On Sat, 2008-06-28 at 22:23 +0000, Justin Mattock wrote:
> Hello; after seeing all of these posts about xserver I couldn't help
> but to try MLS policy.
> As the same results a few months back it seems there isn't any support
> for this policy yet to work with xserver is there?
> e.g. from what I see after allowing most of the avc's, I'm left with
> these that seem to keep appearing upon a reboot:
>
> allow insmod_t kernel_t:process setsched;
> allow kernel_t bluetooth_t:socket write;
> allow sysadm_sudo_t devpts_t:dir search;
> allow sysadm_xserver_t memory_device_t:chr_file { read write };
> <------ I can't start X without this one here.
> allow syslogd_t var_log_t:file append;
>
> I think it's the same with hid2hci --tohci upon wakeup, the ioctl or
> node is changed resulting in a new avc's for that device.
> Is there going to be support to use MLS in the future or is it too
> much of a security risk.(xserver).

The X server only has relatively well tested TE policy right now, and
only in the non object manager sense. The object manager TE policy is
still early and needs more time to mature. The MLS policy for the X
server is being looked at now, but still has a ways to go.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150