can't start X window in enforce mode

can't start X window in enforce mode

[lky]

[-- Attachment #1: Type: text/plain, Size: 812 bytes --]

Hi, I have eliminated all the denied messages in permissive mode. But when I change to the enforce mode I can't start X window now.The error message is below:
-----------------------------------------------------------------------------------------
...............
(EE) NV(0): Cannot open /dev/mem
................
Fatal server error:
xf86MapVidMem: failed to open /dev/mem (Permission denied)
................
XIO:  fatal IO error 104 (Connection reset by peer) on X server ":0.0"
      after 0 requests (0 known processed) with 0 events remaining.
-----------------------------------------------------------------------------------------
Why the system didn't display the denied message if the opration violate the policy? How should I configure my policy in order to start the X window?
Thanks! 

[-- Attachment #2: Type: text/html, Size: 1564 bytes --]

Re: can't start X window in enforce mode

[Russell Coker]

On Mon, 13 Oct 2003 04:37, lky wrote:
>-------------- Why the system didn't display the denied message if the
> opration violate the policy? How should I configure my policy in order to
> start the X window? Thanks!

# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;

The above is the relevant section of policy in
macros/program/xserver_macros.te.  The X server tries to access /dev/mem even 
if it doesn't need to.  Change the dontaudit rule to an allow for 
rw_file_perms and it should work.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[lky]

On Monday, October 13, 2003 6:11 AM,Russell Coker wrote:

> # memory_device_t access is needed if not using the frame buffer
> dontaudit $1_xserver_t memory_device_t:chr_file read;
> 
> The above is the relevant section of policy in
> macros/program/xserver_macros.te.  The X server tries to access /dev/mem even 
> if it doesn't need to.  Change the dontaudit rule to an allow for 
> rw_file_perms and it should work.

Absolutely right! It really works,Thanks a lot!



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Michael Reilly]

I had both problems.  I added the dontaudit memory devices
as mentioned in the file macros/program/xserver_macros.te.

I have the second problem and have not yet solved it.  Nothing is logged
and I cannot figure out what is wrong.

BTW - on my system /dev/tty0 is the same file as dev/console (both 4,0).
The man page indicates that it should be this way.  I tried labeling
/dev/tty0 as console_device_t (like /dev/console) but that did not help.

michael
lky wrote:
> Hi, I have eliminated all the denied messages in permissive mode. But when I change to the enforce mode I can't start X window now.The error message is below:
> -----------------------------------------------------------------------------------------
> ...............
> (EE) NV(0): Cannot open /dev/mem
> ................
> Fatal server error:
> xf86MapVidMem: failed to open /dev/mem (Permission denied)
> ................
> XIO:  fatal IO error 104 (Connection reset by peer) on X server ":0.0"
>       after 0 requests (0 known processed) with 0 events remaining.
> -----------------------------------------------------------------------------------------
> Why the system didn't display the denied message if the opration violate the policy? How should I configure my policy in order to start the X window?
> Thanks! 

-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Russell Coker]

On Mon, 13 Oct 2003 09:15, Michael Reilly wrote:
> I had both problems.  I added the dontaudit memory devices
> as mentioned in the file macros/program/xserver_macros.te.
>
> I have the second problem and have not yet solved it.  Nothing is logged
> and I cannot figure out what is wrong.

Try doing
grep -v dontaudit policy.conf > new-policy
mv new-policy policy.conf

Then load the policy and see what happens.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Stephen Smalley]

On Mon, 2003-10-13 at 03:52, Russell Coker wrote:
> On Mon, 13 Oct 2003 09:15, Michael Reilly wrote:
> > I had both problems.  I added the dontaudit memory devices
> > as mentioned in the file macros/program/xserver_macros.te.
> >
> > I have the second problem and have not yet solved it.  Nothing is logged
> > and I cannot figure out what is wrong.
> 
> Try doing
> grep -v dontaudit policy.conf > new-policy
> mv new-policy policy.conf
> 
> Then load the policy and see what happens.

There should likely be a policy Makefile target to generate and load
a policy that does not suppress any auditing.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Michael Reilly]

I agree :-)


I did find the problem - the X server needed DAC_OVERRIDE.  This was logged
as soon as I removed the dontaudit's

michael
On 14 Oct 2003 11:00:47 -0400
Stephen Smalley <sds@epoch.ncsc.mil> wrote:

> On Mon, 2003-10-13 at 03:52, Russell Coker wrote:
> > On Mon, 13 Oct 2003 09:15, Michael Reilly wrote:
> > > I had both problems.  I added the dontaudit memory devices
> > > as mentioned in the file macros/program/xserver_macros.te.
> > >
> > > I have the second problem and have not yet solved it.  Nothing is
> > > logged and I cannot figure out what is wrong.
> > 
> > Try doing
> > grep -v dontaudit policy.conf > new-policy
> > mv new-policy policy.conf
> > 
> > Then load the policy and see what happens.
> 
> There should likely be a policy Makefile target to generate and load
> a policy that does not suppress any auditing.
> 
> -- 
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency


-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Russell Coker]

On Wed, 15 Oct 2003 05:02, Michael Reilly wrote:
> I did find the problem - the X server needed DAC_OVERRIDE.  This was logged
> as soon as I removed the dontaudit's

Why did it need DAC_OVERRIDE?

