After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
Booting up in permissive lets me log in.
Here are the borkages:

#============= mono_t ==============
allow mono_t xdm_xserver_t:x_device read;

#============= unconfined_execmem_t ==============
allow unconfined_execmem_t xdm_xserver_t:x_device read;

#============= unconfined_t ==============
allow unconfined_t mono_t:x_resource write;
allow unconfined_t unconfined_execmem_t:x_resource { write read };
allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
[root@localhost ~]#

I attach the complete log file.
Is this something to do with the new X keyboard confinement stuff?
tom
On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
> Booting up in permissive lets me log in.
> Here are the borkages:
>
> #============= mono_t ==============
> allow mono_t xdm_xserver_t:x_device read;
>
> #============= unconfined_execmem_t ==============
> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>
> #============= unconfined_t ==============
> allow unconfined_t mono_t:x_resource write;
> allow unconfined_t unconfined_execmem_t:x_resource { write read };
> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
> [root@localhost ~]#
>
> I attach the complete log file.
> Is this something to do with the new X keyboard confinement stuff?
> tom
> Tom London

Reverting to selinux-policy-3.3.1-4.fc9.noarch fixes.....
tom
Tom London wrote:
> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>> Booting up in permissive lets me log in.
>> Here are the borkages:
>>
>> #============= mono_t ==============
>> allow mono_t xdm_xserver_t:x_device read;
>>
>> #============= unconfined_execmem_t ==============
>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>
>> #============= unconfined_t ==============
>> allow unconfined_t mono_t:x_resource write;
>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>> [root@localhost ~]#
>>
>> I attach the complete log file.
>> Is this something to do with the new X keyboard confinement stuff?
>> tom
>> Tom London
>
> Reverting to selinux-policy-3.3.1-4.fc9.noarch fixes.....
> tom

Did you have the xserver_object_manager boolean turned on? This should only have affected those machines that were dumb^wadventuresome enough to turn this on.
On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
> Tom London wrote:
>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>> Booting up in permissive lets me log in.
>>> Here are the borkages:
>>>
>>> #============= mono_t ==============
>>> allow mono_t xdm_xserver_t:x_device read;
>>>
>>> #============= unconfined_execmem_t ==============
>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>
>>> #============= unconfined_t ==============
>>> allow unconfined_t mono_t:x_resource write;
>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>> [root@localhost ~]#
>>>
>>> I attach the complete log file.
>>> Is this something to do with the new X keyboard confinement stuff?
>>> tom
>>> Tom London
>>
>> Reverting to selinux-policy-3.3.1-4.fc9.noarch fixes.....
>> tom
>
> Did you have the xserver_object_manager boolean turned on? This should only have affected those machines that were dumb^wadventuresome enough to turn this on.

Nope:

[root@localhost ~]# getsebool -a | grep xserver
allow_xserver_execmem --> on
xserver_object_manager --> off
[root@localhost ~]#

compiz/glx? I get this in Xorg.0.log:

Backtrace:
0: /usr/bin/Xorg(xf86SigHandler+0x79) [0x80bc9a9]
1: [0x110400]
2: /usr/lib/xorg/modules/extensions//libglx.so(__glXDeassociateContext+0x19) [0x1d73b9]
3: /usr/lib/xorg/modules/extensions//libglx.so(__glXContextDestroy+0x23) [0x1d35b3]
4: /usr/lib/xorg/modules/extensions//libglx.so [0x20dfe8]
5: /usr/lib/xorg/modules/extensions//libglx.so(__glXFreeContext+0x89) [0x1d5c09]
6: /usr/lib/xorg/modules/extensions//libglx.so [0x1d5c57]
7: /usr/bin/Xorg(FreeClientResources+0xe6) [0x806d4e6]
8: /usr/bin/Xorg(CloseDownClient+0x1ec) [0x807f33c]
9: /usr/bin/Xorg(Dispatch+0x208) [0x8085588]
10: /usr/bin/Xorg(main+0x475) [0x806b1d5]
11: /lib/libc.so.6(__libc_start_main+0xe6) [0x444516]
12: /usr/bin/Xorg(FontFileCompleteXLFD+0x215) [0x806a5c1]

tom
Tom London wrote:
> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>> Tom London wrote:
>>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>>> Booting up in permissive lets me log in.
>>>> Here are the borkages:
>>>>
>>>> #============= mono_t ==============
>>>> allow mono_t xdm_xserver_t:x_device read;
>>>>
>>>> #============= unconfined_execmem_t ==============
>>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>>
>>>> #============= unconfined_t ==============
>>>> allow unconfined_t mono_t:x_resource write;
>>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>>> [root@localhost ~]#

The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.

The unlabeled AVC is the result of a mislabeled program?
On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
> Tom London wrote:
>> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>>> Tom London wrote:
>>>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>>>> Booting up in permissive lets me log in.
>>>>> Here are the borkages:
>>>>>
>>>>> #============= mono_t ==============
>>>>> allow mono_t xdm_xserver_t:x_device read;
>>>>>
>>>>> #============= unconfined_execmem_t ==============
>>>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>>>
>>>>> #============= unconfined_t ==============
>>>>> allow unconfined_t mono_t:x_resource write;
>>>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>>>> [root@localhost ~]#
>
> The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.
>
> The unlabeled AVC is the result of a mislabeled program?
>
> --
> Eamon Walsh ewalsh@tycho.nsa.gov
> National Security Agency

I've backed up policy to the previous version, and checking for unlabeled programs indicates nothing amiss.
No programs were relabeled on install of policy; something else I should check?
tom
On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
>> Tom London wrote:
>>> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>>>> Tom London wrote:
>>>>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>>>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>>>>> Booting up in permissive lets me log in.
>>>>>> Here are the borkages:
>>>>>>
>>>>>> #============= mono_t ==============
>>>>>> allow mono_t xdm_xserver_t:x_device read;
>>>>>>
>>>>>> #============= unconfined_execmem_t ==============
>>>>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>>>>
>>>>>> #============= unconfined_t ==============
>>>>>> allow unconfined_t mono_t:x_resource write;
>>>>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>>>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>>>>> [root@localhost ~]#
>>
>> The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.
>>
>> The unlabeled AVC is the result of a mislabeled program?
>>
>> --
>> Eamon Walsh ewalsh@tycho.nsa.gov
>> National Security Agency
>
> I've backed up policy to the previous version, and checking for unlabeled programs indicates nothing amiss.
> No programs were relabeled on install of policy; something else I should check?

grep 'invalidating context' /var/log/messages
On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
> On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
>> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
>>> Tom London wrote:
>>>> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>>>>> Tom London wrote:
>>>>>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>>>>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>>>>>> Booting up in permissive lets me log in.
>>>>>>> Here are the borkages:
>>>>>>>
>>>>>>> #============= mono_t ==============
>>>>>>> allow mono_t xdm_xserver_t:x_device read;
>>>>>>>
>>>>>>> #============= unconfined_execmem_t ==============
>>>>>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>>>>>
>>>>>>> #============= unconfined_t ==============
>>>>>>> allow unconfined_t mono_t:x_resource write;
>>>>>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>>>>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>>>>>> [root@localhost ~]#
>>>
>>> The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.
>>>
>>> The unlabeled AVC is the result of a mislabeled program?
>>>
>>> --
>>> Eamon Walsh ewalsh@tycho.nsa.gov
>>> National Security Agency
>>
>> I've backed up policy to the previous version, and checking for unlabeled programs indicates nothing amiss.
>> No programs were relabeled on install of policy; something else I should check?
>
> grep 'invalidating context' /var/log/messages
>
> --
> Stephen Smalley
> National Security Agency

[root@localhost ~]# grep 'invalidating context' /var/log/messages
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
Feb 28 07:46:11 localhost kernel: security: invalidating context system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
[root@localhost ~]#
On Thu, Feb 28, 2008 at 1:50 PM, Tom London selinux@gmail.com wrote:
> On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
>> On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
>>> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
>>>> Tom London wrote:
>>>>> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>>>>>> Tom London wrote:
>>>>>>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>>>>>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>>>>>>> Booting up in permissive lets me log in.
>>>>>>>> Here are the borkages:
>>>>>>>>
>>>>>>>> #============= mono_t ==============
>>>>>>>> allow mono_t xdm_xserver_t:x_device read;
>>>>>>>>
>>>>>>>> #============= unconfined_execmem_t ==============
>>>>>>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>>>>>>
>>>>>>>> #============= unconfined_t ==============
>>>>>>>> allow unconfined_t mono_t:x_resource write;
>>>>>>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>>>>>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>>>>>>> [root@localhost ~]#
>>>>
>>>> The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.
>>>>
>>>> The unlabeled AVC is the result of a mislabeled program?
>>>>
>>>> --
>>>> Eamon Walsh ewalsh@tycho.nsa.gov
>>>> National Security Agency
>>>
>>> I've backed up policy to the previous version, and checking for unlabeled programs indicates nothing amiss.
>>> No programs were relabeled on install of policy; something else I should check?
>>
>> grep 'invalidating context' /var/log/messages
>>
>> --
>> Stephen Smalley
>> National Security Agency
>
> [root@localhost ~]# grep 'invalidating context' /var/log/messages
> Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
> Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
> Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
> Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
> Feb 28 07:46:11 localhost kernel: security: invalidating context system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
> [root@localhost ~]#

Downloading the latest selinux-policy and xorg-x11-server packages from koji fixes this for me:

[root@localhost ~]# rpm -qa selinux* xorg-x11-server*
xorg-x11-server-utils-7.3-3.fc9.i386
selinux-policy-targeted-3.3.1-7.fc9.noarch
xorg-x11-server-common-1.4.99.1-0.26.20080227.fc9.i386
selinux-policy-devel-3.3.1-7.fc9.noarch
selinux-policy-3.3.1-7.fc9.noarch
xorg-x11-server-Xorg-1.4.99.1-0.26.20080227.fc9.i386
[root@localhost ~]#

"grep 'invalidating context' /var/log/messages" shows nothing.
Thanks for the quick work on this!
tom
Tom London wrote:
> On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
>> On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
>>> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
>>>> Tom London wrote:
>>>>> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>>>>>> Tom London wrote:
>>>>>>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>>>>>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>>>>>>> Booting up in permissive lets me log in.
>>>>>>>> Here are the borkages:
>>>>>>>>
>>>>>>>> #============= mono_t ==============
>>>>>>>> allow mono_t xdm_xserver_t:x_device read;
>>>>>>>>
>>>>>>>> #============= unconfined_execmem_t ==============
>>>>>>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>>>>>>
>>>>>>>> #============= unconfined_t ==============
>>>>>>>> allow unconfined_t mono_t:x_resource write;
>>>>>>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>>>>>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>>>>>>> [root@localhost ~]#
>>>>
>>>> The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.
>>>>
>>>> The unlabeled AVC is the result of a mislabeled program?
>>>>
>>>> --
>>>> Eamon Walsh ewalsh@tycho.nsa.gov
>>>> National Security Agency
>>>
>>> I've backed up policy to the previous version, and checking for unlabeled programs indicates nothing amiss.
>>> No programs were relabeled on install of policy; something else I should check?
>>
>> grep 'invalidating context' /var/log/messages
>>
>> --
>> Stephen Smalley
>> National Security Agency
>
> [root@localhost ~]# grep 'invalidating context' /var/log/messages
> Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0

Ok, I removed the transition from unconfined_t to samba_net_t and replaced it with samba_unconfined_net_t. But this removed the unconfined_r designation, causing this.

> Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
> Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
> Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0
> Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
> Feb 28 07:46:11 localhost kernel: security: invalidating context system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023

I have been working on switching apache scripts but not sure why this invalidated.

> [root@localhost ~]#
Tom London wrote:
> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
>> The unlabeled AVC is the result of a mislabeled program?
>>
>> --
>> Eamon Walsh ewalsh@tycho.nsa.gov
>> National Security Agency
>
> I've backed up policy to the previous version, and checking for unlabeled programs indicates nothing amiss.
> No programs were relabeled on install of policy; something else I should check?
> tom

I think I found the problem. The pixmaps created by XCompositeNameWindowPixmap were not being labeled.
I just pushed a fix upstream.
Tom London wrote:
> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>> Booting up in permissive lets me log in.
>> Here are the borkages:
>>
>> #============= mono_t ==============
>> allow mono_t xdm_xserver_t:x_device read;
>>
>> #============= unconfined_execmem_t ==============
>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>
>> #============= unconfined_t ==============
>> allow unconfined_t mono_t:x_resource write;
>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>> [root@localhost ~]#
>>
>> I attach the complete log file.
>> Is this something to do with the new X keyboard confinement stuff?
>> tom
>> Tom London
>
> Reverting to selinux-policy-3.3.1-4.fc9.noarch fixes.....
> tom

What does the unlabeled_t x_drawable avc look like?
On Thu, Feb 28, 2008 at 10:14 AM, Daniel J Walsh dwalsh@redhat.com wrote:
> Tom London wrote:
>> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>>> After applying today's selinux-policy* packages, gnome/gdm login fails: gdmgreeter runs, but X quickly dies after entering the password and you're back to the greeter.
>>> Booting up in permissive lets me log in.
>>> Here are the borkages:
>>>
>>> #============= mono_t ==============
>>> allow mono_t xdm_xserver_t:x_device read;
>>>
>>> #============= unconfined_execmem_t ==============
>>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>>
>>> #============= unconfined_t ==============
>>> allow unconfined_t mono_t:x_resource write;
>>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>>> [root@localhost ~]#
>>>
>>> I attach the complete log file.
>>> Is this something to do with the new X keyboard confinement stuff?
>>> tom
>>> Tom London
>>
>> Reverting to selinux-policy-3.3.1-4.fc9.noarch fixes.....
>> tom
>
> What does the unlabeled_t x_drawable avc look like?

I attached the log file with the AVCs in the original message:

type=USER_AVC msg=audit(1204212866.270:29): user pid=2907 uid=0 auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 msg='avc: denied null for request=GLX:MakeCurrent comm=compiz resid=b0 restype=WINDOW scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:x_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'

I am running compiz, and it sort of looked like DRM was failing in Xorg.0.log.
Could that be an issue?
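As an added example (not code from the thread or from any of the projects discussed in it), the following Python script parses the kind of USER_AVC record Tom posted above, plus the kernel "invalidating context" lines that Stephen asked him to grep for earlier in the thread, and sorts each record into the cases the thread distinguishes: a "null" permission (the bad security hook call Eamon describes, which no policy change can fix), an unlabeled_t target (an X object that was never labeled, as with the composite pixmaps), or an ordinary policy denial. The sample input is constructed: the first USER_AVC record and the two kernel lines are copied from the thread, while the second USER_AVC record (an X11:FreePixmap request against an unlabeled pixmap) is made up for illustration; all function names are mine.

```python
"""Triage of X-server (XSELinux object manager) USER_AVC records and kernel
'invalidating context' messages. Added example; not code from the thread."""
import re

# Constructed sample input. The first USER_AVC record and the kernel lines are
# copied from the thread; the second USER_AVC record is made up to show what a
# denial against an unlabeled_t drawable looks like.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1204212866.270:29): user pid=2907 uid=0 auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 msg='avc: denied null for request=GLX:MakeCurrent comm=compiz resid=b0 restype=WINDOW scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:x_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1204212870.100:30): user pid=2907 uid=0 auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 msg='avc: denied { destroy getattr } for request=X11:FreePixmap comm=compiz resid=1c00003 restype=PIXMAP scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
"""

# "denied null for ..." or "denied { perm perm } for ..."
AVC_RE = re.compile(r"avc:\s+denied\s+(?P<perms>\{[^}]*\}|\S+)\s+for\s+(?P<rest>.*)")
# key=value pairs; exe="..." is the only quoted value in these records
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INVALID_RE = re.compile(r"security: invalidating context (?P<ctx>\S+)")


def split_context(ctx):
    """Split user:role:type[:range] into a dict; the MLS range may be absent."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else ""}


def parse_user_avc(line):
    """Pull permissions, request name and both contexts out of one USER_AVC
    record. Returns None if the line is not an object-manager denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group("perms").strip("{} ").split(),
        "request": fields.get("request", ""),
        "comm": fields.get("comm", ""),
        "tclass": fields.get("tclass", ""),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }


def classify(avc):
    """Sort a denial into the three cases the thread distinguishes."""
    if avc["perms"] == ["null"]:
        # The server asked the object manager to check no permission at all:
        # a defective security hook call in the server, not a policy gap.
        return "null-permission"
    if avc["target"]["type"] == "unlabeled_t":
        # The X object was created without ever being labeled.
        return "unlabeled-target"
    return "policy-denial"


def triage(log_text):
    """Return (kind, subject, verdict) triples for every line of interest."""
    findings = []
    for line in log_text.splitlines():
        if "type=USER_AVC" in line:
            avc = parse_user_avc(line)
            if avc is not None:
                findings.append(("avc", avc["request"], classify(avc)))
            continue
        m = INVALID_RE.search(line)
        if m:
            # The newly loaded policy no longer accepts this role/type pairing
            # (in the thread: unconfined_r with samba_net_t), so the kernel
            # dropped the context when the policy was reloaded.
            ctx = split_context(m.group("ctx"))
            findings.append(("invalidated", ctx["role"] + ":" + ctx["type"],
                             "role/type no longer valid"))
    return findings


if __name__ == "__main__":
    for kind, subject, verdict in triage(SAMPLE_LOG):
        print("%-11s %-40s %s" % (kind, subject, verdict))
```

Run against a real system, `triage` would be fed the output of `ausearch -m USER_AVC` together with `grep 'invalidating context' /var/log/messages`; the point of separating the three verdicts is that only a "policy-denial" is a candidate for audit2allow, while the other two point at the X server or at a labeling bug and should be reported rather than papered over with a local module.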