---------- Forwarded message ----------
From: Xavier Toth <txtoth@xxxxxxxxx>
Date: Thu, Jul 10, 2008 at 10:06 AM
Subject: Re: newrole assertion - should be gnome-terminal assertion
To: Stephen Smalley <sds@xxxxxxxxxxxxx>

On Thu, Jul 10, 2008 at 9:38 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> On Thu, 2008-07-10 at 09:33 -0500, Xavier Toth wrote:
>> On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> >
>> > On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
>> >> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@xxxxxxxxx> wrote:
>> >> > Stephen Smalley wrote:
>> >> >>
>> >> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
>> >> >>
>> >> >>>
>> >> >>> Using MLS enforcing in a gnome-terminal with context
>> >> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
>> >> >>> results
>> >> >>>
>> >> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
>> >> >>> Password:
>> >> >>> **
>> >> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
>> >> >>> failed: (profile)
>> >> >>>
>> >> >>>
>> >> >>> I think Joe straced this and has a little more info if he'd like to chime
>> >> >>> in.
>> >> >>>
>> >> >>
>> >> >> So, I assume that this does not happen if in permissive mode?
>> >> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
>> >> >> by default.
>> >> >>
>> >> >> What is the application trying to do at that point (look at the source
>> >> >> code and/or ask on the gnome lists)? What are the possible failure
>> >> >> conditions there? What external dependencies does it have?
>> >> >> strace output might help if you have it.
>> >> >>
>> >> >
>> >> > Sorry to have bothered you. Looks like it has something to do with
>> >> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
>> >> > previous versions even when polyinstantiating :(
>> >> >
>> >>
>> >> Hmmm this was a bit of a rush to judgment :( It actually turned out
>> >> that if I don't polyinstantiate /tmp then I can start gnome-terminal
>> >> as shown in permissive but it still doesn't work in enforcing. I tried
>> >> turning off dontaudit but I'm not seeing any AVC out of
>> >> gnome-terminal. I've attached a strace; maybe you'll see something that
>> >> I don't.
>> >
>> > Look for any avcs at all - they might be occurring during the
>> > polyinstantiation, or from dbus, or from the X server.
>> >
>> > Also, run the strace while permissive and diff the two strace outputs to
>> > see how they differ (imperfect, there will be noise, but helpful
>> > nonetheless).
>> >
>> > I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
>> > how many of those are expected/harmless.
>> >
>> > --
>> > Stephen Smalley
>> > National Security Agency
>> >
>>
>> Any idea how to capture strace output in enforcing? I've tried using
>> the -o option but strace can't write to tmp or the user's home dir in
>> enforcing.
>
> Not sure I follow - why can't it write to its polyinstantiated /tmp
> directory?
>
> --
> Stephen Smalley
> National Security Agency
>

You're right, that does work as long as you've got an instance directory at
the right level ;) which I didn't previously. The assertion points to a
problem of not having a 'profile' so I've looked through the strace output
but don't see anything that is related to loading 'profiles'.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
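The "diff the two strace outputs" step suggested in the quoted reply is tedious by hand because the two logs share a lot of noise (the ENOENTs on optional ~/.gnome2 files, for instance). The script below is an added example, not code from this thread or from the strace or SELinux projects: it parses two strace logs, keeps only syscalls that returned an errno, and reports the failures that appear under enforcing but not under permissive. It flags EACCES/EPERM results separately, since that is how an SELinux denial surfaces to the application, whereas ENOENT is ordinary application behaviour. The two embedded traces are constructed stand-ins for the real attachment; the paths, pids and socket names in them are made up.

```python
"""Added example: diff failing syscalls between a permissive-mode and an
enforcing-mode strace log, so that shared noise drops out.  Not from the
thread; the sample traces below are constructed, not the real attachment."""
import re
import sys
from typing import Dict, Iterable, List, Tuple

# One strace line: optional pid prefix, name(args) = retval [ERRNO (text)].
# "<... resumed>" and "+++ exited +++" lines do not match and are skipped.
_LINE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'
    r'(?P<call>[a-z_0-9]+)\((?P<args>.*)\)'
    r'\s*=\s*(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+))?'
)
_STR = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')  # first quoted arg, usually a path

Failure = Tuple[str, str, str]  # (syscall, first quoted argument or raw args, errno)


def parse_failures(trace: str) -> Dict[Failure, int]:
    """Every syscall that returned an errno, keyed by (call, path-ish arg, errno)."""
    seen: Dict[Failure, int] = {}
    for line in trace.splitlines():
        m = _LINE.match(line.strip())
        if not m or not m.group('errno'):
            continue  # not a syscall line, or the call succeeded
        arg = _STR.search(m.group('args'))
        key = (m.group('call'),
               arg.group(1) if arg else m.group('args')[:40],
               m.group('errno'))
        seen[key] = seen.get(key, 0) + 1
    return seen


def enforcing_only(permissive: str, enforcing: str) -> List[Failure]:
    """Failures seen under enforcing that never occurred under permissive."""
    baseline = parse_failures(permissive)
    return sorted(f for f in parse_failures(enforcing) if f not in baseline)


def likely_denials(failures: Iterable[Failure]) -> List[Failure]:
    """SELinux denials reach the caller as EACCES (or EPERM); keep only those."""
    return sorted(f for f in failures if f[2] in ('EACCES', 'EPERM'))


# Constructed sample traces (hypothetical paths and pids, not the real attachment).
PERMISSIVE_TRACE = """\
open("/home/ted/.gnome2/accels/gnome-terminal", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64("/home/ted/.gnome2/gnome-terminal", 0xbfa1c2e0) = -1 ENOENT (No such file or directory)
connect(6, {sa_family=AF_FILE, path="/tmp/.X11-unix/X0"}, 110) = 0
open("/tmp/orbit-ted/linc-1f2a-0-6c0e", O_RDWR|O_CREAT, 0600) = 7
connect(8, {sa_family=AF_FILE, path="/tmp/orbit-ted/linc-1a00-0-3b2d"}, 110) = 0
"""

ENFORCING_TRACE = """\
open("/home/ted/.gnome2/accels/gnome-terminal", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64("/home/ted/.gnome2/gnome-terminal", 0xbfa1c2e0) = -1 ENOENT (No such file or directory)
connect(6, {sa_family=AF_FILE, path="/tmp/.X11-unix/X0"}, 110) = 0
open("/tmp/orbit-ted/linc-1f2a-0-6c0e", O_RDWR|O_CREAT, 0600) = 7
connect(8, {sa_family=AF_FILE, path="/tmp/orbit-ted/linc-1a00-0-3b2d"}, 110) = -1 EACCES (Permission denied)
[pid  4123] write(2, "** ERROR:(terminal.c:1016)...", 60) = 60
"""


def main(argv: List[str]) -> None:
    # Usage: strace_diff.py permissive.log enforcing.log  (no args: built-in samples)
    if len(argv) == 3:
        with open(argv[1]) as p, open(argv[2]) as e:
            perm, enf = p.read(), e.read()
    else:
        perm, enf = PERMISSIVE_TRACE, ENFORCING_TRACE
    diff = enforcing_only(perm, enf)
    print(f"{len(parse_failures(enf))} failing calls under enforcing, "
          f"{len(diff)} not seen under permissive")
    for call, arg, err in diff:
        tag = "  <-- check audit.log for a matching AVC" if err in ('EACCES', 'EPERM') else ""
        print(f"  {call}({arg!r}) = -1 {err}{tag}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed input the shared ENOENTs on the ~/.gnome2 files cancel out and only the EACCES on the ORBit socket under /tmp remains, which is the kind of line worth matching against the audit log (after `semodule -DB`, as the thread says, so that dontaudit rules do not hide it). Real traces should be taken with the same `strace -f -o` invocation in both modes so the process set matches.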