* can't start X window in enforce mode
From: lky @ 2003-10-12 18:37 UTC (permalink / raw)
To: SELINUX
Hi, I have eliminated all the denied messages in permissive mode. But when I change to the enforce mode I can't start X window now. The error message is below:
-----------------------------------------------------------------------------------------
...............
(EE) NV(0): Cannot open /dev/mem
................
Fatal server error:
xf86MapVidMem: failed to open /dev/mem (Permission denied)
................
XIO: fatal IO error 104 (Connection reset by peer) on X server ":0.0"
after 0 requests (0 known processed) with 0 events remaining.
-----------------------------------------------------------------------------------------
Why didn't the system display the denied message if the operation violated the policy? How should I configure my policy in order to start the X window?
Thanks!
* Re: can't start X window in enforce mode
From: Russell Coker @ 2003-10-12 22:11 UTC (permalink / raw)
To: lky, SELINUX
On Mon, 13 Oct 2003 04:37, lky wrote:
> Why the system didn't display the denied message if the
> operation violate the policy? How should I configure my policy in order to
> start the X window? Thanks!
# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;
The above is the relevant section of policy in
macros/program/xserver_macros.te. The X server tries to access /dev/mem even
if it doesn't need to. Change the dontaudit rule to an allow for
rw_file_perms and it should work.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: can't start X window in enforce mode
From: Michael Reilly @ 2003-10-12 23:15 UTC (permalink / raw)
To: lky; +Cc: SELINUX
I had both problems. I added the dontaudit memory devices
as mentioned in the file macros/program/xserver_macros.te.
I have the second problem and have not yet solved it. Nothing is logged
and I cannot figure out what is wrong.
BTW - on my system /dev/tty0 is the same file as /dev/console (both 4,0).
The man page indicates that it should be this way. I tried labeling
/dev/tty0 as console_device_t (like /dev/console) but that did not help.
michael
lky wrote:
> Hi, I have eliminated all the denied messages in permissive mode. But when I change to the enforce mode I can't start X window now. The error message is below:
> -----------------------------------------------------------------------------------------
> ...............
> (EE) NV(0): Cannot open /dev/mem
> ................
> Fatal server error:
> xf86MapVidMem: failed to open /dev/mem (Permission denied)
> ................
> XIO: fatal IO error 104 (Connection reset by peer) on X server ":0.0"
> after 0 requests (0 known processed) with 0 events remaining.
> -----------------------------------------------------------------------------------------
> Why didn't the system display the denied message if the operation violated the policy? How should I configure my policy in order to start the X window?
> Thanks!
--
---- ---- ----
Michael Reilly michaelr@cisco.com
Cisco Systems, Santa Cruz, CA
* Re: can't start X window in enforce mode
From: lky @ 2003-10-13 3:14 UTC (permalink / raw)
To: russell, SELINUX
On Monday, October 13, 2003 6:11 AM,Russell Coker wrote:
> # memory_device_t access is needed if not using the frame buffer
> dontaudit $1_xserver_t memory_device_t:chr_file read;
>
> The above is the relevant section of policy in
> macros/program/xserver_macros.te. The X server tries to access /dev/mem even
> if it doesn't need to. Change the dontaudit rule to an allow for
> rw_file_perms and it should work.
Absolutely right! It really works, thanks a lot!
* Re: can't start X window in enforce mode
From: Russell Coker @ 2003-10-13 7:52 UTC (permalink / raw)
To: Michael Reilly, lky; +Cc: SELINUX
On Mon, 13 Oct 2003 09:15, Michael Reilly wrote:
> I had both problems. I added the dontaudit memory devices
> as mentioned in the file macros/program/xserver_macros.te.
>
> I have the second problem and have not yet solved it. Nothing is logged
> and I cannot figure out what is wrong.
Try doing
grep -v dontaudit policy.conf > new-policy
mv new-policy policy.conf
Then load the policy and see what happens.
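Russell's advice in the thread comes in two forms: rewrite one specific dontaudit rule as an allow (the /dev/mem case in xserver_macros.te), or strip every dontaudit rule from policy.conf so the denials they hide get logged (`grep -v dontaudit`). The script below is an added example, not code from the thread or from the SELinux policy sources. It parses type-enforcement access-vector rules from policy text, keeps a `{ ... }` permission set that spans several lines together (a line-oriented grep would leave half of such a rule behind and would also delete comments that merely mention the word), and implements both rewrites. The policy excerpt is constructed for the example; only the two memory_device_t lines are the ones quoted in the thread.

```python
"""Rewrite SELinux type-enforcement (TE) policy text: strip every dontaudit
rule so the denials it hides get logged, or promote one dontaudit rule to an
allow with a wider permission set, as done for the X server's /dev/mem access.

The policy excerpt below is constructed for this example (only the two
memory_device_t lines come from the thread); it is not the real
xserver_macros.te or policy.conf.
"""
import re

SAMPLE_POLICY = """\
# Constructed excerpt in the style of macros/program/xserver_macros.te.
# The dontaudit rules below hide denials; grep -v would delete this comment too.
allow $1_xserver_t self:capability { setuid setgid };
# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;
dontaudit $1_xserver_t self:capability {
    dac_override
    dac_read_search
};
can_network($1_xserver_t)
allow $1_xserver_t tty_device_t:chr_file rw_file_perms;
"""

# An access-vector rule after whitespace normalisation:
#   <kind> <source> <target>:<class> <perm | { perm ... }> ;
# Source and target may be a single type or a brace-delimited set.
RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit|auditallow|neverallow) "
    r"(?P<src>\{[^}]*\}|\S+) "
    r"(?P<tgt>\{[^}]*\}|[^:\s]+):(?P<cls>\S+) "
    r"(?P<perms>\{[^}]*\}|[^\s;]+) ?;$"
)


def iter_statements(text):
    """Yield the policy as units: blank and comment-only lines as they are,
    and each statement joined into one string. A statement ends at ';'
    (or at ')' for an m4 macro call), so a `{ ... }` set spread over several
    lines stays together instead of being cut up line by line."""
    buf = []
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()   # drop a trailing comment
        if not buf and not code:
            yield line
            continue
        buf.append(line)
        if code.endswith((";", ")")):
            yield "\n".join(buf)
            buf = []
    if buf:                                     # unterminated tail: keep it
        yield "\n".join(buf)


def parse_rule(stmt):
    """Parse one statement into a dict, or return None when it is not an
    access-vector rule (type declarations, macro calls and so on)."""
    m = RULE_RE.match(" ".join(stmt.split()))
    if not m:
        return None
    rule = m.groupdict()
    rule["perms"] = rule["perms"].strip("{}").split()
    return rule


def strip_dontaudit(text):
    """Remove every dontaudit rule. Returns (new_text, removed_rules)."""
    kept, removed = [], []
    for unit in iter_statements(text):
        rule = parse_rule(unit)
        if rule and rule["kind"] == "dontaudit":
            removed.append(rule)
        else:
            kept.append(unit)
    return "\n".join(kept) + "\n", removed


def promote_dontaudit(text, src, tgt, cls, new_perms):
    """Rewrite the dontaudit rule for (src, tgt, cls) as an allow rule
    granting new_perms: a permission name, a policy macro such as
    rw_file_perms, or a '{ a b }' set. Returns (new_text, rules_rewritten)."""
    out, count = [], 0
    for unit in iter_statements(text):
        rule = parse_rule(unit)
        if (rule and rule["kind"] == "dontaudit"
                and (rule["src"], rule["tgt"], rule["cls"]) == (src, tgt, cls)):
            out.append(f"allow {src} {tgt}:{cls} {new_perms};")
            count += 1
        else:
            out.append(unit)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    stripped, removed = strip_dontaudit(SAMPLE_POLICY)
    print(f"stripped {len(removed)} dontaudit rule(s):")
    for r in removed:
        print(f"  {r['src']} {r['tgt']}:{r['cls']} {' '.join(r['perms'])}")
    fixed, n = promote_dontaudit(SAMPLE_POLICY, "$1_xserver_t",
                                 "memory_device_t", "chr_file", "rw_file_perms")
    print(f"\npromoted {n} rule(s); resulting policy:\n{fixed}")
```

Run it directly to see both rewrites printed. Stripping dontaudit rules is a debugging step, not a configuration to leave in place: once the real denial is known, grant only that access and put the dontaudit rules back. On current systems the same debugging step is built into the tooling as `semodule -DB` (rebuild the loaded policy with dontaudit rules disabled) and `semodule -B` to restore them, which is what the Makefile target asked for in this thread became.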
* Re: can't start X window in enforce mode
From: Stephen Smalley @ 2003-10-14 15:00 UTC (permalink / raw)
To: Russell Coker; +Cc: Michael Reilly, lky, SELINUX
On Mon, 2003-10-13 at 03:52, Russell Coker wrote:
> On Mon, 13 Oct 2003 09:15, Michael Reilly wrote:
> > I had both problems. I added the dontaudit memory devices
> > as mentioned in the file macros/program/xserver_macros.te.
> >
> > I have the second problem and have not yet solved it. Nothing is logged
> > and I cannot figure out what is wrong.
>
> Try doing
> grep -v dontaudit policy.conf > new-policy
> mv new-policy policy.conf
>
> Then load the policy and see what happens.
There should likely be a policy Makefile target to generate and load
a policy that does not suppress any auditing.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: can't start X window in enforce mode
From: Michael Reilly @ 2003-10-14 19:02 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Russell Coker, lky, SELINUX
I agree :-)
I did find the problem - the X server needed DAC_OVERRIDE. This was logged
as soon as I removed the dontaudit's.
michael
On 14 Oct 2003 11:00:47 -0400
Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Mon, 2003-10-13 at 03:52, Russell Coker wrote:
> > On Mon, 13 Oct 2003 09:15, Michael Reilly wrote:
> > > I had both problems. I added the dontaudit memory devices
> > > as mentioned in the file macros/program/xserver_macros.te.
> > >
> > > I have the second problem and have not yet solved it. Nothing is
> > > logged and I cannot figure out what is wrong.
> >
> > Try doing
> > grep -v dontaudit policy.conf > new-policy
> > mv new-policy policy.conf
> >
> > Then load the policy and see what happens.
>
> There should likely be a policy Makefile target to generate and load
> a policy that does not suppress any auditing.
>
* Re: can't start X window in enforce mode
From: Russell Coker @ 2003-10-15 0:18 UTC (permalink / raw)
To: Michael Reilly; +Cc: SELINUX
On Wed, 15 Oct 2003 05:02, Michael Reilly wrote:
> I did find the problem - the X server needed DAC_OVERRIDE. This was logged
> as soon as I removed the dontaudit's
Why did it need DAC_OVERRIDE?
Why not DAC_READ_SEARCH?
* Re: can't start X window in enforce mode
From: Michael Reilly @ 2003-10-15 0:26 UTC (permalink / raw)
To: russell; +Cc: SELINUX
Didn't try DAC_READ_SEARCH yet (that is part of this evening's project). The
dontaudit line was for DAC_OVERRIDE so I just commented out that line and
added DAC_OVERRIDE to the other capabilities.
michael
On Wed, 15 Oct 2003 10:18:09 +1000
Russell Coker <russell@coker.com.au> wrote:
> On Wed, 15 Oct 2003 05:02, Michael Reilly wrote:
> > I did find the problem - the X server needed DAC_OVERRIDE. This was
> > logged as soon as I removed the dontaudit's
>
> Why did it need DAC_OVERRIDE?
>
> Why not DAC_READ_SEARCH?
>
* Re: can't start X window in enforce mode
From: Michael Reilly @ 2003-10-16 1:43 UTC (permalink / raw)
To: russell; +Cc: SELINUX
Tried last night with DAC_READ_SEARCH instead of DAC_OVERRIDE - X server no
go. Same error about /dev/tty0 not being found.
If it matters I am running the VESA frame buffer X server. The HW vendor
used an ATI video chip in a non-standard way to integrate a flat panel
display so the ATI server doesn't find the flat panel.
michael
On Wed, 15 Oct 2003 10:18:09 +1000
Russell Coker <russell@coker.com.au> wrote:
> On Wed, 15 Oct 2003 05:02, Michael Reilly wrote:
> > I did find the problem - the X server needed DAC_OVERRIDE. This was
> > logged as soon as I removed the dontaudit's
>
> Why did it need DAC_OVERRIDE?
>
> Why not DAC_READ_SEARCH?
>
* Re: can't start X window in enforce mode
From: Russell Coker @ 2003-10-16 3:17 UTC (permalink / raw)
To: Michael Reilly; +Cc: SELINUX
On Thu, 16 Oct 2003 11:43, Michael Reilly wrote:
> Tried last night with DAC_READ_SEARCH instead of DAC_OVERRIDE - X server no
> go. Same error about /dev/tty0 not being found.
>
> If it matters I am running the VESA frame buffer X server. The HW vendor
> used an ATI video chip in a non-standard way to integrate a flat panel
> display so the ATI server doesn't find the flat panel.
The VESA frame buffer should not be a problem; it's what I use.
There may be some issues related to the differences between Debian and Red Hat
X servers; I have not yet managed to get X working on a Red Hat machine due
to kernel issues and lack of trying.
In any case I've changed my policy to allow dac_override. It doesn't make any
sense to allow setuid and setgid but deny dac_override.
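Once the dontaudit rules are out of the way, the denials Michael saw show up as AVC records, and the remaining question in the thread is whether to grant dac_override or the narrower dac_read_search. The script below is an added example, not code from the thread and not audit2allow. It parses AVC denial lines, merges them into one candidate allow rule per source type, target type and class, and flags every dac_override request with a check on whether the same domain was also denied write-type file access, because CAP_DAC_READ_SEARCH bypasses only read and directory-search checks while CAP_DAC_OVERRIDE bypasses read, write and execute checks. The log lines are constructed in the 2.4/2.6-era AVC format (the exe path, pid and inode numbers are made up), not captured from a real host.

```python
"""Turn SELinux AVC denial records into candidate allow rules and flag
capability grants that deserve narrowing.

The log lines below are constructed for this example in the 2.4/2.6-era AVC
format (the exe path, pid and inode numbers are made up); they were not
captured from a real host.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct 14 10:02:11 host kernel: avc:  denied  { read } for  pid=812 exe=/usr/X11R6/bin/XFree86 path=/dev/mem dev=03:02 ino=1201 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Oct 14 10:02:11 host kernel: avc:  denied  { dac_override } for  pid=812 exe=/usr/X11R6/bin/XFree86 capability=1 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=capability
Oct 14 10:02:11 host kernel: avc:  denied  { read write } for  pid=812 exe=/usr/X11R6/bin/XFree86 path=/dev/tty0 dev=03:02 ino=1310 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Oct 14 10:02:12 host kernel: avc:  granted  { setuid } for  pid=812 exe=/usr/X11R6/bin/XFree86 capability=7 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=capability
Oct 14 10:02:12 host kernel: some unrelated kernel message
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# File-class permissions that CAP_DAC_READ_SEARCH cannot satisfy: it bypasses
# only read and directory-search checks, while CAP_DAC_OVERRIDE bypasses
# read, write and execute checks.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "link"}


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "path": fields.get("path"),
    }


def type_of(context):
    """user:role:type -> type (the part TE rules are written against)."""
    return context.split(":")[2]


def summarise(lines):
    """Group denials by (source type, target type, class), merging the
    permissions requested; granted records and non-AVC lines are skipped."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return dict(groups)


def candidate_rules(groups):
    """One allow rule per group, in the form a policy file would accept."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        target = "self" if cls == "capability" and src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def review_notes(groups):
    """Flag dac_override requests and say whether the narrower
    dac_read_search could plausibly cover what the same domain was denied."""
    notes = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        if cls != "capability" or "dac_override" not in perms:
            continue
        file_perms = set()
        for (s, _, c), p in groups.items():
            if s == src and c != "capability":
                file_perms |= p
        blocked = sorted(file_perms & WRITE_LIKE)
        if blocked:
            notes.append(f"{src}: dac_override is plausibly needed, write-type "
                         f"access was also denied: {blocked}")
        else:
            notes.append(f"{src}: only read/search access seen, try "
                         f"dac_read_search before granting dac_override")
    return notes


if __name__ == "__main__":
    groups = summarise(SAMPLE_LOG.splitlines())
    for rule in candidate_rules(groups):
        print(rule)
    for note in review_notes(groups):
        print("note:", note)
```

The generated rules are a starting point for review, not something to paste into the policy unread: the merge step deliberately collects every permission a domain was denied, and it is the reviewer's job to decide which of them the program actually needs (as the thread does for /dev/mem and the capability bits) before turning a candidate into an allow.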
* Re: can't start X window in enforce mode
From: Russell Coker @ 2003-10-16 15:57 UTC (permalink / raw)
To: Kratzer, James R., SELinux (E-mail)
On Fri, 17 Oct 2003 00:21, Kratzer, James R. wrote:
> I'm trying to get X-windows to start with enforce set to "1" without any
> luck. I have moved the xserver.te file from the domains/program/unused
> directory to the domains/program directory. I have changed the dontaudit
> line to allow as described here in the email below. Any help would be
> appreciated.
We really can't help until you provide more information.
When you have the dontaudit rules removed, what avc messages are logged when
you try to run the X server?
What messages does the X server log to syslog?
What messages does it display on the terminal?
How are you running the X server? Do you type "startx" after logging in or do
you use an XDM program?
* RE: can't start X window in enforce mode
From: Kratzer, James R. @ 2003-10-16 14:21 UTC (permalink / raw)
To: SELinux (E-mail)
I'm trying to get X-windows to start with enforce set to "1" without any
luck. I have moved the xserver.te file from the domains/program/unused
directory to the domains/program directory. I have changed the dontaudit
line to allow as described here in the email below. Any help would be
appreciated.
-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Sunday, October 12, 2003 6:11 PM
To: lky; SELINUX
Subject: Re: can't start X window in enforce mode
On Mon, 13 Oct 2003 04:37, lky wrote:
> Why the system didn't display the denied message if the
> operation violate the policy? How should I configure my policy in order to
> start the X window? Thanks!
# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;
The above is the relevant section of policy in
macros/program/xserver_macros.te. The X server tries to access /dev/mem even
if it doesn't need to. Change the dontaudit rule to an allow for
rw_file_perms and it should work.