On Mon, Jun 30, 2008 at 12:23 PM, Christopher J. PeBenito <cpebenito@xxxxxxxxxx> wrote:
> On Sat, 2008-06-28 at 22:23 +0000, Justin Mattock wrote:
>> Hello; after seeing all of these posts about xserver I couldn't help
>> but to try MLS policy.
>> As the same results a few months back it seems there isn't any support
>> for this policy yet to work with xserver is there?
>> e.g. from what I see after allowing most of the avc's, I'm left with
>> these that seem to keep appearing upon a reboot:
>>
>> allow insmod_t kernel_t:process setsched;
>> allow kernel_t bluetooth_t:socket write;
>> allow sysadm_sudo_t devpts_t:dir search;
>> allow sysadm_xserver_t memory_device_t:chr_file { read write };
>> <------ I can't start X without this one here.
>> allow syslogd_t var_log_t:file append;
>>
>> I think it's the same with hid2hci --tohci upon wakeup, the ioctl or
>> node is changed resulting in a new avc's for that device.
>> Is there going to be support to use MLS in the future or is it too
>> much of a security risk (xserver).
>
> The X server only has relatively well tested TE policy right now, and
> only in the non object manager sense. The object manager TE policy is
> still early and needs more time to mature. The MLS policy for the X
> server is being looked at now, but still has a ways to go.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

Thanks for the response and info,
I have to say I really like what I see with MLS.
As for now using refpolicy (standard) is just fine.
But when I see the different sensitivity levels and categories, I can't help
but want to know how to use a policy with those features.
Anyways; time will tell, with what happens.
regards;

--
Justin P. Mattock