On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@xxxxxxxxx> wrote:
> > Stephen Smalley wrote:
> >>
> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
> >>
> >>> Using MLS enforcing in a gnome-terminal with context
> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
> >>> results:
> >>>
> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
> >>> Password:
> >>> **
> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
> >>> failed: (profile)
> >>>
> >>> I think Joe straced this and has a little more info if he'd like to chime
> >>> in.
> >>>
> >>
> >> So, I assume that this does not happen if in permissive mode?
> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
> >> by default.
> >>
> >> What is the application trying to do at that point (look at the source
> >> code and/or ask on the gnome lists)? What are the possible failure
> >> conditions there? What external dependencies does it have?
> >> strace output might help if you have it.
> >>
> >
> > Sorry to have bothered you. Looks like it has something to do with
> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
> > previous versions even when polyinstantiating :(
> >
>
> Hmmm, this was a bit of a rush to judgment :( It actually turned out
> that if I don't polyinstantiate /tmp then I can start gnome-terminal
> as shown in permissive, but it still doesn't work in enforcing. I tried
> turning off dontaudit but I'm not seeing any AVC out of
> gnome-terminal. I've attached a strace; maybe you'll see something that
> I don't.

Look for any AVCs at all - they might be occurring during the
polyinstantiation, or from dbus, or from the X server. Also, run the
strace while permissive and diff the two strace outputs to see how they
differ (imperfect, there will be noise, but helpful nonetheless). I see
quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure how
many of those are expected/harmless.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
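The "diff the permissive and enforcing strace outputs" step suggested above, as an added example that is not part of the thread and not the attached strace. It assumes plain strace output (no `-f` PID prefix) and uses constructed log lines; the point is to separate failures that appear in both runs (expected noise such as the ENOENTs on .gnome2 files) from syscalls that only fail once the policy is enforced, which is where an unlogged denial is most likely hiding.

```shell
#!/bin/sh
# Added example (not from the original thread): reduce two strace logs to
# "syscall path ERRNO" tuples and report the failures that occur only in
# the enforcing-mode run. Every log line below is a constructed sample.
export LC_ALL=C

PERMISSIVE_LOG=$(mktemp)
ENFORCING_LOG=$(mktemp)
trap 'rm -f "$PERMISSIVE_LOG" "$ENFORCING_LOG"' EXIT

# Constructed sample: run under permissive mode (denials logged, not enforced).
cat > "$PERMISSIVE_LOG" <<'EOF'
open("/home/user/.gnome2/accels/gnome-terminal", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/user/.gconf/apps/gnome-terminal/%gconf.xml", O_RDONLY) = 5
connect(6, {sa_family=AF_FILE, path="/tmp/.ICE-unix/1234"}, 110) = 0
stat64("/home/user/.gnome2/gnome-terminal", {st_mode=S_IFDIR}) = -1 ENOENT (No such file or directory)
EOF

# Constructed sample: the same program run under enforcing mode.
cat > "$ENFORCING_LOG" <<'EOF'
open("/home/user/.gnome2/accels/gnome-terminal", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/user/.gconf/apps/gnome-terminal/%gconf.xml", O_RDONLY) = -1 EACCES (Permission denied)
connect(6, {sa_family=AF_FILE, path="/tmp/.ICE-unix/1234"}, 110) = -1 EACCES (Permission denied)
stat64("/home/user/.gnome2/gnome-terminal", {st_mode=S_IFDIR}) = -1 ENOENT (No such file or directory)
EOF

# failed_syscalls LOG: print one "syscall path ERRNO" line per failed call.
# The path is the first quoted string on the line, or "-" if there is none.
failed_syscalls() {
    grep ' = -1 E' "$1" | while IFS= read -r line; do
        call=$(printf '%s\n' "$line" | sed -E 's/^([0-9]+ +)?([a-z0-9_]+)\(.*/\2/')
        path=$(printf '%s\n' "$line" | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p')
        err=$(printf '%s\n' "$line" | sed -E 's/.*= -1 (E[A-Z]+).*/\1/')
        printf '%s %s %s\n' "$call" "${path:--}" "$err"
    done
}

# enforcing_only PERMISSIVE_LOG ENFORCING_LOG: failures present in the
# enforcing run but absent from the permissive run. Both sides are
# sorted and de-duplicated so comm(1) can compare them.
enforcing_only() {
    p=$(mktemp); e=$(mktemp)
    failed_syscalls "$1" | sort -u > "$p"
    failed_syscalls "$2" | sort -u > "$e"
    comm -13 "$p" "$e"
    rm -f "$p" "$e"
}

echo "Failures seen only in enforcing mode:"
enforcing_only "$PERMISSIVE_LOG" "$ENFORCING_LOG"
```

With the constructed logs the two ENOENTs drop out as noise and only the EACCES on the gconf profile file and the ICE socket connect remain; each of those is a candidate to check against the audit log (including with dontaudit rules disabled via `semodule -DB`, as suggested earlier in the thread).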