On Thu, 2008-06-19 at 17:33 -0500, Xavier Toth wrote:
> I'm seeing a number of AVCs out of gnome applications for a range of X
> extensions. Now I wondering about allowing access to X extensions. In
> general should apps be able to use any extension or are there specific
> one that need greater access control?
I can't really add anything to what Eamon said but there is one thing I
wanted to note:
> type=USER_AVC msg=audit(1213883755.647:918): user pid=23989 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { use } for request=XFree86-VidModeExtension:QueryVersion
> comm=gnome-screensaver extension=XFree86-VidModeExtension
> scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:directhw_xext_t:s0 tclass=x_extension :
> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
This extension gives direct access to hardware, so you may not want to
allow this one.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
