|Main Archive Page > Month Archives > selinux archives|
-----BEGIN PGP SIGNED MESSAGE-----
Stephen Smalley wrote:
> On Mon, 2008-02-25 at 09:12 -0500, Stephen Smalley wrote:
>> On Mon, 2008-02-25 at 09:09 -0500, Daniel J Walsh wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> If I turn on xserver_object_manager in rawhide and log in as staff_t in >>> permissive mode, I get all sorts of things failing, which makes writing >>> policy for it very difficult. And is very broken. >> Hmmm...as I understood it, XSELinux should follow the kernel's enforcing >> status by default (i.e. if the kernel is permissive, then so should >> XSELinux), unless you explicitly configure enforcing= in xorg.conf to >> specify a different setting for the X server than the kernel. You are >> supposed to be able to make the X server permissive w/o making the >> kernel permissive via xorg configuration, I believe, although I'm not >> sure that made it into the rawhide xorg yet.
> Doesn't look like the rawhide xorg server has that support yet.
> But it should follow the kernel's enforcing status. You should see log
> messages with "received setenforce notice (enforcing=...)" in them from
> both dbus and X in either /var/log/messages or /var/log/audit/audit.log.
Looking at the code, I do not see security_getenforce() in the code. Are you saying that this is not necessary, the kernel will return allowed but generate the AVC?
And the only one who mentions setenforce in /var/log/audit/audit.log in dbus not X?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.