Dominick Grift wrote:
> On Tue, 2009-05-19 at 23:11 -0400, Eamon Walsh wrote:
>
>
>> I found the cause of the "x_device" null avc's. It was a bad hook call.
>>
>> I'm still stumped on the GLXMakeCurrent null avc's though. I can't
>> reproduce the problem here running glxinfo/glxgears. I suspect it
>> depends on the video driver / acceleration architecture being used.
>>
>
> For what it is worth, that particular system has nvidia geforce 8600M GT and is using the proprietary blob (kmod-nvidia)
>
> Thanks
>
If you're willing to compile the X server from source, you could apply
the attached patch and use gdb to attach to the running X server (this
has to be done over an ssh connection).
Break on the SELinuxNullPermissionHappened function and reproduce the
GLXMakeCurrent avc, hopefully the breakpoint will fire and you can get a
backtrace.
Also there is another patch that will fix the x_device null avc's
(attached).
--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3a6f096..c0b9c19 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -424,6 +424,13 @@ SELinuxTypeToClass(RESTYPE type)
return knownTypes[type];
}
+int
+SELinuxNullPermissionHappened(void)
+{
+ ErrorF("SELinux: null permission!\n");
+ return 0;
+}
+
/*
* Performs an SELinux permission check.
*/
@@ -438,6 +445,9 @@ SELinuxDoCheck(SELinuxSubjectRec *subj, SELinuxObjectRec *obj,
auditdata->command = subj->command;
errno = 0;
+ if (mode == DixUnknownAccess)
+ SELinuxNullPermissionHappened();
+
if (avc_has_perm(subj->sid, obj->sid, class, mode, &subj->aeref,
auditdata) < 0) {
if (mode == DixUnknownAccess)
diff --git a/configure.ac b/configure.ac
index daddd09..5fd9cb1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1219,7 +1219,7 @@ PKG_CHECK_MODULES([XSERVERLIBS], [$REQUIRED_LIBS])
# XSERVER_SYS_LIBS is the set of out-of-tree libraries which all servers
# require.
#
-XSERVER_CFLAGS="${XSERVERCFLAGS_CFLAGS} ${SHA1_CFLAGS}"
+XSERVER_CFLAGS="${XSERVERCFLAGS_CFLAGS} ${SHA1_CFLAGS} -O0 -g3"
XSERVER_LIBS="$DIX_LIB $CONFIG_LIB $MI_LIB $OS_LIB"
XSERVER_SYS_LIBS="${XSERVERLIBS_LIBS} ${SYS_LIBS} ${LIBS} ${SHA1_LIB}"
AC_SUBST([XSERVER_LIBS])
commit 3cea176d5abcb0f14eefbdcbe17fed0847524dd4
Author: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
Date: Tue May 19 19:30:33 2009 -0400
xace: Fix a bad device access hook call.
Add a proper access mode, and reverse the logic of the return value.
Zero ("Success") is returned on success from the hook calls.
Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
diff --git a/dix/events.c b/dix/events.c
index 157f9a8..b3caec8 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -4088,10 +4088,10 @@ CoreFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, WindowPtr pWin)
{
xKeymapEvent ke;
ClientPtr client = clients[CLIENT_ID(pWin->drawable.id)];
- if (XaceHook(XACE_DEVICE_ACCESS, client, dev, FALSE))
- memmove((char *)&ke.map[0], (char *)&dev->key->down[1], 31);
- else
+ if (XaceHook(XACE_DEVICE_ACCESS, client, dev, DixReadAccess))
bzero((char *)&ke.map[0], 31);
+ else
+ memmove((char *)&ke.map[0], (char *)&dev->key->down[1], 31);
ke.type = KeymapNotify;
DeliverEventsToWindow(dev, pWin, (xEvent *)&ke, 1,
