Xavier Toth wrote:
On Wed, Jun 11, 2008 at 8:48 AM, Ted X Toth <txtoth@xxxxxxxxx> wrote:
Eamon Walsh wrote:
Xavier Toth wrote:
[snip]
Now I looking at the USER_AVCs and trying to figure out how to
translate those into policy. Will audit2allow be updated to help with
generating rules for the X USER_AVCs?
The stock audit2allow parses my audit.log just fine. It doesn't work for
you?
For those who haven't seen the X user space object manager AVCs here
are some examples:
type=USER_AVC msg=audit(1213049927.142:132): user pid=2636 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
{ blend } for request=X11:CreateWindow comm=dbus-launch resid=800001
restype=WINDOW scontext=user_u:user_r:user_t:s0
tcontext=user_u:object_r:user_t:s0 tclass=x_drawable :
exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
This is a program attempting to create a window with no background. The
denial will cause the window background to be filled in with a solid color.
Dontaudit should work here.
However, window managers do need the blend permission (on all windows).
The "compositing" feature requires this permission.
type=USER_AVC msg=audit(1213049927.144:133): user pid=2636 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
{ setattr } for request=X11:SetSelectionOwner comm=dbus-launch
selection=_DBUS_SESSION_BUS_SELECTION_tedx_caa2282936b539cb3e36c2ae4845ed0b
scontext=user_u:user_r:user_t:s0
tcontext=system_u:object_r:xselection_t:s0 tclass=x_selection :
exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
This is a known issue. I have not found an explanation yet for the
purpose of these D-BUS selections.
There is no easy solution here. The selabel system cannot handle these
funky names. Even if there was regexp support, as Chris has indicated the
name contains a username, implying that it should be labeled with a derived
type.
I think the "dbus-launch" program needs to undergo surgery to either not
create these things or to label them explicitly.
If I were to do this I'd use either SetSelectionCreateContext or
SetSelectionUseContext, could you explain the difference between them and
which I should use?
I also will need to compute a new context from the process and default
selection contexts but I'd need an object class definition
(SECCLASS_XSELECTION?) which I don't think exists yet does it?
Use class x_selection. To find it's value dynamically, you can use the
following code.
#define THE_CLASS 1
security_class_mapping map[] = { { "x_drawable", { NULL } }, { NULL } };
if (selinux_set_mapping(map) < 0)
/* probably don't have class - skip SELinux stuff */
Then use THE_CLASS (or just "1") as the class value in your code.
Lots of questions about these interfaces lately - I need to write man
pages for them.
--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
