Re: Information about XSELinux

On Thu, Jul 19, 2012 at 12:01 PM, Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
> Because the XSELinux extension is now in xorg source this is where the bug is located. I think it is an isolated case as the Xi services had been extended to introduce device ids 0 & 1 that are not real device IDs, this caused XSELinux a problem as they do not have devPrivates which means no context can be applied - hence crash.
>
> When X is built, xorg do check for errors in XSELinux as they have fixed an selabel_open problem.
>
> Richard
>
> --- On Thu, 19/7/12, Ole Kliemann <ole@xxxxxxxxxxxxxxx> wrote:
>
>> From: Ole Kliemann <ole@xxxxxxxxxxxxxxx>
>> Subject: Re: Information about XSELinux
>> To: "Richard Haines" <richard_c_haines@xxxxxxxxxxxxxx>
>> Cc: selinux@xxxxxxxxxxxxx
>> Date: Thursday, 19 July, 2012, 15:18
>> Thanks Richard, your X-setest tool is quite helpful to understand
>> what's going on.
>>
>> Under Ubuntu I compiled the xserver-xorg package and manually
>> enabled --enable-selinux. Now it's working here. (They are at
>> 1.11.4). I'm now writing a simple policy from scratch to extend
>> traditional linux user separation to X.
>>
>> I have one question though: This bug that appears under Fedora
>> and crashes the Xserver, is that a bug in the xorg sources or
>> something that came with patches from Fedora?
>>
>> And how often have things like this happened in the past? I'm
>> planning on using this on a production system and ask myself how
>> careful I will have to be with updates to xorg in the future.
>>
>> On Tue, Jul 17, 2012 at 03:22:46PM +0100, Richard Haines wrote:
>> > I've attached some updated XSELinux information that I've been
>> > working on for the next version of the SELinux Notebook (old
>> > XSELinux stuff at: http://selinuxproject.org/page/NB_XWIN).
>> >
>> > The XSELinux module is in the X source and always included with
>> > Fedora - I don't use other distributions so don't know whether
>> > they enable it in their builds or not. If they do build it, then
>> > you need the reference policy modules and then enable the xserver
>> > boolean as follows:
>> >
>> >      setsebool xserver_object_manager true
>> >
>> > I'm not sure what the current development status is but I've
>> > submitted a couple of patches (the last one for
>> > xorg-x11-server-1.12.2 as it core dumps when XSELinux is enabled
>> > with the above boolean).
>> >
>> > I've written a few apps to 'play with XSELinux' that are mentioned
>> > in the text. Let me know if you would like the source (tested on
>> > Fedora 16/17).
>> >
>> > I have not really done anything with the XSELinux reference policy
>> > modules as they come with Fedora and seem to work (well for my
>> > limited use anyway).
>> >
>> > Richard
>> >
>> > --- On Mon, 16/7/12, Ole Kliemann <ole@xxxxxxxxxxxxxxx> wrote:
>> >
>> > > From: Ole Kliemann <ole@xxxxxxxxxxxxxxx>
>> > > Subject: Information about XSELinux
>> > > To: selinux@xxxxxxxxxxxxx
>> > > Date: Monday, 16 July, 2012, 17:10
>> > > Hi everyone!
>> > >
>> > > I'm desperately trying to implement proper privilege separation
>> > > while using X.
>> > >
>> > > Currently I'm looking into XSELinux but am having a really hard
>> > > time finding any information, documentation etc.
>> > >
>> > > What's the development status?
>> > > Where can I get it?
>> > > Is it included in any major distributions? (Currently using
>> > > Ubuntu 12.04)
>> > >
>> > > Any hint on where to find information would be highly
>> > > appreciated!
>> > >
>> > > Many thanks in advance and best regards,
>> > > Ole
>> > >
>>
>>
>>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

FWIW we have a custom distro of RHEL 6 running MLS policy with X in
enforcing however as you might imagine getting all of this working was
non-trivial. Because of schedule/budget/complexity we do not run GNOME
but rather Openbox, fbpanel and idesk all of which we wrote policy
for. Many apps (Firefox, OpenOffice) require policy tweaks with many
of those due to our particular security requirements. We have dozens
of custom X applications all of which require policy modules. Getting
things like copy/paste to work under MLS is particularly challenging
because of lack of visibility into what the X server (XACE) is doing.

Ted
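The thread turns on two prerequisites: the X server has to be built with --enable-selinux (Ole's Ubuntu rebuild) and the xserver_object_manager boolean has to be on (Richard's setsebool line). The script below is an added example, not code from anyone in this thread, that checks both on a host before a policy is relied upon. It assumes the standard getsebool and xdpyinfo utilities, that getsebool prints its answer as `name --> on|off`, and that an XSELinux-enabled server lists an extension named "SELinux" in xdpyinfo output; the sample outputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for XSELinux.
# Assumes the stock SELinux userspace (getsebool) and X utilities
# (xdpyinfo); the boolean name comes from Richard's mail.

# Parse one line of `getsebool <bool>` output, e.g.
#   "xserver_object_manager --> on"
# Prints "on" or "off"; returns 1 if the line is not in that shape
# (getsebool prints an error instead when the boolean does not exist).
parse_sebool_state() {
    line=$1
    case "$line" in
        *" --> on")  echo on ;;
        *" --> off") echo off ;;
        *)           return 1 ;;
    esac
}

# Given the full text of `xdpyinfo`, succeed if the server advertises
# the SELinux extension (one indented "SELinux" line in the extension
# list). A server built without --enable-selinux never lists it, so a
# policy that assumes XSELinux would silently enforce nothing on X objects.
x_advertises_selinux() {
    printf '%s\n' "$1" | grep -qx '[[:space:]]*SELinux'
}

# Run both checks against the live system when the tools are present.
report_xselinux_status() {
    if command -v getsebool >/dev/null 2>&1; then
        state=$(parse_sebool_state "$(getsebool xserver_object_manager 2>/dev/null)") \
            || state=unknown
        echo "xserver_object_manager boolean: $state"
    else
        echo "getsebool not found: SELinux userspace tools are not installed"
    fi

    if command -v xdpyinfo >/dev/null 2>&1 && [ -n "$DISPLAY" ]; then
        if x_advertises_selinux "$(xdpyinfo 2>/dev/null)"; then
            echo "X server on $DISPLAY advertises the SELinux extension"
        else
            echo "X server on $DISPLAY does NOT advertise SELinux (built without --enable-selinux?)"
        fi
    else
        echo "xdpyinfo not found or DISPLAY unset: cannot query the X server"
    fi
}

report_xselinux_status
```

Both conditions must hold for XSELinux to actually label and check windows, selections and properties: the boolean alone does nothing against a server that was built without the extension, which is the situation Ole hit on Ubuntu before rebuilding xserver-xorg.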


