* Tutorial on setting up SELinux / X Server
@ 2009-12-03  3:22 Tyler Durvik
  2009-12-04  3:07 ` Eamon Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Tyler Durvik @ 2009-12-03  3:22 UTC (permalink / raw)
  To: fedora-selinux-list, selinux

Greetings,

I am looking for a tutorial, or instructions, on how to set up an X
Server to work with SELinux.  I have fedora 12 installed and ready to
go.  Does anyone have links/pages to where I may find this
information?

Thanks

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Tutorial on setting up SELinux / X Server
  2009-12-03  3:22 Tutorial on setting up SELinux / X Server Tyler Durvik
@ 2009-12-04  3:07 ` Eamon Walsh
  2009-12-04 15:59   ` Tyler Durvik
  0 siblings, 1 reply; 4+ messages in thread
From: Eamon Walsh @ 2009-12-04  3:07 UTC (permalink / raw)
  To: Tyler Durvik; +Cc: fedora-selinux-list, selinux

On 12/02/2009 10:22 PM, Tyler Durvik wrote:
> Greetings,
>
> I am looking for a tutorial, or instructions, on how to set up an X
> Server to work with SELinux.  I have fedora 12 installed and ready to
> go.  Does anyone have links/pages to where I may find this
> information?
>
> Thanks
>   


Turn on the xserver_object_manager boolean and restart X, as described
by Dominick.  AVCs generated by X will go in Xorg.0.log as well as
audit.log (as type "USER_AVC").

The current X policy in F12 probably will generate AVCs on a full
desktop session.  There is a much improved X policy upstream that is not
in F12 yet.  I will bug Dan to ship it in his next update.

If you want to run the X server in permissive mode but keep the rest of
the system enforcing put the following in xorg.conf:

Section "Module"
        SubSection "extmod"
                Option "SELinux mode permissive"
        EndSubSection
EndSection




-- 

Eamon Walsh 
National Security Agency


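The reply above says that, once the boolean is on, denials from the X server land in audit.log as USER_AVC records rather than plain AVC records, so the usual `grep AVC` habit misses them and audit2allow has to be told to read them. The following is an added example, not code from the thread or from the SELinux project: a small Python parser that pulls the X object manager's USER_AVC records out of audit.log, counts denials per source type, target type, class and permission, and prints audit2allow-style allow rules for review. The sample records, their contexts, request names and timestamps are constructed for the example; the field layout (a nested `msg='avc: denied { perms } for ... scontext= tcontext= tclass='` string) follows the shape of real USER_AVC lines but should be checked against your own log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit.log extract: three USER_AVC records of the kind the
# X server's object manager emits once xserver_object_manager is on, plus one
# ordinary kernel AVC that the parser must skip.  Contexts, request names and
# timestamps are made up for the example.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1259900000.101:201): pid=1717 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { read } for request=XInputExtension:GetDeviceMotionEvents comm=gnome-settings- xdevice="Virtual core pointer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xevent_t:s0 tclass=x_device : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1259900000.102:202): pid=1717 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { read } for request=XInputExtension:GetDeviceMotionEvents comm=gnome-settings- xdevice="Virtual core pointer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xevent_t:s0 tclass=x_device : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1259900000.103:203): pid=1717 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc:  denied  { get_property set_property } for request=X11:ChangeProperty comm=metacity scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xproperty_t:s0 tclass=x_property : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1259900000.104:204): avc:  denied  { read } for  pid=2000 comm="bash" name="shadow" dev=sda1 ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# "avc:  denied  { read write }" inside the nested msg='...' string.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value pairs; values may be double-quoted and contain spaces (xdevice="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Third field of a security context, e.g. xevent_t from system_u:object_r:xevent_t:s0."""
    return context.split(":")[2]


def parse_user_avc(line):
    """Parse one USER_AVC line into a dict; return None for any other record type."""
    if not line.startswith("type=USER_AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "subject": fields.get("subj", ""),      # the object manager, xserver_t here
        "scontext": fields["scontext"],         # the X client being checked
        "tcontext": fields["tcontext"],         # the X object being accessed
        "tclass": fields["tclass"],
        "request": fields.get("request", ""),   # X protocol request that triggered it
        "comm": fields.get("comm", ""),
    }


def x_denials(text):
    """USER_AVC denials reported by the X server (tclass x_*), from audit.log text."""
    out = []
    for line in text.splitlines():
        rec = parse_user_avc(line)
        if rec and rec["decision"] == "denied" and rec["tclass"].startswith("x_"):
            out.append(rec)
    return out


def summarize(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in x_denials(text):
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


def suggest_rules(text):
    """audit2allow-style allow rules, one per (source, target, class).

    These are candidates for a local policy module; review each one, since
    blindly allowing what was denied is exactly what the X policy is meant
    to prevent."""
    perms = defaultdict(set)
    for (stype, ttype, tclass, perm) in summarize(text):
        perms[(stype, ttype, tclass)].add(perm)
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    import sys
    # Usage: python xavc.py /var/log/audit/audit.log   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    for key, n in sorted(summarize(text).items()):
        print("%5d  %s -> %s : %s %s" % (n, key[0], key[1], key[2], key[3]))
    print("\n".join(suggest_rules(text)))
```

Run it against the real audit.log after the boolean is on and a desktop session has been started; the counts tell you which classes the F12 policy is not covering, and the request= field in each record names the X protocol call behind the denial, which is usually what you need to decide whether a rule is legitimate.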

* Re: Tutorial on setting up SELinux / X Server
  2009-12-04  3:07 ` Eamon Walsh
@ 2009-12-04 15:59   ` Tyler Durvik
  2009-12-04 22:51     ` Eamon Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Tyler Durvik @ 2009-12-04 15:59 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: fedora-selinux-list, selinux

I turned on the boolean:

setsebool -P xserver_object_manager on

and now I get the following in my Xorg.0.log file:

SELinux: Invalid object class mapping, disabling SELinux support.

Should I try the latest policy from oss.tresys.com?  Would the
upstream reference policy fix this error?

Thanks,
Mark


On Thu, Dec 3, 2009 at 10:07 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> On 12/02/2009 10:22 PM, Tyler Durvik wrote:
>> Greetings,
>>
>> I am looking for a tutorial, or instructions, on how to set up an X
>> Server to work with SELinux.  I have fedora 12 installed and ready to
>> go.  Does anyone have links/pages to where I may find this
>> information?
>>
>> Thanks
>>
>
>
> Turn on the xserver_object_manager boolean and restart X, as described
> by Dominick.  AVC's generated by X will go in Xorg.0.log as well as
> audit.log (as type "USER_AVC").
>
> The current X policy in F12 probably will generate AVC's on a full
> desktop session.  There is a much improved X policy upstream that is not
> in F12 yet.  I will bug Dan to ship it in his next update.
>
> If you want to run the X server in permissive mode but keep the rest of
> the system enforcing put the following in xorg.conf:
>
> Section "Module"
>        SubSection "extmod"
>                Option "SELinux mode permissive"
>        EndSubSection
> EndSection
>
>
>
>
> --
>
> Eamon Walsh
> National Security Agency
>
>



* Re: Tutorial on setting up SELinux / X Server
  2009-12-04 15:59   ` Tyler Durvik
@ 2009-12-04 22:51     ` Eamon Walsh
  0 siblings, 0 replies; 4+ messages in thread
From: Eamon Walsh @ 2009-12-04 22:51 UTC (permalink / raw)
  To: Tyler Durvik; +Cc: fedora-selinux-list, selinux


On 12/04/2009 10:59 AM, Tyler Durvik wrote:
> I turned on the boolean:
>
> setsebool -P xserver_object_manager on
>
> and now I get the following in my Xorg.0.log file:
>
> SELinux: Invalid object class mapping, disabling SELinux support.
>
> Should I try the latest policy from oss.tresys.com?  Would the
> upstream reference policy fix this error?
>
> Thanks,
> Mark
>
>   

OK, that error is because the x_pointer and x_keyboard object classes
haven't made it into F-12 policy yet.

You could try the upstream policy.  I'd recommend sticking with the
Fedora policy though, because I'm getting AVC's from upstream (at least
on rawhide) and upstream is not tuned for Fedora.  If you do compile
from upstream make sure to set the "init_upstart" boolean to true or
everything gets out of whack at boot time.

If you're willing to rebuild the F-12 policy, you can add the attached
patch which will fix the error above and allow the SELinux extension to
run.  As soon as I can get the rest of the new X policy ported I'll send
it to Dan.



-- 

Eamon Walsh 
National Security Agency


[-- Attachment #2: policy-X1.patch --]
[-- Type: text/x-patch, Size: 1398 bytes --]

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 43c951f..6760c95 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -94,6 +94,33 @@ common database
 }
 
 #
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+	getattr
+	setattr
+	use
+	read
+	write
+	getfocus
+	setfocus
+	bell
+	force_cursor
+	freeze
+	grab
+	manage
+	list_property
+	get_property
+	set_property
+	add
+	remove
+	create
+	destroy
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
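Review bot: the header comment on the new block calls it a "common prefix", but what it defines is the full permission set that x_device and the two new classes share, and the name x_device is now used both as a common and as a class (the same pattern as the existing `common socket` / `class socket`); say so in the comment, e.g. `# Common permissions shared by the x_device, x_pointer and x_keyboard classes`, so a later reader does not go looking for a separate x_device class body.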
@@ -526,27 +553,7 @@ class x_client
 }
 
 class x_device
-{
-	getattr
-	setattr
-	use
-	read
-	write
-	getfocus
-	setfocus
-	bell
-	force_cursor
-	freeze
-	grab
-	manage
-	list_property
-	get_property
-	set_property
-	add
-	remove
-	create
-	destroy
-}
+inherits x_device
 
 class x_server
 {
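Review bot: the permission list moved into the common keeps the original order (getattr through destroy), so the x_device permission bits should come out unchanged, and the X server maps classes and permissions by name anyway; but once the class body is reduced to `inherits x_device`, any future x_device-only permission added to the class will not be seen by x_pointer and x_keyboard, so add a one-line comment next to `class x_device` stating that new permissions belong in the common.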
@@ -803,3 +810,9 @@ class kernel_service
 
 class tun_socket
 inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
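Review bot: declaring x_pointer and x_keyboard gives the X server the classes its mapping asks for, which is what clears "Invalid object class mapping", but nothing in the patch adds allow rules for the new classes in the xserver module, so once the extension loads every pointer and keyboard access is checked against an empty rule set and will show up as x_pointer / x_keyboard denials (enforced or only logged depending on the extension's mode); either say so in the cover text or carry the basic rules over together with the class definitions. Appending the classes after tun_socket is correct, since access_vectors must list classes in the same order as security_classes.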
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2bd1bf6..fa65db2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,4 +121,8 @@ class kernel_service
 
 class tun_socket
 
+# Still More SE-X Windows stuff
+class x_pointer			# userspace
+class x_keyboard		# userspace
+
 # FLASK
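Review bot: the two classes are appended after tun_socket, which is required because class order in this file fixes the class identifiers and inserting them next to the other x_* classes would renumber everything after them; the `# userspace` annotation matches the existing X classes. The comment line "Still More SE-X Windows stuff" is informal; spell out that these are XSELinux object classes and that they must appear in the same order here and in access_vectors.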

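The error Tyler hit ("SELinux: Invalid object class mapping, disabling SELinux support.") and Eamon's explanation above come down to one check: the X server asks the loaded policy to map a fixed list of x_* classes, and if any one of them is missing the extension disables itself. The following is an added example, not code from the thread or from the SELinux or Xorg projects: a Python preflight check that lists the classes a flask security_classes file declares, or the classes the running kernel exposes under selinuxfs, and reports which X classes are missing before you reboot into a policy that will not load the extension. x_pointer and x_keyboard are the two classes the thread names; the rest of the XSELINUX_CLASSES list is an assumption taken from the extension's class list and should be compared against the Xorg build you actually run. The two security_classes excerpts are constructed to mirror the F-12 file before and after the attached patch.

```python
import os
import re

# X object classes the XSELinux extension (xserver_object_manager) asks the
# kernel to map at startup.  x_pointer and x_keyboard are the two the thread
# names; the remaining entries are assumed from the extension's class list
# and should be checked against the Xorg build actually in use.
XSELINUX_CLASSES = (
    "x_drawable", "x_screen", "x_gc", "x_font", "x_colormap", "x_property",
    "x_selection", "x_cursor", "x_client", "x_device", "x_server",
    "x_extension", "x_event", "x_synthetic_event", "x_resource",
    "x_pointer", "x_keyboard",
)

# Constructed excerpt of a security_classes file in the shape of the F-12 one
# from the thread: X classes present up to x_synthetic_event, tun_socket last,
# x_pointer / x_keyboard absent.
SECURITY_CLASSES_F12 = """\
# FLASK

# Define the security object classes

class security
class process
# userspace X classes
class x_drawable		# userspace
class x_screen			# userspace
class x_gc			# userspace
class x_font			# userspace
class x_colormap		# userspace
class x_property		# userspace
class x_selection		# userspace
class x_cursor			# userspace
class x_client			# userspace
class x_device			# userspace
class x_server			# userspace
class x_extension		# userspace
class x_resource		# userspace
class x_event			# userspace
class x_synthetic_event		# userspace
class kernel_service

class tun_socket

# FLASK
"""

# Same excerpt with the security_classes hunk of the attached patch applied.
SECURITY_CLASSES_PATCHED = SECURITY_CLASSES_F12.replace(
    "class tun_socket\n",
    "class tun_socket\n\n# Still More SE-X Windows stuff\n"
    "class x_pointer\t\t\t# userspace\nclass x_keyboard\t\t# userspace\n",
)

CLASS_RE = re.compile(r"^\s*class\s+([A-Za-z0-9_]+)")


def parse_security_classes(text):
    """Class names declared in a flask security_classes file, in file order.

    Order matters: it is what assigns class identifiers, which is why new
    classes are appended at the end rather than inserted."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]        # drop trailing '# userspace' comments
        m = CLASS_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def loaded_classes(selinuxfs="/sys/fs/selinux"):
    """Class names known to the running kernel policy, or [] if selinuxfs is
    not mounted there (older Fedora mounts it at /selinux)."""
    try:
        return sorted(os.listdir(os.path.join(selinuxfs, "class")))
    except OSError:
        return []


def missing_x_classes(declared):
    """X classes the extension needs that the given policy does not declare."""
    have = set(declared)
    return [c for c in XSELINUX_CLASSES if c not in have]


def xace_will_load(declared):
    """True if the X server's class mapping will succeed against this policy."""
    return not missing_x_classes(declared)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # check a policy source tree's file
        declared = parse_security_classes(open(sys.argv[1]).read())
    else:                                       # check the running kernel
        declared = loaded_classes() or loaded_classes("/selinux")
    missing = missing_x_classes(declared)
    print("missing X classes: %s" % (" ".join(missing) or "none"))
    sys.exit(1 if missing else 0)
```

Run it with the path to policy/flask/security_classes in the tree you are about to build, or with no argument on the running system before setting xserver_object_manager, so you find out about missing classes from the script rather than from a disabled extension in Xorg.0.log.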
