On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> > On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> >> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> >>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >>>> this is showing up with the latest Mainline kernel.
> >>>> gdm craps out..:
> >>>>
> >>>> [ 60.817] (II) Unloading synaptics
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.881] (II) UnloadModule: "mouse"
> >>>> [ 60.881] (II) Unloading mouse
> >>>>
> >>>>
> >>>> full xorg.0.log is here:
> >>>> http://fpaste.org/OOM2/
> >>>>
> >>>> Justin P. Mattock
> >>>
> >>> seems doing a bisect right now during the merge window is breaking,
> >>> anyways looking through the commits I think this:
> >>>
> >>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >>>
> >>>
> >>> might be what I am hitting, causing gdm to die out, as it starts.
> >>>
> >>> any ideas?
> >>>
> >>> Justin P. Mattock
> >>
> >> not sure if anybody is seeing this or hitting this with the current,
> >> but reverting the above commit does not fix the problem.
> >> will try another bisect(hopefully)
> >
> > Are you sure it is a kernel issue? Seems more likely that it would be a
> > policy problem. What AVC denials are you getting?
> >
> >
> strange.. was not even thinking of the avc's because the policy has
> already been customized and has been working for a while now without
> adding any rules.
>
> Anyways you're right, seems the labels get changed or something with this
> kernel or something:
> http://fpaste.org/w4nK/

audit(1300983537.941:34): security_compute_sid: invalid context system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable

This looks like it might be a kernel regression after all.
security_compute_sid should return object_r for tclass x_drawable, not
system_r. Likely due to the recent changes there to support socket type
transitions. Not sure exactly what is going wrong, as it should only
happen on the socket classes.

--
Stephen Smalley
National Security Agency
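
Added example, not part of the original thread and not kernel or policy code: a Python triage helper that parses `security_compute_sid: invalid context` audit records and applies the rule stated in the message above, flagging records whose computed role differs from the expected one. The function names and the rule that only `process` and classes ending in `socket` inherit the creator's role are assumptions of this example.

```python
import re

AUDIT_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<newcon>\S+) for "
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def role_of(context):
    """Role field of an SELinux context (user:role:type[:mls-range])."""
    return context.split(":")[1]

def inherits_role(tclass):
    # Assumption for this example: "process" and any class whose name ends in
    # "socket" keep the creator's role; every other class gets object_r.
    return tclass == "process" or tclass.endswith("socket")

def triage(line):
    """Return None for unrelated lines, else a summary of the record."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    tclass = m.group("tclass")
    computed = role_of(m.group("newcon"))
    expected = role_of(m.group("scon")) if inherits_role(tclass) else "object_r"
    return {
        "tclass": tclass,
        "computed_role": computed,
        "expected_role": expected,
        "role_mismatch": computed != expected,
    }

# The audit record quoted in the message above, plus one unrelated Xorg line.
SAMPLE = [
    "audit(1300983537.941:34): security_compute_sid: invalid context "
    "system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for "
    "scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable",
    '[ 60.881] (II) UnloadModule: "mouse"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        result = triage(line)
        if result and result["role_mismatch"]:
            print("{tclass}: computed role {computed_role}, "
                  "expected {expected_role}".format(**result))
```

A record flagged this way points at the role computation rather than at missing allow rules, which is the distinction the thread turns on.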