From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Justin P. Mattock" <justinmattock@gmail.com>
Cc: selinux@tycho.nsa.gov, Eric Paris <eparis@parisplace.org>,
	Harry Ciao <qingtao.cao@windriver.com>
Subject: Re: SELinux: avc_has_perm: unexpected error 22
Date: Thu, 24 Mar 2011 16:13:57 -0400
Message-ID: <1300997637.8157.44.camel@moss-pluto>
In-Reply-To: <4D8B70C8.3000800@gmail.com>

On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> > On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> >> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> >>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >>>> this is showing up with the latest Mainline kernel.
> >>>> gdm craps out..:
> >>>>
> >>>> [ 60.817] (II) Unloading synaptics
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.881] (II) UnloadModule: "mouse"
> >>>> [ 60.881] (II) Unloading mouse
> >>>>
> >>>>
> >>>> full xorg.0.log is here:
> >>>> http://fpaste.org/OOM2/
> >>>>
> >>>> Justin P. Mattock
> >>>
> >>> seems doing a bisect right now during the merge window is breaking,
> >>> anyways looking through the commits I think this:
> >>>
> >>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >>>
> >>>
> >>> might be what I am hitting, causing gdm to die out, as it starts.
> >>>
> >>> any ideas?
> >>>
> >>> Justin P. Mattock
> >>
> >> not sure if anybody is seeing this or hitting this with the current,
> >> but reverting the above commit does not fix the problem.
> >> will try another bisect(hopefully)
> >
> > Are you sure it is a kernel issue?  Seems more likely that it would be a
> > policy problem.  What AVC denials are you getting?
> >
> 
> 
> strange.. was not even thinking of the avc's because the policy has 
> already been customized and has been working for a while now without 
> adding any rules.
> 
> Anyways you're right, seems the labels get changed or something with this 
> kernel or something:
> http://fpaste.org/w4nK/

audit(1300983537.941:34): security_compute_sid:  invalid context
system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable

This looks like it might be a kernel regression after all.
security_compute_sid should return object_r for tclass x_drawable, not
system_r.  Likely due to the recent changes there to support socket type
transitions.  Not sure exactly what is going wrong, as it should only
happen on the socket classes.

-- 
Stephen Smalley
National Security Agency
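
An added example, not part of the original message or of the kernel: a small triage script that parses `security_compute_sid: invalid context` audit records and flags those where a non-socket object class was given a role other than `object_r`, the symptom described above. The socket class list is a partial, assumed list, and `process` is treated as exempt on the assumption that process contexts legitimately carry a subject role.

```python
import re

# Record as quoted in the message above (line-wrapped by the mail client).
PAGE_RECORD = """audit(1300983537.941:34): security_compute_sid:  invalid context
system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
"""

# Constructed record (not from the thread): a socket class keeping the creator's role.
CONSTRUCTED_RECORD = """audit(0.000:1): security_compute_sid:  invalid context
system_u:system_r:example_sock_t:s0 for scontext=system_u:system_r:example_t:s0
tcontext=system_u:system_r:example_t:s0 tclass=tcp_socket
"""

# Assumption: partial list of socket classes, for illustration only.
SOCKET_CLASSES = {"socket", "tcp_socket", "udp_socket", "rawip_socket",
                  "unix_stream_socket", "unix_dgram_socket", "packet_socket"}

# \s+ between fields tolerates the line wrapping seen in mailed or pasted logs.
RECORD = re.compile(
    r"security_compute_sid:\s+invalid\s+context\s+(?P<new>\S+)\s+for\s+"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def role_of(context):
    """Return the role field of a user:role:type[:mls] context string."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % context)
    return fields[1]

def triage(log_text):
    """Return one finding per record; 'suspect' marks the symptom from the thread."""
    findings = []
    for m in RECORD.finditer(log_text):
        tclass = m["tclass"]
        role = role_of(m["new"])
        exempt = tclass == "process" or tclass in SOCKET_CLASSES
        findings.append({
            "tclass": tclass,
            "computed_role": role,
            "source_role": role_of(m["scon"]),
            "suspect": not exempt and role != "object_r",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(PAGE_RECORD + CONSTRUCTED_RECORD):
        print(finding)
```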


