[PATCH] refpolicy: add X object classes to unconfined_t

[PATCH] refpolicy: add X object classes to unconfined_t

[Eamon Walsh]

[-- Attachment #1: Type: text/plain, Size: 417 bytes --]

Hello,
I'm working on the XSELinux code, which has just been brought up to date
with the current X.org code base.

The following patch adds the X Windows userspace object classes to
unconfined_t.


Signed-off-by:  Eamon Walsh <ewalsh@tycho.nsa.gov>

 policy/modules/system/unconfined.if |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

[-- Attachment #2: unconfined-x.patch --]
[-- Type: text/x-patch, Size: 1149 bytes --]

--- refpolicy/policy/modules/system/unconfined.if	2006-09-11 21:06:30.000000000 -0400
+++ refpolicy-new/policy/modules/system/unconfined.if	2006-09-11 21:08:55.000000000 -0400
@@ -15,6 +15,17 @@
 		class dbus all_dbus_perms;
 		class nscd all_nscd_perms;
 		class passwd all_passwd_perms;
+		class drawable all_drawable_perms;
+		class window all_window_perms;
+		class gc all_gc_perms;
+		class font all_font_perms;
+		class colormap all_colormap_perms;
+		class property all_property_perms;
+		class cursor all_cursor_perms;	
+		class xclient all_xclient_perms;
+		class xserver all_xserver_perms;
+		class xinput all_xinput_perms;
+		class xextension all_xextension_perms;
 	')
 
 	# Use any Linux capability.
@@ -31,6 +42,17 @@
 	allow $1 self:nscd *;
 	allow $1 self:dbus *;
 	allow $1 self:passwd *;
+	allow $1 self:drawable *;
+	allow $1 self:window *;
+	allow $1 self:gc *;
+	allow $1 self:font *;
+	allow $1 self:colormap *;
+	allow $1 self:property *;
+	allow $1 self:cursor *;
+	allow $1 self:xclient *;
+	allow $1 self:xserver *;
+	allow $1 self:xinput *;
+	allow $1 self:xextension *;
 
 	kernel_unconfined($1)
 	corenet_unconfined($1)

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Christopher J. PeBenito]

On Tue, 2006-09-12 at 15:11 -0400, Eamon Walsh wrote:
> I'm working on the XSELinux code, which has just been brought up to date
> with the current X.org code base.

Is there any idea when this is going to be merged into xorg trunk?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Eamon Walsh]

On Wed, 2006-09-13 at 09:47 -0400, Christopher J. PeBenito wrote:
> On Tue, 2006-09-12 at 15:11 -0400, Eamon Walsh wrote:
> > I'm working on the XSELinux code, which has just been brought up to date
> > with the current X.org code base.
> 
> Is there any idea when this is going to be merged into xorg trunk?

X.org is on a 6-month cycle with the 7.2 release scheduled for November.
I'm targeting the 7.3 release, but I may be able to get the hooks layer
into 7.2.

In the meantime, the code can be checked out of the XACE-SELINUX branch
of the X.org "xserver" git repository.  It it fully up to date with the
trunk, and builds and runs fine, except that there isn't any policy
support for it yet other than what TCS has done.

-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Joshua Brindle]

Eamon Walsh wrote:
> Hello,
> I'm working on the XSELinux code, which has just been brought up to date
> with the current X.org code base.
> 
> The following patch adds the X Windows userspace object classes to
> unconfined_t.
> 

This patch doesn't add the types necessary to run the default XSELinux 
installation. Do you have a module that adds those types so that we can 
test the codebase out?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Joshua Brindle]

On Thu, 2006-09-14 at 10:10 -0400, Joshua Brindle wrote:
> Eamon Walsh wrote:
> > Hello,
> > I'm working on the XSELinux code, which has just been brought up to date
> > with the current X.org code base.
> > 
> > The following patch adds the X Windows userspace object classes to
> > unconfined_t.
> > 
> 
> This patch doesn't add the types necessary to run the default XSELinux 
> installation. Do you have a module that adds those types so that we can 
> test the codebase out?

