdevice="Virtual core keyboard" scontext=user_u:user_r:user_t:s0
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
>>> tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>>> terminal=?)'
>>> type=USER_AVC msg=audit(1213049927.661:140): user pid=2636 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>>>  { getattr setattr } for request=XKEYBOARD:PerClientFlags
>>> comm=gnome-session xdevice="Virtual core keyboard"
>>> scontext=user_u:user_r:user_t:s0
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
>>> tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
>>> terminal=?)'
>>>
>>
>> More device errors.
>>
>>> type=ANOM_ABEND msg=audit(1213049927.662:141): auid=500 uid=500
>>> gid=500 ses=4 subj=user_u:user_r:user_t:s0 pid=3280
>>> comm="gnome-session" sig=5
>>>
>>
>> Standard error handling behavior for the desktop.
>>
>>
>>
>>> type=CRED_DISP msg=audit(1213049927.674:142): user pid=2720 uid=0
>>> auid=500 ses=4 subj=system_u:system_r:xdm_t:s0-s15:c0.c1023
>>> msg='op=PAM:setcred acct="tedx" exe="/usr/libexec/gdm-session-worker"
>>> (hostname=?, addr=?, terminal=:0 res=success)'
>>> type=USER_END msg=audit(1213049927.697:143): user pid=2720 uid=0
>>> auid=500 ses=4 subj=system_u:system_r:xdm_t:s0-s15:c0.c1023
>>> msg='op=PAM:session_close acct="tedx"
>>> exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0
>>> res=success)'
>>>
>>
>>
>
>
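
The records quoted above are exactly what a practitioner has to turn into policy, and Eamon's point is that audit2allow does parse them. The following is an added example for this thread, not audit2allow itself and not code from anyone on the list: it does the same grouping audit2allow does (source type, target type, object class, merged permission set) over the USER_AVC records above, emits kernel-policy-language allow rules, and applies the one judgement the thread gives, namely that a lone `blend` denial on `x_drawable` from an ordinary user domain is cosmetic and should be dontaudited, while window-manager domains (the `WINDOW_MANAGER_DOMAINS` set is an assumed knob, empty here) keep an allow. The sample log is reconstructed from the quoted records and re-joined onto one line per record, as they appear in a real audit.log; the selection and device rules it prints are review material, since the thread identifies those denials as labeling problems rather than missing rules.

```python
"""Group X object-manager USER_AVC denials into candidate policy rules.

Added example for the thread; not audit2allow and not the project's code.
Records other than USER_AVC (ANOM_ABEND, CRED_DISP, ...) are skipped.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the thread's records, one per line as in audit.log.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1213049927.142:132): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { blend } for request=X11:CreateWindow comm=dbus-launch resid=800001 restype=WINDOW scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.144:133): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { setattr } for request=X11:SetSelectionOwner comm=dbus-launch selection=_DBUS_SESSION_BUS_SELECTION_tedx_caa2282936b539cb3e36c2ae4845ed0b scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xselection_t:s0 tclass=x_selection : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.227:134): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { manage } for request=X11:ChangeHosts comm=xhost scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tclass=x_server : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.653:135): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { blend } for request=X11:CreateWindow comm=gnome-session resid=800001 restype=WINDOW scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.656:136): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { blend } for request=X11:CreateWindow comm=gnome-session resid=800002 restype=WINDOW scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.659:137): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { getattr } for request=X11:QueryPointer comm=gnome-session xdevice="Virtual core pointer" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.661:138): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { use } for request=XKEYBOARD:SelectEvents comm=gnome-session xdevice="Virtual core keyboard" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.661:139): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { use } for request=XKEYBOARD:SelectEvents comm=gnome-session xdevice="Virtual core keyboard" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.661:140): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { getattr setattr } for request=XKEYBOARD:PerClientFlags comm=gnome-session xdevice="Virtual core keyboard" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 tclass=x_device : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=ANOM_ABEND msg=audit(1213049927.662:141): auid=500 uid=500 gid=500 ses=4 subj=user_u:user_r:user_t:s0 pid=3280 comm="gnome-session" sig=5
type=CRED_DISP msg=audit(1213049927.674:142): user pid=2720 uid=0 auid=500 ses=4 subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='op=PAM:setcred acct="tedx" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
"""

# Assumed knob: domains that legitimately need blend on every window
# (compositing window managers, per the thread). Empty in this sample.
WINDOW_MANAGER_DOMAINS = frozenset()

AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)
REQUEST_RE = re.compile(r"request=(\S+)")
COMM_RE = re.compile(r"comm=(\S+)")


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    request: str
    comm: str


def type_of(context):
    """user_u:user_r:user_t:s0-s15:c0.c1023 -> user_t (MLS range may contain ':')."""
    return context.split(":")[2]


def parse_user_avcs(text):
    """Yield a Denial for each USER_AVC record; other record types are skipped."""
    for line in text.splitlines():
        if not line.startswith("type=USER_AVC"):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        req = REQUEST_RE.search(line)
        comm = COMM_RE.search(line)
        yield Denial(
            perms=frozenset(m["perms"].split()),
            scontext=m["scontext"], tcontext=m["tcontext"], tclass=m["tclass"],
            request=req.group(1) if req else "?",
            comm=comm.group(1) if comm else "?",
        )


def group_denials(denials):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    groups = defaultdict(set)
    for d in denials:
        groups[(type_of(d.scontext), type_of(d.tcontext), d.tclass)] |= d.perms
    return groups


def format_rules(groups, window_manager_domains=WINDOW_MANAGER_DOMAINS):
    """Emit kernel-policy rules; lone blend on x_drawable from a non-WM domain is dontaudited."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        kind = "allow"
        if tclass == "x_drawable" and perms <= {"blend"} and stype not in window_manager_domains:
            kind = "dontaudit"  # cosmetic: the window gets a solid background instead
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {perm_str};")
    return rules


def rules_from_log(text):
    return format_rules(group_denials(parse_user_avcs(text)))


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

Run as a script it prints four rules: the blend group as a `dontaudit`, and `allow` rules for the `x_device`, `x_server` and `x_selection` groups. The `x_selection` rule is the one the thread says has no easy fix, because the target type only looks like `xselection_t` by default; a real policy would need the selection labeled properly first.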

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
