On Wed, Jun 11, 2008 at 4:59 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
> Xavier Toth wrote:
>>
>> On Wed, Jun 11, 2008 at 8:48 AM, Ted X Toth <txtoth@xxxxxxxxx> wrote:
>>
>>> Eamon Walsh wrote:
>>>
>>>> Xavier Toth wrote:
>>>>
>>>> [snip]
>>>>
>>>>> Now I'm looking at the USER_AVCs and trying to figure out how to
>>>>> translate those into policy. Will audit2allow be updated to help with
>>>>> generating rules for the X USER_AVCs?
>>>>
>>>> The stock audit2allow parses my audit.log just fine. It doesn't work
>>>> for you?
>>>>
>>>>> For those who haven't seen the X user space object manager AVCs here
>>>>> are some examples:
>>>>> type=USER_AVC msg=audit(1213049927.142:132): user pid=2636 uid=0
>>>>> auid=4294967295 ses=4294967295
>>>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
>>>>> { blend } for request=X11:CreateWindow comm=dbus-launch resid=800001
>>>>> restype=WINDOW scontext=user_u:user_r:user_t:s0
>>>>> tcontext=user_u:object_r:user_t:s0 tclass=x_drawable :
>>>>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>>>
>>>> This is a program attempting to create a window with no background. The
>>>> denial will cause the window background to be filled in with a solid
>>>> color.
>>>>
>>>> Dontaudit should work here.
>>>>
>>>> However, window managers do need the blend permission (on all windows).
>>>> The "compositing" feature requires this permission.
>>>>
>>>>> type=USER_AVC msg=audit(1213049927.144:133): user pid=2636 uid=0
>>>>> auid=4294967295 ses=4294967295
>>>>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
>>>>> { setattr } for request=X11:SetSelectionOwner comm=dbus-launch
>>>>> selection=_DBUS_SESSION_BUS_SELECTION_tedx_caa2282936b539cb3e36c2ae4845ed0b
>>>>> scontext=user_u:user_r:user_t:s0
>>>>> tcontext=system_u:object_r:xselection_t:s0 tclass=x_selection :
>>>>> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>>>>
>>>> This is a known issue. I have not found an explanation yet for the
>>>> purpose of these D-BUS selections.
>>>>
>>>> There is no easy solution here. The selabel system cannot handle these
>>>> funky names. Even if there were regexp support, as Chris has indicated the
>>>> name contains a username, implying that it should be labeled with a
>>>> derived type.
>>>>
>>>> I think the "dbus-launch" program needs to undergo surgery to either not
>>>> create these things or to label them explicitly.
>>>
>>> If I were to do this I'd use either SetSelectionCreateContext or
>>> SetSelectionUseContext, could you explain the difference between them and
>>> which I should use?
>>
>> I also will need to compute a new context from the process and default
>> selection contexts but I'd need an object class definition
>> (SECCLASS_XSELECTION?) which I don't think exists yet does it?
>
> Use class x_selection. To find its value dynamically, you can use the
> following code.
>
> #include <selinux/selinux.h>
>
> /* selinux_set_mapping() numbers the classes in map order starting at 1,
>  * so the first (and only) entry below becomes class 1. */
> #define THE_CLASS 1
>
> struct security_class_mapping map[] = {
>     { "x_selection", { NULL } },  /* class named above (posted snippet read x_drawable) */
>     { NULL }
> };
>
> if (selinux_set_mapping(map) < 0) {
>     /* probably don't have class - skip SELinux stuff */
> }
>
> Then use THE_CLASS (or just "1") as the class value in your code.
>
> Lots of questions about these interfaces lately - I need to write man pages
> for them.

Agreed.
>
> --
> Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> National Security Agency
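The two X USER_AVC records quoted above and the audit2allow question, as an added example that is not part of the thread: a Python parser for X USER_AVC records that merges the denials into audit2allow-style rules, writing the blend denial as dontaudit as Eamon suggests. The log records are constructed from the two quoted in the thread, and the rule text mimics audit2allow output.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on the two X USER_AVC denials quoted in the thread
# (one record per line, as audit.log stores them).
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1213049927.142:132): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { blend } for request=X11:CreateWindow comm=dbus-launch resid=800001 restype=WINDOW scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213049927.144:133): user pid=2636 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { setattr } for request=X11:SetSelectionOwner comm=dbus-launch selection=_DBUS_SESSION_BUS_SELECTION_tedx_caa2282936b539cb3e36c2ae4845ed0b scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xselection_t:s0 tclass=x_selection : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
"""

# The object manager's message sits inside msg='...': pull out the denied permissions,
# the key=value fields that follow "for", and the object class.
AVC_RE = re.compile(r"type=USER_AVC .*?msg='avc: +denied +\{ (?P<perms>[^}]+)\} +for +"
                    r"(?P<fields>.*?) +tclass=(?P<tclass>\S+)")

@dataclass
class Denial:
    perms: set
    tclass: str
    stype: str    # type field of scontext
    ttype: str    # type field of tcontext
    fields: dict  # request=, comm=, selection=, ... as logged

def parse_user_avc(line):
    """Return a Denial for an X USER_AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return Denial(set(m.group("perms").split()), m.group("tclass"),
                  fields["scontext"].split(":")[2], fields["tcontext"].split(":")[2], fields)

def generate_rules(log_text, dontaudit=frozenset({("x_drawable", "blend")})):
    """Merge denials per (source type, target type, class) as audit2allow does and emit
    allow rules, except for (class, perm) pairs in dontaudit.  The default follows the
    thread: a denied 'blend' only costs the window its transparent background."""
    merged = {}
    for line in log_text.splitlines():
        d = parse_user_avc(line)
        if d is not None:
            merged.setdefault((d.stype, d.ttype, d.tclass), set()).update(d.perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype  # audit2allow writes self for same-type
        quiet = {p for p in perms if (tclass, p) in dontaudit}
        for verb, ps in (("dontaudit", quiet), ("allow", perms - quiet)):
            if ps:
                rules.append(f"{verb} {stype} {target}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return rules
```

Running generate_rules(SAMPLE_LOG) yields a dontaudit rule for the blend denial on x_drawable and an allow rule for setattr on xselection_t:x_selection; pass an empty dontaudit set to get plain allow rules for everything.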