It also seems that the XSELinuxConfig in the git repository doesn't have
all the necessary entries, one for root_window_context needs to be added
to start the X server up.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Eamon Walsh]

[-- Attachment #1: Type: text/plain, Size: 743 bytes --]

On Fri, 2006-09-15 at 08:46 -0400, Joshua Brindle wrote:
> On Thu, 2006-09-14 at 10:10 -0400, Joshua Brindle wrote:

[snip]

> It also seems that the XSELinuxConfig in the git repository doesn't have
> all the necessary entries, one for root_window_context needs to be added
> to start the X server up.

I've been using the attached config file, however, without the
unconfined_t patch for targeted, it still won't work unless in
permissive mode.

> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

[-- Attachment #2: XSELinuxConfig --]
[-- Type: text/plain, Size: 3165 bytes --]

#
# Config file for XSELinux extension
#

#
# The nonlocal_context rule defines a context to be used for all clients
# connecting to the server from a remote host.  The nonlocal context must
# be defined, and it must be a valid context according to the SELinux
# security policy.  Only one nonlocal_context rule may be defined.
#
nonlocal_context			system_u:object_r:unconfined_t
root_window_context			system_u:object_r:unconfined_t

#
# Property rules map a property name to a SELinux type.  The type must
# be valid according to the SELinux security policy.  There can be any
# number of property rules.  Additionally, a default property type can be
# defined for all properties not explicitly listed.  The default
# property type may not be omitted.  The default rule may appear in
# any position (it need not be the last property rule listed).
#
property WM_NAME			unconfined_t
property WM_CLASS			unconfined_t
property WM_ICON_NAME			unconfined_t
property WM_HINTS			unconfined_t
property WM_NORMAL_HINTS		unconfined_t
property WM_COMMAND			unconfined_t

property CUT_BUFFER0			unconfined_t
property CUT_BUFFER1			unconfined_t
property CUT_BUFFER2			unconfined_t
property CUT_BUFFER3			unconfined_t
property CUT_BUFFER4			unconfined_t
property CUT_BUFFER5			unconfined_t
property CUT_BUFFER6			unconfined_t
property CUT_BUFFER7			unconfined_t

property default			unconfined_t

#
# Extension rules map an extension name to a SELinux type.  The type must
# be valid according to the SELinux security policy.  There can be any
# number of extension rules.  Additionally, a default extension type can
# be defined for all extensions not explicitly listed.  The default
# extension type may not be omitted.  The default rule may appear in
# any position (it need not be the last extension rule listed).
#
extension BIG-REQUESTS			unconfined_t
extension DOUBLE-BUFFER			unconfined_t
extension DPMS				unconfined_t
extension Extended-Visual-Information	unconfined_t
extension FontCache			unconfined_t
extension GLX				unconfined_t
extension LBX				unconfined_t
extension MIT-SCREEN-SAVER		unconfined_t
extension MIT-SHM			unconfined_t
extension MIT-SUNDRY-NONSTANDARD	unconfined_t
extension NV-CONTROL			unconfined_t
extension NV-GLX			unconfined_t
extension NVIDIA-GLX			unconfined_t
extension RANDR				unconfined_t
extension RECORD			unconfined_t
extension RENDER			unconfined_t
extension SECURITY			unconfined_t
extension SELinux			unconfined_t
extension SHAPE				unconfined_t
extension SYNC				unconfined_t
extension TOG-CUP			unconfined_t
extension X-Resource			unconfined_t
extension XAccessControlExtension	unconfined_t
extension XACEUSR			unconfined_t
extension XC-APPGROUP			unconfined_t
extension XC-MISC			unconfined_t
extension XFree86-Bigfont		unconfined_t
extension XFree86-DGA			unconfined_t
extension XFree86-Misc			unconfined_t
extension XFree86-VidModeExtension	unconfined_t
extension XInputExtension		unconfined_t
extension XKEYBOARD			unconfined_t
extension XpExtension                   unconfined_t
extension XTEST				unconfined_t
extension XVideo			unconfined_t
extension XVideo-MotionCompensation	unconfined_t
extension default			unconfined_t

