On Thu, Feb 28, 2008 at 1:50 PM, Tom London <selinux(a)gmail.com> wrote:
On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>
>
> On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
> > On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh <ewalsh(a)tycho.nsa.gov> wrote:
> > > Tom London wrote:
> > > > On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> > > >
> > > >> -----BEGIN PGP SIGNED MESSAGE-----
> > > >> Hash: SHA1
> > > >>
> > > >>
> > > >>
> > > >> Tom London wrote:
> > > >> > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux(a)gmail.com> wrote:
> > > >> >> After applying today's selinux-policy* packages, gnome/gdm login
> > > >> >> fails: gdmgreeter runs, but X quickly dies after entering the password and
> > > >> >> you're back to the greeter.
> > > >> >>
> > > >> >> Booting up in permissive lets me log in.
> > > >> >>
> > > >> >> Here are the borkages:
> > > >> >>
> > > >> >>
> > > >> >> #============= mono_t ==============
> > > >> >> allow mono_t xdm_xserver_t:x_device read;
> > > >> >>
> > > >> >> #============= unconfined_execmem_t ==============
> > > >> >> allow unconfined_execmem_t xdm_xserver_t:x_device read;
> > > >> >>
> > > >> >> #============= unconfined_t ==============
> > > >> >> allow unconfined_t mono_t:x_resource write;
> > > >> >> allow unconfined_t unconfined_execmem_t:x_resource { write read };
> > > >> >> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
> > > >> >> [root@localhost ~]#
> > > >> >>
> > >
> > > The "null" avc's are fixed in the upstream X server. This is a bad
> > > security hook call in the GLX code and affects GLX programs such as compiz.
> > >
> > > The unlabeled AVC is the result of a mislabeled program?
> > >
> > >
> > >
> > > --
> > > Eamon Walsh <ewalsh(a)tycho.nsa.gov>
> > > National Security Agency
> > >
> > >
> > I've backed up policy to previous version, and checking for unlabeled
> > programs indicates nothing amiss.
> >
> > No programs were relabeled on install of policy; something else I should check?
>
> grep 'invalidating context' /var/log/messages
>
> --
> Stephen Smalley
> National Security Agency
>
>
[root@localhost ~]# grep 'invalidating context' /var/log/messages
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
Feb 28 07:46:11 localhost kernel: security: invalidating context system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
[root@localhost ~]#
Downloading the latest selinux-policy and xorg-x11-server packages from
koji fixes this for me:
[root@localhost ~]# rpm -qa selinux\* xorg-x11-server\*
xorg-x11-server-utils-7.3-3.fc9.i386
selinux-policy-targeted-3.3.1-7.fc9.noarch
xorg-x11-server-common-1.4.99.1-0.26.20080227.fc9.i386
selinux-policy-devel-3.3.1-7.fc9.noarch
selinux-policy-3.3.1-7.fc9.noarch
xorg-x11-server-Xorg-1.4.99.1-0.26.20080227.fc9.i386
[root@localhost ~]#
"grep 'invalidating context' /var/log/messages" shows nothing.
Thanks for the quick work on this!
tom
--
Tom London
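
An added example, not part of the thread and not code from the SELinux project: a small POSIX sh script that does what Stephen's grep does, but also pulls out the distinct contexts and types the kernel invalidated at policy load and, where selinuxfs is present, asks the running kernel whether each of those contexts is accepted by the policy that is loaded now. The "invalidating context" message is logged when a newly loaded policy no longer defines a context the kernel had already handed out; objects carrying such a context are treated as unlabeled from then on, which is one way an unlabeled_t AVC like the x_drawable one above can show up after a policy update. The log lines in the script are constructed to match the format quoted above (they are not real log data), and the function names (invalidated_contexts, invalidated_types, context_still_valid, report) are mine.

```shell
#!/bin/sh
# Added example; not code from the thread or from the SELinux project.
# When a new policy is loaded, the kernel logs
#   security: invalidating context <user>:<role>:<type>:<mls>
# for every context it had handed out that the new policy no longer
# accepts (typically because the type was removed or renamed); the
# affected objects are then treated as unlabeled.  This script lists the
# distinct contexts and types involved and, where selinuxfs is present,
# asks the running kernel whether each context is valid now.

# Constructed sample in the format quoted in the thread; not real log
# data.  The third line is a non-matching line to show the filter.
SAMPLE_LOG='Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
Feb 28 06:47:09 localhost kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0'

# Distinct full contexts from "invalidating context" lines, sorted,
# one per line.  Reads log text on stdin.
invalidated_contexts() {
    sed -n 's/.*security: invalidating context \(.*\)$/\1/p' | sort -u
}

# Distinct type components (third colon-separated field) of those
# contexts: the names to look for in the new policy (for example with
# "seinfo -t" from setools) or in the policy package changelog.
invalidated_types() {
    invalidated_contexts | cut -d: -f3 | sort -u
}

# Ask the running kernel whether a context is valid under the policy
# loaded now.  Writing a context string to /sys/fs/selinux/context makes
# the kernel validate it (this is the interface libselinux's
# security_check_context() uses); the write fails if it is rejected.
# Returns 0 if valid, 1 if rejected (or the write was denied), 2 if
# selinuxfs is not available (non-SELinux host, or an older kernel that
# mounts it at /selinux).  Assumption: the caller holds
# security:check_context, which an unconfined shell normally does.
context_still_valid() {
    [ -w /sys/fs/selinux/context ] || return 2
    printf '%s' "$1" > /sys/fs/selinux/context 2>/dev/null
}

# One line per invalidated context with its status under the current
# policy.  Reads log text on stdin.
report() {
    invalidated_contexts | while read -r ctx; do
        rc=0
        context_still_valid "$ctx" || rc=$?
        case $rc in
            0) status='valid under loaded policy' ;;
            2) status='cannot check: no /sys/fs/selinux/context' ;;
            *) status='REJECTED by loaded policy' ;;
        esac
        printf '%-62s %s\n' "$ctx" "$status"
    done
}

# Demo on the constructed sample; on a real box use
#   report < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | report
printf 'types to check: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | invalidated_types | tr '\n' ' ')"
```

A context that the kernel now rejects is the signal to look at: either the type was deliberately dropped from the new policy (then the process or file carrying it needs a relabel or restart), or the policy package is missing a module it used to ship. On the 2008-era systems in the thread selinuxfs lived at /selinux rather than /sys/fs/selinux, so the validity check would need that path adjusted there; the grep and the type extraction work unchanged.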