[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Eamon Walsh <ewalsh () tycho ! nsa ! gov>
Date:       2008-02-25 20:33:32
Message-ID: 47C3261C.1070508 () tycho ! nsa ! gov
[Download RAW message or body]

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Stephen Smalley wrote:
>   
>> On Mon, 2008-02-25 at 09:48 -0500, Daniel J Walsh wrote:
>>     
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Stephen Smalley wrote:
>>>       
>>>> On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
>>>>         
>>>>> On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote:
>>>>>           
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> If I turn on xserver_object_manager in rawhide and log in as staff_t in
>>>>>> permissive mode, I get all sorts of things failing, which makes writing
>>>>>> policy for it very difficult.  And is very broken.
>>>>>>             
>>>>> Hmmm...as I understood it, XSELinux should follow the kernel's enforcing
>>>>> status by default (i.e. if the kernel is permissive, then so should
>>>>> XSELinux), unless you explicitly configure enforcing= in xorg.conf to
>>>>> specify a different setting for the X server than the kernel.  You are
>>>>> supposed to be able to make the X server permissive w/o making the
>>>>> kernel permissive via xorg configuration, I believe, although I'm not
>>>>> sure that made it into the rawhide xorg yet.
>>>>>           
>>>> Doesn't look like the rawhide xorg server has that support yet.
>>>>
>>>> But it should follow the kernel's enforcing status.  You should see log
>>>> messages with "received setenforce notice (enforcing=...)" in them from
>>>> both dbus and X in either /var/log/messages or /var/log/audit/audit.log.
>>>>
>>>>         
>>> Looking at the code, I do not see security_getenforce() in the code.
>>> Are you saying that this is not necessary, the kernel will return
>>> allowed but generate the AVC?
>>>       
>> Handling of enforcing status is hidden within the userspace AVC in
>> libselinux (libselinux/src/avc*.c).  avc_enforcing stores the current
>> value of the enforcing status and is updated when the kernel generates
>> the setenforce notification.  avc_setenforce is set if the object
>> manager explicitly sets its own enforcing mode to a specific value to
>> override the kernel status.
>>
>>     
>>> And the only one who mentions setenforce in /var/log/audit/audit.log in
>>> dbus not X?
>>>       
>> Hmmm...that's seems like a bug in X then, that it isn't getting the
>> notifications from the kernel (via netlink).
>>
>>     
> Yes XAce seems to be very broken in Rawhide.  Enforcing mode was working
> until I fixed the policy to allow xserver to talk to /selinux and run
> the validation routines.  Now xace is blowing up both in permissive and
> enforcing mode.
>
> Trying to start nm-applet is getting a BadWindow error.
>
> If you update to todays rawhide and try to login in permissive mode,
> metacity and gconf will blow up.
>   

I'll investigate the blowing up today.  I'm puzzled by the BadWindow 
error; permission denials should always be indicated by "BadAccess".  
This may be the bug fixed by the errno patch I posted on Friday.

There is no support for configuring the X server in permissive/enforcing 
in xorg.conf.  You can disable it from xorg.conf, but if it is not 
disabled, it will follow the system setting.  I proposed adding support 
for this to /etc/selinux/config, which was shot down on the list.  I 
have not moved forward with adding a permissive/enforcing switch to Xorg.

The X object manager logs all avc's and status messages (including the 
AVC netlink stuff) through the audit system using libaudit calls 
(audit_log_user_avc_message, etc.)   I disavow all responsibility for 
the messages once they enter libaudit.


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]