SELinux Mailing List

Re: X avcs

From: Eamon Walsh <ewalsh_at_tycho.nsa.gov>
Date: Fri, 28 Dec 2007 14:34:35 -0500


Xavier Toth wrote:
> What about labeling notification-daemon as other gnome apps have been
> labeled (user_xpriv_t)?
>
> On Dec 26, 2007 3:01 PM, Xavier Toth <txtoth@gmail.com> wrote:
>
>> swo_u who is running ranged (systemlow-systemhigh) uses newrole to
>> launch an X windows app at systemhigh and then I get avcs like the
>> following:
>>
>> avc: denied { receive } for request=X11:ChangeWindowAttributes
>> comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW
>> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
>> avc: denied { get_property } for request=X11:GetProperty
>> comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW
>> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
>> avc: denied { receive } for comm=/usr/libexec/notification-daemon
>> event=X11:MapNotify scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_manage_xevent_t:s15:c0.c1023
>> tclass=x_event
>> avc: denied { receive } for comm=/usr/libexec/notification-daemon
>> event=X11:VisibilityNotify
>> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_default_xevent_t:s15:c0.c1023
>> tclass=x_event
>> avc: denied { receive } for comm=/usr/libexec/notification-daemon
>> event=X11:PropertyNotify scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_property_xevent_t:s15:c0.c1023
>> tclass=x_event
>> avc: denied { receive } for comm=/usr/libexec/notification-daemon
>> event=X11:FocusIn scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_focus_xevent_t:s15:c0.c1023
>> tclass=x_event
>> avc: denied { getattr } for request=X11:GetGeometry
>> comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW
>> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
>> avc: denied { read } for request=X11:GetProperty
>> comm=/usr/libexec/notification-daemon property=WM_NAME
>> scontext=swo_u:user_r:user_t:s0-s15:c0.c1023
>> tcontext=swo_u:object_r:user_default_xproperty_t:s15:c0.c1023
>> tclass=x_property
>>

These are all allowed by the TE rules. So I think this is an MLS issue.

I committed read-to-clearance and write-to-clearance interfaces and went ahead and granted read-to-clearance in the per-role template. The patch I committed is below. So update from SVN and see if that solves the problem.

Index: policy/modules/kernel/mls.if


  • policy/modules/kernel/mls.if (revision 2565) +++ policy/modules/kernel/mls.if (working copy) @@ -612,6 +612,26 @@ ######################################## ## <summary> ## Make specified domain MLS trusted +## for reading from X objects up to its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_xwin_read_to_clearance',` + gen_require(` + attribute mlsxwinreadtoclr; + ') + + typeattribute $1 mlsxwinreadtoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted ## for reading from X objects at any level. ## </summary> ## <param name="domain"> @@ -632,6 +652,26 @@ ######################################## ## <summary> ## Make specified domain MLS trusted +## for write to X objects up to its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_xwin_write_to_clearance',` + gen_require(` + attribute mlsxwinwritetoclr; + ') + + typeattribute $1 mlsxwinwritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted ## for writing to X objects at any level. ## </summary> ## <param name="domain"> Index: policy/modules/services/xwindows.if
  • policy/modules/services/xwindows.if (revision 2565) +++ policy/modules/services/xwindows.if (working copy) @@ -374,6 +374,7 @@ #
 	xwindows_domain_template($1,$1,$2,$3)
+	mls_xwin_read_to_clearance($2)
 
 	# FIXME: this domain should be removed
 	xwindows_domain_template($1,$1_xpriv,$1_xpriv_t,$3)
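Review bot: the new `mls_xwin_read_to_clearance` interface (first mls.if hunk, `@@ -612`) requires `attribute mlsxwinreadtoclr;`, but the patch touches only mls.if and xwindows.if, so neither the declaration of that attribute nor the MLS constraint that consults it is visible here; as posted, the interface only tags a type with an attribute, and the actual read-to-clearance behaviour depends on changes outside this diff. Please list the mls.te / constraint changes alongside so the reporter updating from SVN can confirm the constraint side is in as well.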
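Review bot: summary wording in the `mls_xwin_write_to_clearance` hunk (`@@ -632`) reads `## for write to X objects up to its clearance.` while the sibling interfaces say `for reading from` and `for writing to`; suggest `## for writing to X objects up to its clearance.` for consistency.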
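Review bot: in the xwindows.if hunk, `mls_xwin_read_to_clearance($2)` sits after the first `xwindows_domain_template($1,$1,$2,$3)` call, so it applies to the per-role user domain `$2` only; the `$1_xpriv_t` domain created by the second template call two lines below (the one marked FIXME) does not get it. If that asymmetry is deliberate, a one-line comment next to the call would save the next reader from wondering; if not, repeat the call for `$1_xpriv_t` or move it inside the template. Note also that the call is unconditional, so every domain instantiated through this template is trusted to read X objects up to its clearance; a tunable would let sites that want the stricter current-level rule keep it.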



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
Received on Fri 28 Dec 2007 - 14:34:53 EST
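The reasoning in the reply (the TE rules already allow these operations, so the denials must come from the MLS constraint, and a domain trusted to read up to its clearance would pass) can be checked mechanically against the AVC lines. The following is an added example, not code from the thread or from refpolicy: it parses the MLS part of scontext/tcontext, applies the dominance test, and reports whether a read-direction X denial is already MLS-clean, would be fixed by read-to-clearance, or lies beyond the domain's clearance. The constraint shape (low level dominates, or clearance dominates when trusted to clearance) and the sample lines are assumptions modelled on the thread.

```python
import re
from typing import NamedTuple

# Constructed sample modelled on the thread's AVCs: lines 1-2 are the ChangeWindowAttributes and
# WM_NAME denials re-joined onto one line each; lines 3-4 are invented variants for contrast.
SAMPLE_AVCS = """\
avc: denied { receive } for request=X11:ChangeWindowAttributes comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW scontext=swo_u:user_r:user_t:s0-s15:c0.c1023 tcontext=swo_u:object_r:user_t:s15:c0.c1023 tclass=x_drawable
avc: denied { read } for request=X11:GetProperty comm=/usr/libexec/notification-daemon property=WM_NAME scontext=swo_u:user_r:user_t:s0-s15:c0.c1023 tcontext=swo_u:object_r:user_default_xproperty_t:s15:c0.c1023 tclass=x_property
avc: denied { receive } for comm=/usr/libexec/notification-daemon event=X11:MapNotify scontext=swo_u:user_r:user_t:s0-s2:c0.c1023 tcontext=swo_u:object_r:user_manage_xevent_t:s15:c0.c1023 tclass=x_event
avc: denied { getattr } for request=X11:GetGeometry comm=/usr/libexec/notification-daemon resid=3800036 restype=WINDOW scontext=swo_u:user_r:user_t:s0-s15:c0.c1023 tcontext=swo_u:object_r:user_t:s0 tclass=x_drawable
"""

Level = NamedTuple("Level", [("sens", int), ("cats", frozenset)])
CTX_RE = re.compile(r"\b(scontext|tcontext)=(\S+)")

def parse_level(text):
    """Parse one MLS level such as 's15:c0.c1023' or 's3:c1,c4.c6' into a Level."""
    sens, _, cat_part = text.partition(":")
    cats = set()
    for piece in filter(None, cat_part.split(",")):
        lo, _, hi = piece.partition(".")   # 'c4.c6' means categories c4 through c6
        lo_n = int(lo[1:])
        cats.update(range(lo_n, (int(hi[1:]) if hi else lo_n) + 1))
    return Level(int(sens[1:]), frozenset(cats))

def parse_range(text):
    """Parse 'low-high' (or a single level, meaning low == high) into (low, high)."""
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """MLS dominance: a's sensitivity is at least b's and a holds every category b holds."""
    return a.sens >= b.sens and b.cats <= a.cats

def classify(avc_line):
    """What the MLS read constraint says about one read-direction X denial (assumed shape:
    low level dominates target, or clearance dominates target when trusted to clearance)."""
    ctx = dict(CTX_RE.findall(avc_line))
    low, high = parse_range(ctx["scontext"].split(":", 3)[3])  # user:role:type:mls
    target, _ = parse_range(ctx["tcontext"].split(":", 3)[3])
    if dominates(low, target):
        return "mls_read_ok"        # current level already dominates: look at TE instead
    if dominates(high, target):
        return "read_to_clearance"  # clearance (range high) dominates: read-to-clearance fixes it
    return "beyond_clearance"       # even the clearance does not reach the target level

def triage(log):
    """Classify every 'avc: denied' line in a log; assumes read-direction X permissions only."""
    return [classify(l) for l in log.splitlines() if "avc: denied" in l]
```

Write-direction permissions would go through the separate write constraint and the write-to-clearance attribute, which this example does not model.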
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009