SELinux Mailing List

[Fwd: Re: [Fwd: f8 X policy]]

From: Ted X Toth <txtoth_at_gmail.com>
Date: Mon, 17 Dec 2007 16:08:04 -0600


Sorry I should have put this on the list.

attached mail follows:


On Mon, 2007-12-17 at 15:32 -0500, Stephen Smalley wrote:
> On Mon, 2007-12-17 at 15:18 -0500, Christopher J. PeBenito wrote:
> > On Mon, 2007-12-17 at 14:59 -0500, Eamon Walsh wrote:
> > > -------- Original Message --------
> > > Subject: f8 X policy
> > > Date: Mon, 17 Dec 2007 13:37:54 -0600
> > > From: Xavier Toth <txtoth@gmail.com>
> > > To: Eamon Walsh <ewalsh@tycho.nsa.gov>
> > >
> > >
> > >
> > > I'm starting to look more closely at X-related AVCs and have some
> > > questions related to file contexts. Looking at the xserver.fc I see
> > > that there are defaults for tmp files and directories with level s0.
> > > So when clients at level try to write X0, AVCs like:
> > >
> > > type=AVC msg=audit(1197913061.254:3125): avc: denied { write } for
> > > pid=15405 comm="QBrowser" name="X0" dev=dm-0 ino=25853956
> > > scontext=user_u:user_r:user_t:s2:c0.c254
> > > tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
> > >
> > > occur. I'm thinking this is an mls constraint violation and I'm trying
> > > to figure out how to deal with it. What do you think?
> >
> > It is indeed an MLS denial, so the options would be:
> >
> > 1. make xdm_tmp_t ranged
> > 2. make xdm_tmp_t a trusted object
> >
> > The more I look at it, the more they look like the same option.
> > Opinions?
>
> Can we get a discrete type applied to that socket file that is not used
> for any other file? So that we are only making that socket a MLS
> trusted object and no other /tmp file created by X?

Yes, I think that is another option. It only seems useful in the MLS policy though. We could add an xdm_socket_t that is an alias of xdm_tmp_t in the standard (TE-only) or MCS configs. Or is there a reason to keep it separate in all cases?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 17 Dec 2007 - 17:10:38 EST
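As an added example (not part of the thread or of any policy code), here is a small Python checker that parses an AVC record like the one Xavier quoted and reports when a write-like denial crosses MLS levels, which is what separates this MLS constraint denial from a plain missing TE rule. The regex, the helper names and the sample audit line are constructed here.

```python
import re

# Constructed sample, modelled on the denial quoted in the thread above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1197913061.254:3125): avc: denied { write } for '
    'pid=15405 comm="QBrowser" name="X0" dev=dm-0 ino=25853956 '
    'scontext=user_u:user_r:user_t:s2:c0.c254 '
    'tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions covered by the MLS file-write constraints (levels must match).
WRITE_LIKE = {'write', 'append', 'create', 'setattr', 'unlink', 'rename', 'link'}


def parse_context(ctx):
    """Split user:role:type[:level]; the level is absent on a non-MLS kernel."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed context: {ctx}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def low_level(level):
    """Low end of a level or range: 's0-s15:c0.c1023' -> 's0'."""
    return level.split('-', 1)[0]


def mls_write_mismatch(line):
    """Return details when a write-like denial crosses MLS levels, else None.

    MLS lets a subject write a file or socket only at its own level unless the
    object type is MLS-trusted, so a mismatch points at the thread's options.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m['perms'].split()) & WRITE_LIKE
    if not perms:
        return None
    src, tgt = parse_context(m['scontext']), parse_context(m['tcontext'])
    if src['level'] is None or tgt['level'] is None:
        return None  # no MLS labels at all: a plain TE denial
    if low_level(src['level']) == low_level(tgt['level']):
        return None  # same level: not an MLS level mismatch
    return {'perms': sorted(perms), 'tclass': m['tclass'],
            'subject': (src['type'], src['level']),
            'object': (tgt['type'], tgt['level'])}
```

Running `mls_write_mismatch(SAMPLE_AVC)` flags the s2 client writing the s0-labelled xdm_tmp_t socket; the same line with matching levels or a read permission is not reported.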
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service