* "denied null" AVCs from qemu-kvm with latest rawhide policy
@ 2009-01-06 18:46 Tom London
2009-01-06 21:09 ` Eamon Walsh
0 siblings, 1 reply; 2+ messages in thread
From: Tom London @ 2009-01-06 18:46 UTC (permalink / raw)
To: SELinux List
Running the latest Fedora rawhide policy packages
(selinux-policy-targeted-3.6.2-2.fc11.noarch,
selinux-policy-3.6.2-2.fc11.noarch), I observe the following "null"
AVCs reported in /var/log/Xorg.0.log:
(WW) avc: denied null for request=X11:MapWindow comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
exaCopyDirty: Pending damage region empty!
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:QueryPointer comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
(WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
xdevice="Virtual core keyboard"
scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
Doesn't appear that they affect the running process (qemu-kvm, in this case).
What are they and does something need to be adjusted?
Thanks,
tom
--
Tom London
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: "denied null" AVCs from qemu-kvm with latest rawhide policy
2009-01-06 18:46 "denied null" AVCs from qemu-kvm with latest rawhide policy Tom London
@ 2009-01-06 21:09 ` Eamon Walsh
0 siblings, 0 replies; 2+ messages in thread
From: Eamon Walsh @ 2009-01-06 21:09 UTC (permalink / raw)
To: Tom London; +Cc: SELinux List
Tom London wrote:
> Running the latest Fedora rawhide policy packages
> (selinux-policy-targeted-3.6.2-2.fc11.noarch,
> selinux-policy-3.6.2-2.fc11.noarch), I observe the following "null"
> AVCs reported in /var/log/Xorg.0.log:
>
It's probably a bad security hook callsite. I'll investigate this. The
server's operation shouldn't be affected.
Thanks for the report.
>
> (WW) avc: denied null for request=X11:MapWindow comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> exaCopyDirty: Pending damage region empty!
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:QueryPointer comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> (WW) avc: denied null for request=X11:GetInputFocus comm=qemu-kvm
> xdevice="Virtual core keyboard"
> scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
>
> Doesn't appear that they affect the running process (qemu-kvm, in this case).
>
> What are they and does something need to be adjusted?
>
> Thanks,
> tom
>
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2009-01-06 21:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-01-06 18:46 "denied null" AVCs from qemu-kvm with latest rawhide policy Tom London
2009-01-06 21:09 ` Eamon Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.