
List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Eamon Walsh <ewalsh () tycho ! nsa ! gov>
Date:       2008-02-26 1:12:07
Message-ID: 47C36767.7030503 () tycho ! nsa ! gov

Eamon Walsh wrote:
> The X object manager logs all avc's and status messages (including the 
> AVC netlink stuff) through the audit system using libaudit calls 
> (audit_log_user_avc_message, etc.)   I disavow all responsibility for 
> the messages once they enter libaudit

It's being black-holed in rawhide.  To see for yourself, add the 
attached patch to the spec file and rebuild the xserver from SRPM.  It 
will tee the avc messages into /var/log/Xorg.0.log.

Also, pull libselinux from upstream.  The BadWindow error may be fixed.

You'll have to report to me what you see in the X server output.  I'm 
seeing tons of avc's: it doesn't appear as though staff_t is even 
getting X permissions allowed.





-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


["xserver-1.4.99-xselinux-debug.patch" (text/x-patch)]

From d4112defb9ab2b099c67a0a7c2ae7ac772d67751 Mon Sep 17 00:00:00 2001
From: Stupid McStupidson <stupid@example.com>
Date: Mon, 7 Jan 2008 15:41:22 -0500
Subject: Debugging Test

---
--- a/Xext/xselinux.c.orig	2008-02-25 18:43:14.000000000 -0500
+++ a/Xext/xselinux.c	2008-02-25 18:44:14.000000000 -0500
@@ -496,6 +496,8 @@
     vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
     rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
     va_end(ap);
+
+    ErrorF("%s", buf);
     return 0;
 }
 
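Review bot: The added ErrorF("%s", buf) drops the one value that would show whether libaudit is discarding the message: rc from audit_log_user_avc_message() is assigned on the line above and never used, and the function returns 0 regardless. For a patch whose purpose is to find out why AVCs are being black-holed, print rc with the message, for example ErrorF("audit rc=%d: %s\n", rc, buf). The explicit newline also matters here: unless every fmt passed in already ends in one, consecutive AVC records will run together on a single line in /var/log/Xorg.0.log. The commit message "Debugging Test" should also say that this tees AVC output to the X server log and is not meant to be merged.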
