[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2008-02-25 19:28:47
Message-ID: 47C316EF.5090206 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Mon, 2008-02-25 at 09:48 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Stephen Smalley wrote:
>>> On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
>>>> On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> If I turn on xserver_object_manager in rawhide and log in as staff_t in
>>>>> permissive mode, I get all sorts of things failing, which makes writing
>>>>> policy for it very difficult.  And is very broken.
>>>> Hmmm...as I understood it, XSELinux should follow the kernel's enforcing
>>>> status by default (i.e. if the kernel is permissive, then so should
>>>> XSELinux), unless you explicitly configure enforcing= in xorg.conf to
>>>> specify a different setting for the X server than the kernel.  You are
>>>> supposed to be able to make the X server permissive w/o making the
>>>> kernel permissive via xorg configuration, I believe, although I'm not
>>>> sure that made it into the rawhide xorg yet.
>>> Doesn't look like the rawhide xorg server has that support yet.
>>>
>>> But it should follow the kernel's enforcing status.  You should see log
>>> messages with "received setenforce notice (enforcing=...)" in them from
>>> both dbus and X in either /var/log/messages or /var/log/audit/audit.log.
>>>
>> Looking at the code, I do not see security_getenforce() in the code.
>> Are you saying that this is not necessary, the kernel will return
>> allowed but generate the AVC?
> 
> Handling of enforcing status is hidden within the userspace AVC in
> libselinux (libselinux/src/avc*.c).  avc_enforcing stores the current
> value of the enforcing status and is updated when the kernel generates
> the setenforce notification.  avc_setenforce is set if the object
> manager explicitly sets its own enforcing mode to a specific value to
> override the kernel status.
> 
>> And the only one who mentions setenforce in /var/log/audit/audit.log in
>> dbus not X?
> 
> Hmmm...that's seems like a bug in X then, that it isn't getting the
> notifications from the kernel (via netlink).
> 
Yes XAce seems to be very broken in Rawhide.  Enforcing mode was working
until I fixed the policy to allow xserver to talk to /selinux and run
the validation routines.  Now xace is blowing up both in permissive and
enforcing mode.

Trying to start nm-applet is getting a BadWindow error.

If you update to todays rawhide and try to login in permissive mode,
metacity and gconf will blow up.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfDFu4ACgkQrlYvE4MpobM2dQCfXP1SkniRYwFpx/tBKMJyNLK7
WkEAmwcUaOmOJtYZwbmRTrqOgrRb8r6l
=N2VI
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]