Old 12-03-2009, 02:22 AM
Tyler Durvik
 
Tutorial on setting up SELinux / X Server

Greetings,

I am looking for a tutorial, or instructions, on how to set up an X
Server to work with SELinux. I have fedora 12 installed and ready to
go. Does anyone have links/pages to where I may find this
information?

Thanks

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-03-2009, 09:05 AM
Dominick Grift
 
Tutorial on setting up SELinux / X Server

On Wed, Dec 02, 2009 at 10:22:03PM -0500, Tyler Durvik wrote:
> Greetings,
>
> I am looking for a tutorial, or instructions, on how to set up an X
> Server to work with SELinux. I have fedora 12 installed and ready to
> go. Does anyone have links/pages to where I may find this
> information?

setsebool -P xserver_object_manager on
shutdown -r now

Might not work with every graphics card. See Xorg.0.log about its status.
>
> Thanks
 
Old 12-04-2009, 12:59 AM
Richard Chapman
 
Tutorial on setting up SELinux / X Server

I have a CentOS 5.4 system running X - and I also have some boot time X
related denials. I therefore tried the below setsebool but got the
following errors:


setsebool -P xserver_object_manager on

libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean xserver_object_manager
Could not change policy booleans


Is this because CentOS is different - or is there a typo in the above
command?


Richard.


Dominick Grift wrote:

> On Wed, Dec 02, 2009 at 10:22:03PM -0500, Tyler Durvik wrote:
>
>> Greetings,
>>
>> I am looking for a tutorial, or instructions, on how to set up an X
>> Server to work with SELinux. I have fedora 12 installed and ready to
>> go. Does anyone have links/pages to where I may find this
>> information?
>
> setsebool -P xserver_object_manager on
> shutdown -r now
>
> Might not work with every graphics card. See Xorg.0.log about its status.
>
>> Thanks
 
Old 12-04-2009, 01:25 AM
Eamon Walsh
 
Tutorial on setting up SELinux / X Server

On 12/03/2009 08:59 PM, Richard Chapman wrote:
> I have a CentOS 5.4 system running X - and I also have some boot time X
> related denials. I therefore tried the below setsebool but got the
> following errors:
>
> setsebool -P xserver_object_manager on
>
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean xserver_object_manager
> Could not change policy booleans
>
>
> Is this because Centos is different - or is there a typo in the above
> command?
>
> Richard.
>
>


I don't think that RHEL 5.4 has this boolean. Look in /selinux/booleans
and see if there is a file called xserver_object_manager.

However, if you are getting boot-time X denials then it's probably not
anything to do with the X object manager. That sounds like a kernel
policy problem. What are the denials?



--

Eamon Walsh
National Security Agency

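A small check for the two things raised in this post, as an added example (not Eamon's code): whether a boolean such as xserver_object_manager is present in the loaded policy before setsebool is run, and what the X server's own SELinux status line in Xorg.0.log says. It assumes the selinuxfs layout (one file per boolean under /selinux/booleans holding the current and pending values) and runs against a constructed directory and constructed log lines.

```python
"""Preflight for the advice above: check that a boolean exists in the loaded
policy before calling setsebool, and read the status line the X server writes
to Xorg.0.log. Added example; the booleans directory is passed in so the
function can run against a constructed tree instead of /selinux/booleans."""
import os
import tempfile

def boolean_state(booleans_dir, name):
    """Return None when the boolean is absent from the policy (the RHEL 5.4
    case in this thread), otherwise its current value as 0 or 1. Each
    selinuxfs boolean file holds two integers: current and pending value."""
    path = os.path.join(booleans_dir, name)
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        current, _pending = f.read().split()[:2]
    return int(current)

def xorg_selinux_status(log_lines):
    """Collect the X server's own 'SELinux:' messages from Xorg.0.log lines.
    Returns (selinux_extension_active, messages); a message containing
    'disabling SELinux support' means the extension switched itself off."""
    msgs = [line.split("SELinux:", 1)[1].strip()
            for line in log_lines if "SELinux:" in line]
    disabled = any("disabling SELinux support" in m for m in msgs)
    return (bool(msgs) and not disabled, msgs)

def demo():
    """Build a constructed booleans tree with the X boolean missing (as on
    RHEL 5.4) and a placeholder boolean present and on, then read a
    constructed Xorg.0.log excerpt carrying the message Tyler reports later."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "example_other_bool"), "w") as f:
        f.write("1 1\n")                      # constructed: current=1 pending=1
    missing = boolean_state(d, "xserver_object_manager")  # -> None
    present = boolean_state(d, "example_other_bool")      # -> 1
    xorg_log = [                                          # constructed excerpt
        '(II) Module extmod: vendor="X.Org Foundation"',
        "SELinux: Invalid object class mapping, disabling SELinux support.",
    ]
    active, msgs = xorg_selinux_status(xorg_log)
    return missing, present, active, msgs

if __name__ == "__main__":
    print(demo())
```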
 
Old 12-04-2009, 01:56 AM
Richard Chapman
 
Tutorial on setting up SELinux / X Server

Eamon Walsh wrote:

> On 12/03/2009 08:59 PM, Richard Chapman wrote:
>
>> I have a CentOS 5.4 system running X - and I also have some boot time X
>> related denials. I therefore tried the below setsebool but got the
>> following errors:
>>
>> setsebool -P xserver_object_manager on
>>
>> libsemanage.dbase_llist_set: record not found in the database
>> libsemanage.dbase_llist_set: could not set record value
>> Could not change boolean xserver_object_manager
>> Could not change policy booleans
>>
>> Is this because CentOS is different - or is there a typo in the above
>> command?
>>
>> Richard.
>
> I don't think that RHEL 5.4 has this boolean. Look in /selinux/booleans
> and see if there is a file called xserver_object_manager.
>
> However, if you are getting boot-time X denials then it's probably not
> anything to do with the X object manager. That sounds like a kernel
> policy problem. What are the denials?

Hi Eamon

You are right - there is no such file in /selinux/booleans on my
RHEL 5.4 system.


I have been getting these for ages, and have discussed them with Daniel,
but have not found the problem. Here is the first; the others are
similar. I have tried the suggested re-labelling, and moved /tmp to a
tmpfs volume, but still the errors persist:


Summary
SELinux is preventing the setxkbmap from using potentially mislabeled
files (./.X11-unix).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]


SELinux has denied setxkbmap access to potentially mislabeled file(s)
(./.X11-unix). This means that SELinux will not allow setxkbmap to use
these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system
directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.


Allowing Access
If you want setxkbmap to access this files, you need to relabel them
using restorecon -v './.X11-unix'. You might want to relabel the entire
directory using restorecon -R -v './.X11-unix'.

Additional Information

Source Context: system_u:system_r:rhgb_t
Target Context: system_u:object_r:initrc_tmp_t
Target Objects: ./.X11-unix [ dir ]
Source: setxkbmap
Source Path: /usr/bin/setxkbmap
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-225.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: home_tmp_bad_labels
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-164.el5 #1 SMP Thu Sep 3
03:28:30 EDT 2009 x86_64 x86_64

Alert Count: 43
First Seen: Sun Jan 11 17:55:13 2009
Last Seen: Tue Sep 29 12:03:49 2009
Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1254197029.941:12): avc:
denied { search } for pid=4172 comm="setxkbmap" name=".X11-unix"
dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1254197029.941:12): avc:
denied { search } for pid=4172 comm="setxkbmap" name=".X11-unix"
dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1254197029.941:12):
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd604c2a0 a2=13
a3=3be2b51a30 items=0 ppid=4171 pid=4172 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setxkbmap" exe="/usr/bin/setxkbmap"
subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1254197029.941:12):
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd604c2a0 a2=13
a3=3be2b51a30 items=0 ppid=4171 pid=4172 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setxkbmap" exe="/usr/bin/setxkbmap"
subj=system_u:system_r:rhgb_t:s0 key=(null)



Richard

 
Old 12-04-2009, 02:07 AM
Eamon Walsh
 
Tutorial on setting up SELinux / X Server

On 12/02/2009 10:22 PM, Tyler Durvik wrote:
> Greetings,
>
> I am looking for a tutorial, or instructions, on how to set up an X
> Server to work with SELinux. I have fedora 12 installed and ready to
> go. Does anyone have links/pages to where I may find this
> information?
>
> Thanks
>


Turn on the xserver_object_manager boolean and restart X, as described
by Dominick. AVC's generated by X will go in Xorg.0.log as well as
audit.log (as type "USER_AVC").

The current X policy in F12 probably will generate AVC's on a full
desktop session. There is a much improved X policy upstream that is not
in F12 yet. I will bug Dan to ship it in his next update.

If you want to run the X server in permissive mode but keep the rest of
the system enforcing put the following in xorg.conf:

Section "Module"
    SubSection "extmod"
        Option "SELinux mode permissive"
    EndSubSection
EndSection




--

Eamon Walsh
National Security Agency

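To separate the two record types Eamon mentions, here is an added example (not from anyone in the thread) that parses audit.log lines and tells kernel-policy decisions (type=AVC, like Richard's setxkbmap denial above) from X object manager decisions (type=USER_AVC on an x_* class). The second sample line is constructed and its exact USER_AVC field layout is an assumption; only the `avc: denied { perms } ... scontext= tcontext= tclass=` core is relied on.

```python
"""Split audit records into kernel-policy decisions and X object manager
decisions. Added example; the USER_AVC sample line is constructed."""
import re

# Constructed sample log: line 1 is the kernel AVC Richard posted (setxkbmap in
# rhgb_t searching the mislabeled .X11-unix directory); line 2 is a constructed
# USER_AVC of the shape the X server emits once xserver_object_manager is on.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1254197029.941:12): avc:  denied  { search } for  pid=4172 comm="setxkbmap" name=".X11-unix" dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=USER_AVC msg=audit(1259900000.101:77): pid=2001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xserver_t:s0 msg='avc:  denied  { read } for request=X11:GetProperty comm=example-client scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:xserver_t:s0 tclass=x_property : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC/USER_AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "type": kv.get("type"),
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "comm": kv.get("comm"),
        "scontext": kv.get("scontext"),
        "tcontext": kv.get("tcontext"),
        "tclass": kv.get("tclass"),
    }

def type_of(context):
    """security context user:role:type[:level] -> type"""
    return context.split(":")[2]

def enforcer(rec):
    """Kernel AVCs are decided by the kernel policy (a policy or labeling
    problem, as Eamon says of the boot-time denials); X object manager
    decisions arrive as USER_AVC on an x_* object class."""
    if rec["type"] == "USER_AVC" and (rec["tclass"] or "").startswith("x_"):
        return "xserver-object-manager"
    if rec["type"] == "AVC":
        return "kernel"
    return "other-userspace"

def summarize(log_text):
    """One (enforcer, source type, perms, target type, class) row per AVC."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((enforcer(rec), type_of(rec["scontext"]), rec["perms"],
                        type_of(rec["tcontext"]), rec["tclass"]))
    return out
```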
 
Old 12-04-2009, 02:59 PM
Tyler Durvik
 
Tutorial on setting up SELinux / X Server

I turned on the boolean:

setsebool -P xserver_object_manager on

and now I get the following in my Xorg.0.log file:

SELinux: Invalid object class mapping, disabling SELinux support.

Should I try the latest policy from oss.tresys.com? Would the
upstream reference policy fix this error?

Thanks,
Mark


On Thu, Dec 3, 2009 at 10:07 PM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> On 12/02/2009 10:22 PM, Tyler Durvik wrote:
>> Greetings,
>>
>> I am looking for a tutorial, or instructions, on how to set up an X
>> Server to work with SELinux. I have fedora 12 installed and ready to
>> go. Does anyone have links/pages to where I may find this
>> information?
>>
>> Thanks
>>
>
>
> Turn on the xserver_object_manager boolean and restart X, as described
> by Dominick. AVC's generated by X will go in Xorg.0.log as well as
> audit.log (as type "USER_AVC").
>
> The current X policy in F12 probably will generate AVC's on a full
> desktop session. There is a much improved X policy upstream that is not
> in F12 yet. I will bug Dan to ship it in his next update.
>
> If you want to run the X server in permissive mode but keep the rest of
> the system enforcing put the following in xorg.conf:
>
> Section "Module"
>     SubSection "extmod"
>         Option "SELinux mode permissive"
>     EndSubSection
> EndSection
>
>
>
>
> --
>
> Eamon Walsh
> National Security Agency
>
>

 
Old 12-04-2009, 09:51 PM
Eamon Walsh
 
Tutorial on setting up SELinux / X Server

On 12/04/2009 10:59 AM, Tyler Durvik wrote:
> I turned on the boolean:
>
> setsebool -P xserver_object_manager on
>
> and now I get the following in my Xorg.0.log file:
>
> SELinux: Invalid object class mapping, disabling SELinux support.
>
> Should I try the latest policy from oss.tresys.com? Would the
> upstream reference policy fix this error?
>
> Thanks,
> Mark
>
>

OK, that error is because the x_pointer and x_keyboard object classes
haven't made it into F-12 policy yet.

You could try the upstream policy. I'd recommend sticking with the
Fedora policy though, because I'm getting AVC's from upstream (at least
on rawhide) and upstream is not tuned for Fedora. If you do compile
from upstream make sure to set the "init_upstart" boolean to true or
everything gets out of whack at boot time.

If you're willing to rebuild the F-12 policy, you can add the attached
patch which will fix the error above and allow the SELinux extension to
run. As soon as I can get the rest of the new X policy ported I'll send
it to Dan.



--

Eamon Walsh
National Security Agency

 
Old 12-07-2009, 01:26 PM
Richard Chapman
 
Tutorial on setting up SELinux / X Server

Richard Chapman wrote:

> Eamon Walsh wrote:
>
>> On 12/03/2009 08:59 PM, Richard Chapman wrote:
>>
>>> I have a CentOS 5.4 system running X - and I also have some boot time
>>> X related denials. I therefore tried the below setsebool but got the
>>> following errors:
>>>
>>> setsebool -P xserver_object_manager on
>>>
>>> libsemanage.dbase_llist_set: record not found in the database
>>> libsemanage.dbase_llist_set: could not set record value
>>> Could not change boolean xserver_object_manager
>>> Could not change policy booleans
>>>
>>> Is this because CentOS is different - or is there a typo in the
>>> above command?
>>>
>>> Richard.
>>
>> I don't think that RHEL 5.4 has this boolean. Look in /selinux/booleans
>> and see if there is a file called xserver_object_manager.
>>
>> However, if you are getting boot-time X denials then it's probably not
>> anything to do with the X object manager. That sounds like a kernel
>> policy problem. What are the denials?

Hi Eamon

I think my previous attempt to send this probably failed. It looks like
your mail server didn't want to talk to mine - so here goes again...


You are right - there is no such file in /selinux/booleans on my
RHEL 5.4 system.


I have been getting these for ages, and have discussed them with Daniel,
but have not found the problem. Here is the first; the others are
similar. I have tried the suggested re-labelling, and moved /tmp to a
tmpfs volume, but still the errors persist:


Summary
SELinux is preventing the setxkbmap from using potentially mislabeled
files (./.X11-unix).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]


SELinux has denied setxkbmap access to potentially mislabeled file(s)
(./.X11-unix). This means that SELinux will not allow setxkbmap to use
these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system
directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.


Allowing Access
If you want setxkbmap to access this files, you need to relabel them
using restorecon -v './.X11-unix'. You might want to relabel the entire
directory using restorecon -R -v './.X11-unix'.

Additional Information

Source Context: system_u:system_r:rhgb_t
Target Context: system_u:object_r:initrc_tmp_t
Target Objects: ./.X11-unix [ dir ]
Source: setxkbmap
Source Path: /usr/bin/setxkbmap
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-225.el5

Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: home_tmp_bad_labels
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-164.el5 #1 SMP Thu Sep 3
03:28:30 EDT 2009 x86_64 x86_64

Alert Count: 43
First Seen: Sun Jan 11 17:55:13 2009
Last Seen: Tue Sep 29 12:03:49 2009
Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:


Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1254197029.941:12): avc:
denied { search } for pid=4172 comm="setxkbmap" name=".X11-unix"
dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1254197029.941:12): avc:
denied { search } for pid=4172 comm="setxkbmap" name=".X11-unix"
dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1254197029.941:12):
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd604c2a0 a2=13
a3=3be2b51a30 items=0 ppid=4171 pid=4172 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setxkbmap" exe="/usr/bin/setxkbmap"
subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1254197029.941:12):
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd604c2a0 a2=13
a3=3be2b51a30 items=0 ppid=4171 pid=4172 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="setxkbmap" exe="/usr/bin/setxkbmap"
subj=system_u:system_r:rhgb_t:s0 key=(null)



Richard

 
Old 12-18-2009, 02:09 PM
Daniel J Walsh
 
Tutorial on setting up SELinux / X Server

On 12/04/2009 05:51 PM, Eamon Walsh wrote:
> On 12/04/2009 10:59 AM, Tyler Durvik wrote:
>> I turned on the boolean:
>>
>> setsebool -P xserver_object_manager on
>>
>> and now I get the following in my Xorg.0.log file:
>>
>> SELinux: Invalid object class mapping, disabling SELinux support.
>>
>> Should I try the latest policy from oss.tresys.com? Would the
>> upstream reference policy fix this error?
>>
>> Thanks,
>> Mark
>>
>>
>
> OK, that error is because the x_pointer and x_keyboard object classes
> haven't made it into F-12 policy yet.
>
> You could try the upstream policy. I'd recommend sticking with the
> Fedora policy though, because I'm getting AVC's from upstream (at least
> on rawhide) and upstream is not tuned for Fedora. If you do compile
> from upstream make sure to set the "init_upstart" boolean to true or
> everything gets out of whack at boot time.
>
> If you're willing to rebuild the F-12 policy, you can add the attached
> patch which will fix the error above and allow the SELinux extension to
> run. As soon as I can get the rest of the new X policy ported I'll send
> it to Dan.
>
Latest XServer policy will be in selinux-policy-3.7.4-7.fc13.noarch

 
