
List:       selinux
Subject:    Re: Permissive mode for xace is broken.
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2008-02-26 13:09:25
Message-ID: 47C40F85.60407 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>> Eamon Walsh wrote:
>>> The X object manager logs all AVCs and status messages (including the 
>>> AVC netlink stuff) through the audit system using libaudit calls 
>>> (audit_log_user_avc_message, etc.). I disavow all responsibility for 
>>> the messages once they enter libaudit.
>> It's being black-holed in rawhide.  To see for yourself, add the 
>> attached patch to the spec file and rebuild the xserver from SRPM.  It 
>> will tee the avc messages into /var/log/Xorg.0.log.
> 
> Looking at the corresponding code in dbus, I see that dbus is calling
> both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
> vsyslog(LOG_INFO...) with the message.
> 
> Can you verify that the X server was able to create the audit socket
> successfully?
> 
> Things that could go wrong:
> - X server uses privilege bracketing (switching uids or capabilities)
> and lacks the necessary audit capabilities.
> - X server shuts down all descriptors _after_ you've opened the audit
> socket, thereby closing it down too.
> - Policy doesn't allow X server to write audit messages (requires
> audit_write capability and netlink_audit_socket perms).
> 
> Dan, what policy are you using?  trunk?  or xselinux branch?
> I don't think Chris has merged xselinux branch to trunk yet, or that it
> is necessarily safe to work from that branch (i.e. things could change
> as part of the merge in an incompatible way).
> 
>> Also, pull libselinux from upstream.  The BadWindow error may be fixed.
>>
>> You'll have to report to me what you see in the X server output.  I'm 
>> seeing tons of AVCs: it doesn't appear as though staff_t is even 
>> getting X permissions allowed.
>>
I have merged changes from the xselinux into the Fedora pool.  I am now
seeing AVC messages in /var/log/audit/audit.log with an unreleased
policy.  My current policy does not generate AVCs with staff_t, but in
permissive mode/without the xserver_object_manager boolean set, lots of
X apps (toolbar apps) fail with BadWindow.  In enforcing mode with the
xserver_object_manager boolean set they are also failing.  I have
updated to the latest libselinux and am still seeing the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfED4QACgkQrlYvE4MpobPcQwCguQfD9qHcfDQV+Zy12JqUJREz
RAIAnihuzWBm5dU66RDMHamaHoScH1OJ
=UfCr
-----END PGP SIGNATURE-----
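As an added example (not code from this thread, the X server or libaudit), the program below checks the first two items in Stephen's "things that could go wrong" list from inside a process: whether the effective capability set still carries CAP_AUDIT_WRITE (capability bit 29 in the CapEff line of /proc/self/status), and whether a "close every descriptor" sweep run after the audit socket was opened silently takes that socket with it. The netlink socket creation, the /proc parsing and the sweep helper are my assumptions about how such a daemon would be written, not the X server's code; libaudit is deliberately not linked so the program builds anywhere. The third item (policy granting audit_write and netlink_audit_socket) is a policy question and is not checked here.

```c
/* Added example: diagnose two of the ways an audit socket can stop working.
 * Assumes Linux. CAP_AUDIT_WRITE is capability bit 29 (kernel constant). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netlink.h>   /* NETLINK_AUDIT */
#endif

#define CAP_AUDIT_WRITE_BIT 29

/* Given a CapEff value as printed in /proc/self/status (a hex string, e.g.
 * "0000003fffffffff"), report whether CAP_AUDIT_WRITE is in the mask. */
int cap_audit_write_in_mask(const char *hex)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    return (int)((mask >> CAP_AUDIT_WRITE_BIT) & 1ULL);
}

/* Read this process's CapEff line. Returns 1 if CAP_AUDIT_WRITE is present,
 * 0 if absent, -1 if /proc is unreadable. Privilege bracketing that drops
 * capabilities before the audit call shows up here as 0. */
int process_has_cap_audit_write(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_audit_write_in_mask(line + 7); /* strtoull skips the tab */
            break;
        }
    }
    fclose(f);
    return result;
}

/* Is this descriptor still open? fcntl(F_GETFD) fails with EBADF if not. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* The kind of descriptor sweep a server runs at startup, restricted to a
 * range so it is safe to call in a test. Every fd in [lo, hi] except keep
 * is closed; the bug the thread describes is running such a sweep after the
 * audit socket exists without exempting it. */
void close_range_except(int lo, int hi, int keep)
{
    for (int fd = lo; fd <= hi; fd++)
        if (fd != keep)
            close(fd);
}

/* Open two descriptors, sweep keeping only the first, and report whether the
 * sweep behaved: 1 = kept fd survived and the other was closed, 0 otherwise. */
int sweep_demo(void)
{
    int keep = open("/dev/null", O_RDONLY);
    int other = open("/dev/null", O_RDONLY);
    if (keep < 0 || other < 0)
        return 0;
    int lo = keep < other ? keep : other;
    int hi = keep < other ? other : keep;
    close_range_except(lo, hi, keep);
    int ok = fd_is_open(keep) && !fd_is_open(other);
    close(keep);
    return ok;
}

int main(void)
{
    int cap = process_has_cap_audit_write();
    printf("CAP_AUDIT_WRITE in effective set: %s\n",
           cap < 0 ? "unknown" : cap ? "yes" : "no");
#ifdef __linux__
    /* Raw audit netlink socket, the same family libaudit uses internally. */
    int audit_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (audit_fd < 0) {
        perror("socket(AF_NETLINK, NETLINK_AUDIT)");
        return 1;
    }
    /* Simulate the mistake: sweep without exempting the audit socket. */
    close_range_except(audit_fd, audit_fd, -1);
    printf("audit socket survived the sweep: %s\n",
           fd_is_open(audit_fd) ? "yes" : "no");
#endif
    printf("correct sweep keeps its exempted fd: %s\n",
           sweep_demo() ? "yes" : "no");
    return 0;
}
```

Run it as the same uid and in the same SELinux context as the X server (or call the two checks from the server's own startup path) to separate the capability problem from the descriptor problem; if both pass and the message still never reaches the log, what remains is policy, which is the AVC denial on netlink_audit_socket that audit.log itself would show.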

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.