fedora-selinux February 2008 archive

Re: gnome login broken.... "null" avcs...

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Fri Feb 29 2008 - 14:22:41 GMT
To: Tom London <selinux@gmail.com>



Tom London wrote:
> On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>
>> On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
>> > On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
>> > > Tom London wrote:
>> > > > On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> > > >
>> > > >> Tom London wrote:
>> > > >> > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux@gmail.com> wrote:
>> > > >> >> After applying today's selinux-policy* packages, gnome/gdm login
>> > > >> >> fails: gdmgreeter runs, but X quickly dies after entering the password and
>> > > >> >> you're back to the greeter.
>> > > >> >>
>> > > >> >> Booting up in permissive lets me log in.
>> > > >> >>
>> > > >> >> Here are the borkages:
>> > > >> >>
>> > > >> >> #============= mono_t ==============
>> > > >> >> allow mono_t xdm_xserver_t:x_device read;
>> > > >> >>
>> > > >> >> #============= unconfined_execmem_t ==============
>> > > >> >> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>> > > >> >>
>> > > >> >> #============= unconfined_t ==============
>> > > >> >> allow unconfined_t mono_t:x_resource write;
>> > > >> >> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>> > > >> >> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>> > > >> >> [root@localhost ~]#
>> > >
>> > > The "null" avc's are fixed in the upstream X server. This is a bad
>> > > security hook call in the GLX code and affects GLX programs such as compiz.
>> > >
>> > > The unlabeled AVC is the result of a mislabeled program?
>> > >
>> > > --
>> > > Eamon Walsh <ewalsh@tycho.nsa.gov>
>> > > National Security Agency
>> >
>> > I've backed up policy to previous version, and checking for unlabeled
>> > programs indicates nothing amiss.
>> >
>> > No programs were relabeled on install of policy; something else I should check?
>>
>> grep 'invalidating context' /var/log/messages
>>
>> --
>> Stephen Smalley
>> National Security Agency
> [root@localhost ~]# grep 'invalidating context' /var/log/messages
> Feb 27 07:13:31 localhost kernel: security: invalidating context
> unconfined_u:unconfined_r:samba_net_t:s0
Ok, I removed the transition from unconfined_t to samba_net_t and replaced it with samba_unconfined_net_t. But this removed the unconfined_r designation, causing this.
> Feb 28 06:47:08 localhost kernel: security: invalidating context
> system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
> Feb 28 06:47:08 localhost kernel: security: invalidating context
> unconfined_u:system_r:httpd_unconfined_script_t:s0
> Feb 28 06:47:08 localhost kernel: security: invalidating context
> unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context
> unconfined_u:system_r:httpd_user_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context
> unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
> Feb 28 07:46:11 localhost kernel: security: invalidating context
> system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
I have been working on switching Apache scripts, but I'm not sure why this was invalidated.
> [root@localhost ~]#

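The contexts that grep turns up stop being reachable when the reloaded policy drops a type, a role-to-type authorization (as described above for unconfined_r and samba_net_t) or a user-to-role authorization. The following is an added example, not code from this thread, that parses such kernel log lines and names the first missing policy fact for each context; POLICY_TYPES, ROLE_TYPES and USER_ROLES are a constructed stand-in for what seinfo would report from the new policy.

```python
import re
from typing import NamedTuple

# Constructed sample of the kernel messages quoted in the thread (one entry
# per line, as /var/log/messages stores them before mail wrapping).
SAMPLE_LOG = """\
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
"""

# Hypothetical slice of the reloaded policy, constructed so that each sample
# line fails a different check. A real run would fill these from seinfo.
POLICY_TYPES = {"samba_net_t", "samba_unconfined_net_t", "httpd_user_script_t"}
ROLE_TYPES = {"unconfined_r": {"samba_unconfined_net_t"},
              "system_r": {"httpd_user_script_t"}}
USER_ROLES = {"unconfined_u": {"unconfined_r"}, "system_u": {"system_r"}}
LINE_RE = re.compile(r"security: invalidating context (\S+)")

class Context(NamedTuple):
    user: str
    role: str
    type_: str
    mls: str

def parse_context(ctx: str) -> Context:
    # The MLS range may itself contain ':' (s0-s0:c0.c1023), so split off
    # only the first three fields and keep the rest as the range.
    user, role, type_, mls = ctx.split(":", 3)
    return Context(user, role, type_, mls)

def explain(ctx: Context) -> str:
    """Name the first policy fact whose absence makes ctx unreachable."""
    if ctx.type_ not in POLICY_TYPES:
        return f"type {ctx.type_} no longer exists in policy"
    if ctx.type_ not in ROLE_TYPES.get(ctx.role, set()):
        return f"role {ctx.role} is no longer authorized for type {ctx.type_}"
    if ctx.role not in USER_ROLES.get(ctx.user, set()):
        return f"user {ctx.user} is no longer authorized for role {ctx.role}"
    return "user, role and type all present; check the MLS range or user definition"

def invalidated_contexts(log: str) -> list[tuple[Context, str]]:
    # Every matching line yields the parsed context and its explanation.
    found = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ctx = parse_context(m.group(1))
            found.append((ctx, explain(ctx)))
    return found
```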