Re: Permissive mode for xace is broken.

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon Feb 25 2008 - 14:48:50 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
>> On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> If I turn on xserver_object_manager in rawhide and log in as staff_t in >>> permissive mode, I get all sorts of things failing, which makes writing >>> policy for it very difficult. And is very broken. >> Hmmm...as I understood it, XSELinux should follow the kernel's enforcing >> status by default (i.e. if the kernel is permissive, then so should >> XSELinux), unless you explicitly configure enforcing= in xorg.conf to >> specify a different setting for the X server than the kernel. You are >> supposed to be able to make the X server permissive w/o making the >> kernel permissive via xorg configuration, I believe, although I'm not >> sure that made it into the rawhide xorg yet.
>
> Doesn't look like the rawhide xorg server has that support yet.
>
> But it should follow the kernel's enforcing status. You should see log
> messages with "received setenforce notice (enforcing=...)" in them from
> both dbus and X in either /var/log/messages or /var/log/audit/audit.log.
>

Looking at the code, I do not see security_getenforce() in the code. Are you saying that this is not necessary, the kernel will return allowed but generate the AVC?

And the only one who mentions setenforce in /var/log/audit/audit.log in dbus not X?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfC1VIACgkQrlYvE4MpobMGbgCgsApumkxRzzo21JtgjE8S1psc GpQAoNt6178sE4a0tWpICiErtJw1MzqH
=ZTuN
-----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

This message: [ Message body ]
Next message: Daniel J Walsh: "Re: So how would I write policy with xace/XSELinux to stop xspy from working?"
Previous message: Joshua Brindle: "RE: how to implement permissive domains + an old bug"
In reply to: Stephen Smalley: "Re: Permissive mode for xace is broken."
Next in thread: Stephen Smalley: "Re: Permissive mode for xace is broken."
Reply: Stephen Smalley: "Re: Permissive mode for xace is broken."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]