* SELinux: avc_has_perm: unexpected error 22
From: Justin P. Mattock @ 2011-03-21 16:52 UTC
To: refpolicy, selinux

this is showing up with the latest Mainline kernel.
gdm craps out..:

[ 60.817] (II) Unloading synaptics
[ 60.822] SELinux: avc_has_perm: unexpected error 22
[ 60.822] SELinux: avc_has_perm: unexpected error 22
[ 60.828] SELinux: avc_has_perm: unexpected error 22
[ 60.831] SELinux: avc_has_perm: unexpected error 22
[ 60.871] SELinux: avc_has_perm: unexpected error 22
[ 60.871] SELinux: avc_has_perm: unexpected error 22
[ 60.881] (II) UnloadModule: "mouse"
[ 60.881] (II) Unloading mouse


full xorg.0.log is here:
http://fpaste.org/OOM2/

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: SELinux: avc_has_perm: unexpected error 22
From: Justin P. Mattock @ 2011-03-23 18:07 UTC
To: refpolicy, selinux, xorg

On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> this is showing up with the latest Mainline kernel.
> gdm craps out..:
>
> [ 60.817] (II) Unloading synaptics
> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> [ 60.881] (II) UnloadModule: "mouse"
> [ 60.881] (II) Unloading mouse
>
>
> full xorg.0.log is here:
> http://fpaste.org/OOM2/
>
> Justin P. Mattock

seems doing a bisect right now during the merge window is breaking,
anyways looking through the commits I think this:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab

might be what I am hitting, causing gdm to die out, as it starts.

any ideas?

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
From: Justin P. Mattock @ 2011-03-24 2:30 UTC
To: refpolicy, selinux, xorg

On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>> this is showing up with the latest Mainline kernel.
>> gdm craps out..:
>>
>> [ 60.817] (II) Unloading synaptics
>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>> [ 60.881] (II) UnloadModule: "mouse"
>> [ 60.881] (II) Unloading mouse
>>
>>
>> full xorg.0.log is here:
>> http://fpaste.org/OOM2/
>>
>> Justin P. Mattock
>
> seems doing a bisect right now during the merge window is breaking,
> anyways looking through the commits I think this:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>
>
> might be what I am hitting, causing gdm to die out, as it starts.
>
> any ideas?
>
> Justin P. Mattock

not sure if anybody is seeing this or hitting this with the current,
but reverting the above commit does not fix the problem.
will try another bisect(hopefully)

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
From: Stephen Smalley @ 2011-03-24 13:58 UTC
To: Justin P. Mattock
Cc: refpolicy, selinux

On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> > On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >> this is showing up with the latest Mainline kernel.
> >> gdm craps out..:
> >>
> >> [ 60.817] (II) Unloading synaptics
> >> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.881] (II) UnloadModule: "mouse"
> >> [ 60.881] (II) Unloading mouse
> >>
> >>
> >> full xorg.0.log is here:
> >> http://fpaste.org/OOM2/
> >>
> >> Justin P. Mattock
> >
> > seems doing a bisect right now during the merge window is breaking,
> > anyways looking through the commits I think this:
> >
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >
> >
> > might be what I am hitting, causing gdm to die out, as it starts.
> >
> > any ideas?
> >
> > Justin P. Mattock
>
> not sure if anybody is seeing this or hitting this with the current,
> but reverting the above commit does not fix the problem.
> will try another bisect(hopefully)

Are you sure it is a kernel issue? Seems more likely that it would be a
policy problem. What AVC denials are you getting?

--
Stephen Smalley
National Security Agency

* Re: SELinux: avc_has_perm: unexpected error 22
From: Justin P. Mattock @ 2011-03-24 16:26 UTC
To: Stephen Smalley
Cc: refpolicy, selinux

On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>> this is showing up with the latest Mainline kernel.
>>>> gdm craps out..:
>>>>
>>>> [ 60.817] (II) Unloading synaptics
>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>> [ 60.881] (II) Unloading mouse
>>>>
>>>>
>>>> full xorg.0.log is here:
>>>> http://fpaste.org/OOM2/
>>>>
>>>> Justin P. Mattock
>>>
>>> seems doing a bisect right now during the merge window is breaking,
>>> anyways looking through the commits I think this:
>>>
>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>
>>>
>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>
>>> any ideas?
>>>
>>> Justin P. Mattock
>>
>> not sure if anybody is seeing this or hitting this with the current,
>> but reverting the above commit does not fix the problem.
>> will try another bisect(hopefully)
>
> Are you sure it is a kernel issue? Seems more likely that it would be a
> policy problem. What AVC denials are you getting?
>


strange.. was not even thinking of the avc's because the policy has
already been customized and has been working for a while now without
adding any rules.

Anyways you're right, seems the labels get changed or something with this
kernel or something:
http://fpaste.org/w4nK/

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
From: Stephen Smalley @ 2011-03-24 20:13 UTC
To: Justin P. Mattock
Cc: selinux, Eric Paris, Harry Ciao

On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> > On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> >> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> >>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >>>> this is showing up with the latest Mainline kernel.
> >>>> gdm craps out..:
> >>>>
> >>>> [ 60.817] (II) Unloading synaptics
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.881] (II) UnloadModule: "mouse"
> >>>> [ 60.881] (II) Unloading mouse
> >>>>
> >>>>
> >>>> full xorg.0.log is here:
> >>>> http://fpaste.org/OOM2/
> >>>>
> >>>> Justin P. Mattock
> >>>
> >>> seems doing a bisect right now during the merge window is breaking,
> >>> anyways looking through the commits I think this:
> >>>
> >>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >>>
> >>>
> >>> might be what I am hitting, causing gdm to die out, as it starts.
> >>>
> >>> any ideas?
> >>>
> >>> Justin P. Mattock
> >>
> >> not sure if anybody is seeing this or hitting this with the current,
> >> but reverting the above commit does not fix the problem.
> >> will try another bisect(hopefully)
> >
> > Are you sure it is a kernel issue? Seems more likely that it would be a
> > policy problem. What AVC denials are you getting?
> >
>
>
> strange.. was not even thinking of the avc's because the policy has
> already been customized and has been working for a while now without
> adding any rules.
>
> Anyways you're right, seems the labels get changed or something with this
> kernel or something:
> http://fpaste.org/w4nK/

audit(1300983537.941:34): security_compute_sid: invalid context
system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable

This looks like it might be a kernel regression after all.
security_compute_sid should return object_r for tclass x_drawable, not
system_r. Likely due to the recent changes there to support socket type
transitions. Not sure exactly what is going wrong, as it should only
happen on the socket classes.

--
Stephen Smalley
National Security Agency

* Re: SELinux: avc_has_perm: unexpected error 22
From: Justin P. Mattock @ 2011-03-24 20:22 UTC
To: Stephen Smalley
Cc: selinux, Eric Paris, Harry Ciao

On 03/24/2011 01:13 PM, Stephen Smalley wrote:
> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>> this is showing up with the latest Mainline kernel.
>>>>>> gdm craps out..:
>>>>>>
>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>
>>>>>>
>>>>>> full xorg.0.log is here:
>>>>>> http://fpaste.org/OOM2/
>>>>>>
>>>>>> Justin P. Mattock
>>>>>
>>>>> seems doing a bisect right now during the merge window is breaking,
>>>>> anyways looking through the commits I think this:
>>>>>
>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>
>>>>>
>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>
>>>>> any ideas?
>>>>>
>>>>> Justin P. Mattock
>>>>
>>>> not sure if anybody is seeing this or hitting this with the current,
>>>> but reverting the above commit does not fix the problem.
>>>> will try another bisect(hopefully)
>>>
>>> Are you sure it is a kernel issue? Seems more likely that it would be a
>>> policy problem. What AVC denials are you getting?
>>>
>>
>>
>> strange.. was not even thinking of the avc's because the policy has
>> already been customized and has been working for a while now without
>> adding any rules.
>>
>> Anyways you're right, seems the labels get changed or something with this
>> kernel or something:
>> http://fpaste.org/w4nK/
>
> audit(1300983537.941:34): security_compute_sid: invalid context
> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>
> This looks like it might be a kernel regression after all.
> security_compute_sid should return object_r for tclass x_drawable, not
> system_r. Likely due to the recent changes there to support socket type
> transitions. Not sure exactly what is going wrong, as it should only
> happen on the socket classes.
>

alright!!

as for good kernel:
2.6.38-00071-g5a69473
is the last good one I have, so bisecting won't be too much but if I hit
the breakage like last time it might slow things down and/or ruin the
bisect.

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
From: Stephen Smalley @ 2011-03-24 20:24 UTC
To: Justin P. Mattock
Cc: selinux, Eric Paris, Harry Ciao

On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
> > On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
> >> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> >>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> >>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> >>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >>>>>> this is showing up with the latest Mainline kernel.
> >>>>>> gdm craps out..:
> >>>>>>
> >>>>>> [ 60.817] (II) Unloading synaptics
> >>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.881] (II) UnloadModule: "mouse"
> >>>>>> [ 60.881] (II) Unloading mouse
> >>>>>>
> >>>>>>
> >>>>>> full xorg.0.log is here:
> >>>>>> http://fpaste.org/OOM2/
> >>>>>>
> >>>>>> Justin P. Mattock
> >>>>>
> >>>>> seems doing a bisect right now during the merge window is breaking,
> >>>>> anyways looking through the commits I think this:
> >>>>>
> >>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >>>>>
> >>>>>
> >>>>> might be what I am hitting, causing gdm to die out, as it starts.
> >>>>>
> >>>>> any ideas?
> >>>>>
> >>>>> Justin P. Mattock
> >>>>
> >>>> not sure if anybody is seeing this or hitting this with the current,
> >>>> but reverting the above commit does not fix the problem.
> >>>> will try another bisect(hopefully)
> >>>
> >>> Are you sure it is a kernel issue? Seems more likely that it would be a
> >>> policy problem. What AVC denials are you getting?
> >>>
> >>
> >>
> >> strange.. was not even thinking of the avc's because the policy has
> >> already been customized and has been working for a while now without
> >> adding any rules.
> >>
> >> Anyways you're right, seems the labels get changed or something with this
> >> kernel or something:
> >> http://fpaste.org/w4nK/
> >
> > audit(1300983537.941:34): security_compute_sid: invalid context
> > system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
> > scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
> >
> > This looks like it might be a kernel regression after all.
> > security_compute_sid should return object_r for tclass x_drawable, not
> > system_r. Likely due to the recent changes there to support socket type
> > transitions. Not sure exactly what is going wrong, as it should only
> > happen on the socket classes.
> >
>
> alright!!
>
> as for good kernel:
> 2.6.38-00071-g5a69473
> is the last good one I have, so bisecting won't be too much but if I hit
> the breakage like last time it might slow things down and/or ruin the
> bisect.

If it is what I think it is, then the breakage would be commit
6f5317e730505d5cbc851c435a2dfe3d5a21d343

--
Stephen Smalley
National Security Agency

* Re: SELinux: avc_has_perm: unexpected error 22
From: Justin P. Mattock @ 2011-03-24 20:43 UTC
To: Stephen Smalley
Cc: selinux, Eric Paris, Harry Ciao

On 03/24/2011 01:24 PM, Stephen Smalley wrote:
> On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
>> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
>>> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>>>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>>>> this is showing up with the latest Mainline kernel.
>>>>>>>> gdm craps out..:
>>>>>>>>
>>>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>>>
>>>>>>>>
>>>>>>>> full xorg.0.log is here:
>>>>>>>> http://fpaste.org/OOM2/
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>> seems doing a bisect right now during the merge window is breaking,
>>>>>>> anyways looking through the commits I think this:
>>>>>>>
>>>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>>>
>>>>>>>
>>>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>>>
>>>>>>> any ideas?
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>>
>>>>>> not sure if anybody is seeing this or hitting this with the current,
>>>>>> but reverting the above commit does not fix the problem.
>>>>>> will try another bisect(hopefully)
>>>>>
>>>>> Are you sure it is a kernel issue? Seems more likely that it would be a
>>>>> policy problem. What AVC denials are you getting?
>>>>>
>>>>
>>>>
>>>> strange.. was not even thinking of the avc's because the policy has
>>>> already been customized and has been working for a while now without
>>>> adding any rules.
>>>>
>>>> Anyways you're right, seems the labels get changed or something with this
>>>> kernel or something:
>>>> http://fpaste.org/w4nK/
>>>
>>> audit(1300983537.941:34): security_compute_sid: invalid context
>>> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
>>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>>>
>>> This looks like it might be a kernel regression after all.
>>> security_compute_sid should return object_r for tclass x_drawable, not
>>> system_r. Likely due to the recent changes there to support socket type
>>> transitions. Not sure exactly what is going wrong, as it should only
>>> happen on the socket classes.
>>>
>>
>> alright!!
>>
>> as for good kernel:
>> 2.6.38-00071-g5a69473
>> is the last good one I have, so bisecting won't be too much but if I hit
>> the breakage like last time it might slow things down and/or ruin the
>> bisect.
>
> If it is what I think it is, then the breakage would be commit
> 6f5317e730505d5cbc851c435a2dfe3d5a21d343
>

yep!

reverting that commit gets gdm to not crap out.
full dmesg here:
http://fpaste.org/34DC/

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
From: Harry Ciao @ 2011-03-25 3:18 UTC
To: Justin P. Mattock; +Cc: Stephen Smalley, selinux, Eric Paris

Hi Justin,

Justin P. Mattock wrote:
> On 03/24/2011 01:24 PM, Stephen Smalley wrote:
>> On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
>>> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
>>>> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>>>>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>>>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>>>>> this is showing up with the latest Mainline kernel.
>>>>>>>>> gdm craps out..:
>>>>>>>>>
>>>>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> full xorg.0.log is here:
>>>>>>>>> http://fpaste.org/OOM2/
>>>>>>>>>
>>>>>>>>> Justin P. Mattock
>>>>>>>>
>>>>>>>> seems doing a bisect right now during the merge window is breaking,
>>>>>>>> anyways looking through the commits I think this:
>>>>>>>>
>>>>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>>>>
>>>>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>>>>
>>>>>>>> any ideas?
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>> not sure if anybody is seeing this or hitting this with the current,
>>>>>>> but reverting the above commit does not fix the problem.
>>>>>>> will try another bisect(hopefully)
>>>>>>
>>>>>> Are you sure it is a kernel issue? Seems more likely that it would be a
>>>>>> policy problem. What AVC denials are you getting?
>>>>>>
>>>>>
>>>>>
>>>>> strange.. was not even thinking of the avc's because the policy has
>>>>> already been customized and has been working for a while now without
>>>>> adding any rules.
>>>>>
>>>>> Anyways you're right, seems the labels get changed or something with this
>>>>> kernel or something:
>>>>> http://fpaste.org/w4nK/
>>>>
>>>> audit(1300983537.941:34): security_compute_sid: invalid context
>>>> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
>>>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>>>>
>>>> This looks like it might be a kernel regression after all.
>>>> security_compute_sid should return object_r for tclass x_drawable, not
>>>> system_r. Likely due to the recent changes there to support socket type
>>>> transitions. Not sure exactly what is going wrong, as it should only
>>>> happen on the socket classes.
>>>>
>>>
>>> alright!!
>>>
>>> as for good kernel:
>>> 2.6.38-00071-g5a69473
>>> is the last good one I have, so bisecting won't be too much but if I hit
>>> the breakage like last time it might slow things down and/or ruin the
>>> bisect.
>>
>> If it is what I think it is, then the breakage would be commit
>> 6f5317e730505d5cbc851c435a2dfe3d5a21d343
>>
>
> yep!
>
> reverting that commit gets gdm to not crap out.
> full dmesg here:
> http://fpaste.org/34DC/
>
> Justin P. Mattock
>

So far I have not got an environment like yours to reproduce this problem.
Could you please kindly print the orig_class and the sock boolean in
your case? It's weird since so far only the process and socket classes
could retain the creator's role, objects of any other class should have
"object_r" as usual.

Many thanks for your help!

Best regards,
Harry
* Re: SELinux: avc_has_perm: unexpected error 22
From: Stephen Smalley @ 2011-03-25 12:26 UTC
To: qingtao.cao; +Cc: Justin P. Mattock, selinux, Eric Paris

On Fri, 2011-03-25 at 11:18 +0800, Harry Ciao wrote:
> So far I have not got an environment like yours to reproduce this problem.
> Could you please kindly print the orig_class and the sock boolean in
> your case? It's weird since so far only the process and socket classes
> could retain the creator's role, objects of any other class should have
> "object_r" as usual.
>
> Many thanks for your help!

You can exercise the code without using XACE/XSELinux by running the
compute_create program from libselinux/utils, e.g.
$ compute_create `id -Z` `id -Z` x_drawable

I think the bug lies in map_class() handling of the case where the
userspace object class has no corresponding kernel class, as would be
the case for the x_* classes. map_class() should likely return 0
(SECCLASS_NULL) in that case rather than pol_value and thereby ensure
that we won't match any legitimate kernel class value.

--
Stephen Smalley
National Security Agency
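The failure mode described in the message above, as an added example that is not part of the original thread and is not the kernel source: a simplified model of the class lookup showing how passing an unmapped policy value back unchanged can alias a kernel socket class and keep the creator's role. Only map_class and SECCLASS_NULL are names from the thread; the class numbers, the mapping table, is_socket_class and new_object_role are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECCLASS_NULL 0

/* Constructed kernel class indices (assumption, not the kernel's values). */
enum { K_PROCESS = 1, K_FILE, K_TCP_SOCKET, K_UDP_SOCKET, K_NCLASSES };

/* Constructed policy class values. x_drawable is known only to userspace
 * object managers, so it has no kernel index. Its value (3) happens to
 * equal K_TCP_SOCKET, which is the collision being modelled. */
enum { P_FILE = 1, P_PROCESS, P_X_DRAWABLE, P_TCP_SOCKET, P_UDP_SOCKET };

/* Kernel index -> policy value; slot 0 is unused. */
static const uint16_t mapping[K_NCLASSES] = {
    [K_PROCESS]    = P_PROCESS,
    [K_FILE]       = P_FILE,
    [K_TCP_SOCKET] = P_TCP_SOCKET,
    [K_UDP_SOCKET] = P_UDP_SOCKET,
};

/* Reverse lookup from policy value to kernel index. 'pre_fix' selects the
 * fall-through that the patch in this thread replaces. */
static uint16_t map_class(uint16_t pol_value, bool pre_fix)
{
    for (uint16_t i = 1; i < K_NCLASSES; i++)
        if (mapping[i] == pol_value)
            return i;
    return pre_fix ? pol_value : SECCLASS_NULL;
}

/* Hypothetical stand-in for the kernel's socket-class test. */
static bool is_socket_class(uint16_t kern_class)
{
    return kern_class == K_TCP_SOCKET || kern_class == K_UDP_SOCKET;
}

/* Role for a new object requested with a policy class value: only process
 * and socket classes keep the creator's role, everything else is object_r. */
static const char *new_object_role(uint16_t pol_class, const char *creator_role,
                                   bool pre_fix)
{
    bool sock = is_socket_class(map_class(pol_class, pre_fix));

    if (pol_class == P_PROCESS || sock)
        return creator_role;
    return "object_r";
}

int main(void)
{
    printf("x_drawable, pre-fix lookup:  %s\n",
           new_object_role(P_X_DRAWABLE, "system_r", true));
    printf("x_drawable, SECCLASS_NULL:   %s\n",
           new_object_role(P_X_DRAWABLE, "system_r", false));
    printf("tcp_socket, SECCLASS_NULL:   %s\n",
           new_object_role(P_TCP_SOCKET, "system_r", false));
    return 0;
}
```

With the pre-fix fall-through the x_drawable object inherits system_r, matching the role in the "invalid context" audit line quoted earlier in the thread.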
* Re: SELinux: avc_has_perm: unexpected error 22 2011-03-25 12:26 ` Stephen Smalley @ 2011-03-25 12:34 ` Stephen Smalley 2011-03-25 14:13 ` [PATCH] selinux: Fix regression for Xorg Stephen Smalley 0 siblings, 1 reply; 24+ messages in thread From: Stephen Smalley @ 2011-03-25 12:34 UTC (permalink / raw) To: qingtao.cao; +Cc: Justin P. Mattock, selinux, Eric Paris On Fri, 2011-03-25 at 08:26 -0400, Stephen Smalley wrote: > On Fri, 2011-03-25 at 11:18 +0800, Harry Ciao wrote: > > So far I have not got an environment as your to reproduce this problem. > > Could you please kindly print the orig_class and the sock boolean in > > your case? It's weird since so far only the process and socket classes > > could retain the creator's role, any other classes object should have > > "object_r" as usual. > > > > Many thanks for your help! > > You can exercise the code without using XACE/XSELinux by running the > compute_create program from libselinux/utils, e.g. > $ compute_create `id -Z` `id -Z` x_drawable > > I think the bug lies in map_class() handling of the case where the > userspace object class has no corresponding kernel class, as would be > the case for the x_* classes. map_class() should likely return 0 > (SECCLASS_NULL) in that case rather than pol_value and thereby ensure > that we won't match any legitimate kernel class value. To test this theory, Justin, can you try this patch? diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 3e7544d..ea7c01f 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value) return i; } - return pol_value; + return SECCLASS_NULL; } static void map_decision(u16 tclass, struct av_decision *avd, -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply related [flat|nested] 24+ messages in thread
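Review bot: the fall-through "return SECCLASS_NULL;" at the end of map_class() carries no comment saying why an unmatched policy class must not be handed back unchanged. A one-line comment there (policy classes with no kernel mapping, such as the x_* userspace classes, map to SECCLASS_NULL so they can never equal a kernel class index) would keep a later cleanup from restoring "return pol_value;". It is also worth confirming that every caller of map_class() treats a zero result as "no kernel class" rather than using it as an index.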
* [PATCH] selinux: Fix regression for Xorg 2011-03-25 12:34 ` Stephen Smalley @ 2011-03-25 14:13 ` Stephen Smalley 2011-03-25 18:04 ` Justin P. Mattock 2011-03-26 3:03 ` Justin P. Mattock 0 siblings, 2 replies; 24+ messages in thread From: Stephen Smalley @ 2011-03-25 14:13 UTC (permalink / raw) To: Eric Paris, James Morris; +Cc: qingtao.cao, Justin P. Mattock, selinux Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the handling of userspace object classes that is causing breakage for Xorg when XSELinux is enabled. Fix the bug by changing map_class() to return SECCLASS_NULL when the class cannot be mapped to a kernel object class. Reported-by: "Justin P. Mattock" <justinmattock@gmail.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- security/selinux/ss/services.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 3e7544d..ea7c01f 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value) return i; } - return pol_value; + return SECCLASS_NULL; } static void map_decision(u16 tclass, struct av_decision *avd, -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply related [flat|nested] 24+ messages in thread
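Review bot: the changelog names commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 and the symptom (Xorg breakage with XSELinux) but not the mechanism or a way to verify the fix. Suggest adding a sentence on why returning pol_value from map_class() was wrong for classes with no kernel mapping, the audit line reported in the thread (security_compute_sid: invalid context ... tclass=x_drawable), and the compute_create check that confirms the returned context carries object_r.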
* Re: [PATCH] selinux: Fix regression for Xorg 2011-03-25 14:13 ` [PATCH] selinux: Fix regression for Xorg Stephen Smalley @ 2011-03-25 18:04 ` Justin P. Mattock 2011-03-26 3:03 ` Justin P. Mattock 1 sibling, 0 replies; 24+ messages in thread From: Justin P. Mattock @ 2011-03-25 18:04 UTC (permalink / raw) To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux alright!! patch applied to the current Mainline.. Yes this fixes the issue of gdm crapping out. full dmesg below: http://fpaste.org/Sgy7/ > Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the > handling of userspace object classes that is causing breakage for Xorg > when XSELinux is enabled. Fix the bug by changing map_class() to return > SECCLASS_NULL when the class cannot be mapped to a kernel object class. > > Reported-by: "Justin P. Mattock"<justinmattock@gmail.com> > Signed-off-by: Stephen Smalley<sds@tycho.nsa.gov> > > --- > > security/selinux/ss/services.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 3e7544d..ea7c01f 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value) > return i; > } > > - return pol_value; > + return SECCLASS_NULL; > } > > static void map_decision(u16 tclass, struct av_decision *avd, > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] selinux: Fix regression for Xorg 2011-03-25 14:13 ` [PATCH] selinux: Fix regression for Xorg Stephen Smalley 2011-03-25 18:04 ` Justin P. Mattock @ 2011-03-26 3:03 ` Justin P. Mattock 2011-03-28 12:42 ` Stephen Smalley 1 sibling, 1 reply; 24+ messages in thread From: Justin P. Mattock @ 2011-03-26 3:03 UTC (permalink / raw) To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux not sure whats going on now.. but loading up the latest on my iMac with the below patch makes no difference I still hit the bug macbook pro works fine(maybe something with the different video drivers or something) full dmesg of my iMac here: http://fpaste.org/SNFC/ > Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the > handling of userspace object classes that is causing breakage for Xorg > when XSELinux is enabled. Fix the bug by changing map_class() to return > SECCLASS_NULL when the class cannot be mapped to a kernel object class. > > Reported-by: "Justin P. Mattock"<justinmattock@gmail.com> > Signed-off-by: Stephen Smalley<sds@tycho.nsa.gov> > > --- > > security/selinux/ss/services.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 3e7544d..ea7c01f 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value) > return i; > } > > - return pol_value; > + return SECCLASS_NULL; > } > > static void map_decision(u16 tclass, struct av_decision *avd, > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH] selinux: Fix regression for Xorg
From: Stephen Smalley @ 2011-03-28 12:42 UTC
To: Justin P. Mattock; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
> not sure what's going on now.. but loading up the latest on my iMac with
> the below patch makes no difference I still hit the bug macbook pro
> works fine(maybe something with the different video drivers or something)
>
> full dmesg of my iMac here:
> http://fpaste.org/SNFC/

Hi Justin,

I did before and after testing using the compute_create utility from
libselinux/utils, and it showed that the kernel returned the wrong
context prior to the patch and the right context afterward. I'm
guessing you aren't booting the right kernel or didn't apply the patch
correctly.

You can run:
compute_create `id -Z` `id -Z` x_drawable
and see whether the returned context has object_r or not.

--
Stephen Smalley
National Security Agency
* Re: [PATCH] selinux: Fix regression for Xorg
From: Stephen Smalley @ 2011-03-28 14:24 UTC
To: Justin P. Mattock; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On Mon, 2011-03-28 at 08:42 -0400, Stephen Smalley wrote:
> On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
> > not sure what's going on now.. but loading up the latest on my iMac with
> > the below patch makes no difference I still hit the bug macbook pro
> > works fine(maybe something with the different video drivers or something)
> >
> > full dmesg of my iMac here:
> > http://fpaste.org/SNFC/
>
> Hi Justin,
>
> I did before and after testing using the compute_create utility from
> libselinux/utils, and it showed that the kernel returned the wrong
> context prior to the patch and the right context afterward. I'm
> guessing you aren't booting the right kernel or didn't apply the patch
> correctly.
>
> You can run:
> compute_create `id -Z` `id -Z` x_drawable
> and see whether the returned context has object_r or not.

Also, I tested before and after the patch with Xorg, and confirmed that
the compute_sid errors vanished when using a kernel with the patch
applied.

--
Stephen Smalley
National Security Agency
* Re: [PATCH] selinux: Fix regression for Xorg
From: Justin P. Mattock @ 2011-03-28 16:20 UTC
To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On 03/28/2011 07:24 AM, Stephen Smalley wrote:
> On Mon, 2011-03-28 at 08:42 -0400, Stephen Smalley wrote:
>> On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
>>> not sure what's going on now.. but loading up the latest on my iMac with
>>> the below patch makes no difference I still hit the bug macbook pro
>>> works fine(maybe something with the different video drivers or something)
>>>
>>> full dmesg of my iMac here:
>>> http://fpaste.org/SNFC/
>>
>> Hi Justin,
>>
>> I did before and after testing using the compute_create utility from
>> libselinux/utils, and it showed that the kernel returned the wrong
>> context prior to the patch and the right context afterward. I'm
>> guessing you aren't booting the right kernel or didn't apply the patch
>> correctly.
>>
>> You can run:
>> compute_create `id -Z` `id -Z` x_drawable
>> and see whether the returned context has object_r or not.
>
> Also, I tested before and after the patch with Xorg, and confirmed that
> the compute_sid errors vanished when using a kernel with the patch
> applied.
>

I will retest that patch on that machine..(I was seeing crud with git)
other than that on the macbook patch works fine.

Justin P. Mattock
* Re: [PATCH] selinux: Fix regression for Xorg
From: Justin P. Mattock @ 2011-03-28 22:28 UTC
To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On 03/28/2011 07:24 AM, Stephen Smalley wrote:
> On Mon, 2011-03-28 at 08:42 -0400, Stephen Smalley wrote:
>> On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
>>> not sure what's going on now.. but loading up the latest on my iMac with
>>> the below patch makes no difference I still hit the bug macbook pro
>>> works fine(maybe something with the different video drivers or something)
>>>
>>> full dmesg of my iMac here:
>>> http://fpaste.org/SNFC/
>>
>> Hi Justin,
>>
>> I did before and after testing using the compute_create utility from
>> libselinux/utils, and it showed that the kernel returned the wrong
>> context prior to the patch and the right context afterward. I'm
>> guessing you aren't booting the right kernel or didn't apply the patch
>> correctly.
>>
>> You can run:
>> compute_create `id -Z` `id -Z` x_drawable
>> and see whether the returned context has object_r or not.
>
> Also, I tested before and after the patch with Xorg, and confirmed that
> the compute_sid errors vanished when using a kernel with the patch
> applied.
>

apologize for that.. ended up putting the *_NULL in the wrong
function(unmap).. after correcting that everything runs the way it should.

Thanks for the help on this!

Justin P. Mattock