On Mon, 12 Apr 2004 20:36, Herald van der Breggen <herald(a)breggen.xs4all.nl>
wrote:
removed the line
#x:5:respawn:/etc/X11/prefdm -nodaemon
added the line
x:5:respawn:/usr/X11R6/bin/X -query 192.168.1.12
The current policy files don't allow init to start X (which is a symlink
to XFree in the same direcory).
avc: denied { execute } for pid=3058 exe=/sbin/init name=XFree86
dev=hda5 ino=395703 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:policy_config_t tclass=file
Firstly there is something very wrong in having the file labeled as
policy_config_t. Please use setfiles to relabel /usr/X11R6 before trying it
again.
Question one: should the default set of policy rules not allow this?
Yes, I think it should.
Question two: what is the best way to allow to start the X server by
init? I am new to selinux and have trouble to find my way. I struggled
with the newrules.pl script (which not seemed to right way to solve this
problem) and tried rules like
can_exec(init_t, xserver_exec_t);
can_exec(init_t, xserver_log_t);
I don't know why a log file is being executed, I guess that there is a
mislabeled file. Maybe relabelling your system would be a good idea.
As for solving the problem, what you want is for init_t to transition to
xdm_xserver_t (the domain for system X server processes). The following
policy should work:
domain_auto_trans(init_t, xserver_exec_t, xdm_xserver_t)
Please try it and let me know how it works (very important). I don't have a
network setup for testing X terms so I need positive feedback from you if I
am to include this policy in my tree. If you want to have this work on a
default Fedora SE Linux install then let me know how it works, if it doesn't
work then tell me the AVC messages you get.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page