Why not DAC_READ_SEARCH?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Michael Reilly]

Didn't try DAC_READ_SEARCH yet (that is part of this evenings project)  The
dontaudit line was for DAC_OVERRIDE so I just commented out that line and
added DAC_OVERRIDE to the other capabilities.

michael
On Wed, 15 Oct 2003 10:18:09 +1000
Russell Coker <russell@coker.com.au> wrote:

> On Wed, 15 Oct 2003 05:02, Michael Reilly wrote:
> > I did find the problem - the X server needed DAC_OVERRIDE.  This was
> > logged as soon as I removed the dontaudit's
> 
> Why did it need DAC_OVERRIDE?
> 
> Why not DAC_READ_SEARCH?
> 
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page


-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Michael Reilly]

Tried last night with DAC_READ_SEARCH instead of DAC_OVERRIDE - X server no
go.  Same error about /dev/tty0 not being found.

If it matters I am running the VESA frame buffer X server.  The HW vendor
used an ATI video chip in a non-standard way to integrate a flat panel
display so the ATI server doesn't find the flat panel.

michael
On Wed, 15 Oct 2003 10:18:09 +1000
Russell Coker <russell@coker.com.au> wrote:

> On Wed, 15 Oct 2003 05:02, Michael Reilly wrote:
> > I did find the problem - the X server needed DAC_OVERRIDE.  This was
> > logged as soon as I removed the dontaudit's
> 
> Why did it need DAC_OVERRIDE?
> 
> Why not DAC_READ_SEARCH?
> 
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page


-- 
---- ---- ----
Michael Reilly    michaelr@cisco.com
    Cisco Systems, Santa Cruz, CA


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Russell Coker]

On Thu, 16 Oct 2003 11:43, Michael Reilly wrote:
> Tried last night with DAC_READ_SEARCH instead of DAC_OVERRIDE - X server no
> go.  Same error about /dev/tty0 not being found.
>
> If it matters I am running the VESA frame buffer X server.  The HW vendor
> used an ATI video chip in a non-standard way to integrate a flat panel
> display so the ATI server doesn't find the flat panel.

The VESA frame buffer should not be a problem, it's what I use.

There may be some issues related to the differences between Debian and Red Hat 
X servers, I have not yet managed to get X working on a Red Hat machine due 
to kernel issues and lack of trying.

In any case I've changed my policy to allow dac_override.  It doesn't make any 
sense to allow setuid and setgid but deny dac_override.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: can't start X window in enforce mode

[Kratzer, James R.]

I'm trying to get X-windows to start with enforce set to "1" without any
luck.  I have moved the xserver.te file from the domains/program/unused
directory to the domains/program directory.  I have changed the dontaudit
line to allow as described here in the email below.  Any help would be
appreciated.

-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Sunday, October 12, 2003 6:11 PM
To: lky; SELINUX
Subject: Re: can't start X window in enforce mode


On Mon, 13 Oct 2003 04:37, lky wrote:
>-------------- Why the system didn't display the denied message if the
> opration violate the policy? How should I configure my policy in order to
> start the X window? Thanks!

# memory_device_t access is needed if not using the frame buffer
dontaudit $1_xserver_t memory_device_t:chr_file read;

The above is the relevant section of policy in
macros/program/xserver_macros.te.  The X server tries to access /dev/mem
even 
if it doesn't need to.  Change the dontaudit rule to an allow for 
rw_file_perms and it should work.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: can't start X window in enforce mode

[Russell Coker]

On Fri, 17 Oct 2003 00:21, Kratzer, James R. wrote:
> I'm trying to get X-windows to start with enforce set to "1" without any
> luck.  I have moved the xserver.te file from the domains/program/unused
> directory to the domains/program directory.  I have changed the dontaudit
> line to allow as described here in the email below.  Any help would be
> appreciated.

We really can't help until you provide more information.

When you have the dontaudit rules removed, what avc messages are logged when 
you try to run the X server?

What messages does the X server log to syslog?

What messages does it display on the terminal?

How are you running the X server?  Do you type "startx" after logging in or do 
you use an XDM program?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.