* SE-X available
From: Eamon Walsh @ 2004-05-17 21:08 UTC
To: selinux

The Security-Enhanced Linux support for X lives in the XACE-SELINUX
branch of the X.org CVS tree, which is hosted at freedesktop.org.

To obtain the code via anonymous CVS, use:

$ cvs -d :pserver:anoncvs@cvs.freedesktop.org:/cvs/xorg login
CVS password: <hit return>
$ cvs -d :pserver:anoncvs@cvs.freedesktop.org:/cvs/xorg co -P -rXACE-SELINUX xc

You'll need the latest SELinux release which contains the new X security
classes, attributes, and supporting types.

When building the X server, make sure your config/cf/host.def includes
the following:

#define BuildXACE YES
#define BuildXSELinux YES
#define ExtraLibraries -lselinux

Note that there is no policy written yet, so nothing is allowed; you'll
need to be in permissive mode. The denied messages should appear in the
log file, /var/log/Xorg.0.log, and on the X server's stderr also I
believe. They don't start with the "avc: " pattern that audit2allow
uses, so that program will have to be modified to work.

The security architecture in the X server is more or less based on the
paper, "Securing the X Window System with SELinux" that is available in
our documentation section. There are some minor differences, notably
the property and xextension classes. I'll try to come up with
class/access vector descriptions similar to the ones that were posted
earlier.

--
Eamon Walsh <ewalsh@epoch.ncsc.mil>
Information Assurance Research
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SE-X available
From: Charles R Martin @ 2004-05-19 20:36 UTC
To: ewalsh; +Cc: selinux
By the way, this heading managed to put this into my junk mail
folder.... apparently 'SE-X available' looked like spam....
ewalsh@epoch.ncsc.mil wrote:
>The Security-Enhanced Linux support for X lives in the XACE-SELINUX
>branch of the X.org CVS tree, which is hosted at freedesktop.org.
>
>To obtain the code via anonymous CVS, use:
>
>$ cvs -d :pserver:anoncvs@cvs.freedesktop.org:/cvs/xorg login
>CVS password: <hit return>
>$ cvs -d :pserver:anoncvs@cvs.freedesktop.org:/cvs/xorg co -P -rXACE-SELINUX xc
>
>You'll need the latest SELinux release which contains the new X security
>classes, attributes, and supporting types.
>
>When building the X server, make sure your config/cf/host.def includes
>the following:
>
>#define BuildXACE YES
>#define BuildXSELinux YES
>#define ExtraLibraries -lselinux
>
>Note that there is no policy written yet, so nothing is allowed; you'll
>need to be in permissive mode. The denied messages should appear in the
>log file, /var/log/Xorg.0.log, and on the X server's stderr also I
>believe. They don't start with the "avc: " pattern that audit2allow
>uses, so that program will have to be modified to work.
>
>The security architecture in the X server is more or less based on the
>paper, "Securing the X Window System with SELinux" that is available in
>our documentation section. There are some minor differences, notably
>the property and xextension classes. I'll try to come up with
>class/access vector descriptions similar to the ones that were posted
>earlier.
>
>
>