[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Stephen Smalley <sds () tycho ! nsa ! gov>
Date:       2008-02-25 14:24:59
Message-ID: 1203949499.2804.188.camel () moss-spartans ! epoch ! ncsc ! mil
[Download RAW message or body]


On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
> On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > If I turn on xserver_object_manager in rawhide and log in as staff_t in
> > permissive mode, I get all sorts of things failing, which makes writing
> > policy for it very difficult.  And is very broken.
> 
> Hmmm...as I understood it, XSELinux should follow the kernel's enforcing
> status by default (i.e. if the kernel is permissive, then so should
> XSELinux), unless you explicitly configure enforcing= in xorg.conf to
> specify a different setting for the X server than the kernel.  You are
> supposed to be able to make the X server permissive w/o making the
> kernel permissive via xorg configuration, I believe, although I'm not
> sure that made it into the rawhide xorg yet.

Doesn't look like the rawhide xorg server has that support yet.

But it should follow the kernel's enforcing status.  You should see log
messages with "received setenforce notice (enforcing=...)" in them from
both dbus and X in either /var/log/messages or /var/log/audit/audit.log.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]