* X windows with i810 chip
From: Justin Smith @ 2001-12-02 15:51 UTC (permalink / raw)
To: selinux
X windows presents special problems with this (unfortunately common)
graphics chip. Even with all of the standard allow declarations for X
windows (and a few extras), I get the following:
avc: denied { read } for pid=1215 exe=/usr/X11R6/bin/XFree86
path=/dev/mem dev=03:01 ino=25224
scontext=jsmith:user_r:user_t
tcontext=system_u:object_r:memory_device_t
tclass=chr_file
avc: denied { read write } for pid=1215 exe=/usr/X11R6/bin/XFree86
path=/dev/mem dev=03:01 ino=25224
scontext=jsmith:user_r:user_t
tcontext=system_u:object_r:memory_device_t
tclass=chr_file
Linux agpgart interface v0.99 (c) Jeff Hartmann
agpgart: Maximum main memory to use for agp memory: 261M
agpgart: Detected an Intel i810 E Chipset.
agpgart: detected 4MB dedicated video ram.
agpgart: AGP aperture is 64M @ 0xf8000000
avc: denied { read write } for pid=1215 exe=/usr/X11R6/bin/XFree86
path=/dev/mem dev=03:01 ino=25224
scontext=jsmith:user_r:user_t
tcontext=system_u:object_r:memory_device_t
tclass=chr_file
I have been unable to enable this access (perhaps there's a 'neverallow'
coded for it). Any suggestions would be appreciated! (I really need X
windows --- to the extent that I would have to discontinue using SELinux
if it prohibits it).
Is there a way to allow memory access for a RESTRICTED range of
addresses (if so, a hacker would at most be able to display pictures on
the screen)? (Maybe this would require assigning types to PARTS of a
device, ranges of bytes).
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: X windows with i810 chip
From: Russell Coker @ 2001-12-02 22:21 UTC (permalink / raw)
To: Justin Smith, selinux
On Sun, 2 Dec 2001 16:51, Justin Smith wrote:
> avc: denied { read write } for pid=1215 exe=/usr/X11R6/bin/XFree86
> path=/dev/mem dev=03:01 ino=25224
> scontext=jsmith:user_r:user_t
> tcontext=system_u:object_r:memory_device_t
> tclass=chr_file
>
>
>
> I have been unable to enable this access (perhaps there's a 'neverallow'
> coded for it). Any suggestions would be appreciated! (I really need X
> windows --- to the extent that I would have to discontinue using SELinux
> if it prohibits it).
>
> Is there a way to allow memory access for a RESTRICTED range of
> addresses (if so, a hacker would at most be able to display pictures on
> the screen)? (Maybe this would require assigning types to PARTS of a
> device, ranges of bytes).
The idea of changing ACLs whenever a hardware device changes its settings
(can potentially change at reboot, in future with hot-swap PCI it could
change at run time) is unappealing.
Why not use VESA frame buffer and then run the FBDEV X server? Setting the
ACL to allow read/write access to /dev/fb/* is pretty safe.
--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
* Re: X windows with i810 chip
From: Stephen Smalley @ 2001-12-03 15:13 UTC (permalink / raw)
To: Justin Smith; +Cc: selinux
On 2 Dec 2001, Justin Smith wrote:
> X windows presents special problems with this (unfortunately common)
> graphics chip. Even with all of the standard allows declarations for X
> windows (and a few extras), I get the following:
I don't think that this has anything to do with the graphics chip.
> avc: denied { read } for pid=1215 exe=/usr/X11R6/bin/XFree86
> path=/dev/mem dev=03:01 ino=25224
> scontext=jsmith:user_r:user_t
> tcontext=system_u:object_r:memory_device_t
> tclass=chr_file
The X server should be running in the user_xserver_t domain, which has the
necessary permissions to /dev/mem. On my systems, the X server is run
indirectly through /usr/X11R6/bin/Xwrapper, which is labeled with the
xserver_exec_t type. This type causes a domain transition from user_t
to user_xserver_t. So I don't know why your X server is running in the
wrong domain.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: X windows with i810 chip
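As an added illustration of the diagnosis above (this is not code from the thread), the following Python re-joins the wrapped AVC denials exactly as they were pasted, skips the interleaved agpgart lines, and flags that /usr/X11R6/bin/XFree86 ran in user_t instead of the expected user_xserver_t. The sample log and the expected-domain table are assumptions built from this thread.

```python
import re
# Constructed sample: the AVC denials quoted in this thread, wrapped as pasted, with an agpgart line interleaved.
SAMPLE_LOG = """\
avc: denied { read } for pid=1215 exe=/usr/X11R6/bin/XFree86
path=/dev/mem dev=03:01 ino=25224
scontext=jsmith:user_r:user_t
tcontext=system_u:object_r:memory_device_t
tclass=chr_file
agpgart: Detected an Intel i810 E Chipset.
avc: denied { read write } for pid=1215 exe=/usr/X11R6/bin/XFree86
path=/dev/mem dev=03:01 ino=25224 scontext=jsmith:user_r:user_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
"""
# Assumed from the thread: the X server should run in user_xserver_t (entered via xserver_exec_t).
EXPECTED_DOMAIN = {"/usr/X11R6/bin/XFree86": "user_xserver_t",
                   "/usr/X11R6/bin/Xwrapper": "user_xserver_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def join_wrapped(text):
    """Re-join AVC records split over several lines; any other line ends the record."""
    records, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("avc:"):
            records.append(line)
            current = len(records) - 1
        elif current is not None and FIELD_RE.match(line):  # continuation: "path=... ino=..."
            records[current] += " " + line
        else:                                                # e.g. agpgart noise
            current = None
    return records

def parse_avc(record):
    """Parse one joined 'avc: denied ...' record into a dict, or None if it is not one."""
    m = AVC_RE.match(record)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = rec.get("scontext", "").split(":")[-1]  # user:role:type -> type
    return rec

def diagnose_log(text):
    """Mark each denial whose exe ran in a domain other than the one it should be in."""
    findings = []
    for rec in filter(None, map(parse_avc, join_wrapped(text))):
        want = EXPECTED_DOMAIN.get(rec.get("exe"))
        rec["wrong_domain"] = want is not None and rec["source_type"] != want
        findings.append(rec)
    return findings
```

A denial with wrong_domain set points at the labeling of the executed binary (here the missing xserver_exec_t), whereas one in the right domain points at a genuine policy gap.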
From: Justin Smith @ 2001-12-03 20:05 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Mon, 2001-12-03 at 10:13, Stephen Smalley wrote:
>
> indirectly through /usr/X11R6/bin/Xwrapper, which is labeled with the
> xserver_exec_t type. This type causes a domain transition from user_t
> to user_xserver_t. So I don't know why your X server is running in the
> wrong domain.
>
Yes, I saw the reason for this problem. The file_contexts listing
only assigns xserver_t to /usr/X11R6/bin/Xwrapper when many systems name
the X server X or XFree86 (mine does the latter). I assigned the
xserver_t type to both of these files and it solved the problem.
I am now able to run X windows and even gdm, although gdm has some
strange problems. When running under it, the newrole command gets the
error message: 'unable to find user in passwd'. I do not get this
message when running under ordinary X windows.
Another anomaly: in Redhat 7.1, /dev/hdc can be a hard drive OR a cdrom
(!). The gnome desktop wouldn't start initially because the system
thought it was trying to access a fixed disk.
In addition, MAKEDEV should be assigned a type that is some sort of
system script rather than a device_t.
Thanks very much for your comments. I'll create a domain for postgres.
* Re: X windows with i810 chip
From: Stephen Smalley @ 2001-12-03 20:18 UTC (permalink / raw)
To: Justin Smith; +Cc: selinux
On 3 Dec 2001, Justin Smith wrote:
> I am now able to run X windows and even gdm, although gdm has some
> strange problems. When running under it, the newrole command gets the
> error message: 'unable to find user in passwd'. I do not get this
> message when running under ordinary X windows.
You should not use the unmodified gdm program, since it does not set the
security context for the user session. If you want to use gdm, you'll
need the modified gdm program created by Mark Westerman. He has a patch
for gdm that allows the user to select a security context from a menu and
that sets the security context appropriately. I think that he has made it
available on his sourceforge selinux project site, although I'm not sure
if an up-to-date copy is available there at the moment.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: X windows with i810 chip
From: Stephen Smalley @ 2001-12-03 20:22 UTC (permalink / raw)
To: Justin Smith; +Cc: selinux
On 3 Dec 2001, Justin Smith wrote:
> Yes, I saw the reason for this problem. The file_contexts listing
> only assigns xserver_t to /usr/X11R6/bin/Xwrapper when many systems name
> the X server X or XFree86 (mine does the latter). I assigned the
> xserver_t type to both of these files and it solved the problem.
On my RH7.1 systems, the real X server is in /usr/X11R6/bin/XFree86, but
it must be executed via a setuid wrapper program, /usr/X11R6/bin/Xwrapper.
Hence, we put the xserver_exec_t type on the wrapper program rather than
the server. /usr/X11R6/bin/X is a symbolic link to Xwrapper.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com