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Christopher J. PeBenito]

On Fri, 2006-09-15 at 17:19 -0400, Eamon Walsh wrote:
> On Fri, 2006-09-15 at 08:46 -0400, Joshua Brindle wrote:
> > On Thu, 2006-09-14 at 10:10 -0400, Joshua Brindle wrote:
> [snip]
> > It also seems that the XSELinuxConfig in the git repository doesn't have
> > all the necessary entries, one for root_window_context needs to be added
> > to start the X server up.
> 
> I've been using the attached config file, however, without the
> unconfined_t patch for targeted, it still won't work unless in
> permissive mode.

I'm not convinced the original patch should go in refpolicy.  What we
need to do is reestablish all the types for the X server properties,
extensions, etc.  Then the unconfined rules would use all the the above,
and then have access to all domains' windows, etc.  Its hard for me to
articulate, since I don't know how all the X object classes work.  What
I'd really like to see would be an example policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 969 bytes --]

I've replaced the XSELinuxConfig file with the attached version but
Xorg still fails to start. Any advice would be appreciated.

On 9/15/06, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> On Fri, 2006-09-15 at 08:46 -0400, Joshua Brindle wrote:
> > On Thu, 2006-09-14 at 10:10 -0400, Joshua Brindle wrote:
>
> [snip]
>
> > It also seems that the XSELinuxConfig in the git repository doesn't have
> > all the necessary entries, one for root_window_context needs to be added
> > to start the X server up.
>
> I've been using the attached config file, however, without the
> unconfined_t patch for targeted, it still won't work unless in
> permissive mode.
>
> >
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> --
> Eamon Walsh <ewalsh@tycho.nsa.gov>
> National Security Agency
>
>
>

[-- Attachment #2: Xorg.1.log --]
[-- Type: text/x-log, Size: 18958 bytes --]


This is a pre-release version of the X server from The X.Org Foundation.
It is not supported in any way.
Bugs may be filed in the bugzilla at http://bugs.freedesktop.org/.
Select the "xorg" product for bugs you find in this release.
Before reporting bugs in pre-release versions please check the
latest version in the X.Org Foundation CVS repository.
See http://wiki.x.org/wiki/CvsPage for CVS access instructions.

X Window System Version 7.1.99.2
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.1.99.2
Build Operating System: Linux 2.6.18-1.2798.fc6 i686 
Current Operating System: Linux localhost.localdomain 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686
Build Date: 28 November 2006
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/home/jcdxdev/tmp/modular/var/log/Xorg.1.log", Time: Wed Nov 29 08:49:29 2006
(==) Using config file: "/etc/X11/xorg.conf"
(==) ServerLayout "single head configuration"
(**) |-->Screen "Screen0" (0)
(**) |   |-->Monitor "Monitor0"
(**) |   |-->Device "Videocard0"
(**) |-->Input Device "Keyboard0"
(==) |-->Input Device "<default pointer>"
(WW) The core pointer device wasn't specified explicitly in the layout.
	Using the default mouse configuration.
(WW) The directory "/home/jcdxdev/tmp/modular/lib/X11/fonts/OTF" does not exist.
	Entry deleted from font path.
(WW) The directory "/home/jcdxdev/tmp/modular/lib/X11/fonts/CID/" does not exist.
	Entry deleted from font path.
(==) FontPath set to:
	/home/jcdxdev/tmp/modular/lib/X11/fonts/misc/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/TTF/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/Type1/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/100dpi/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/75dpi/
(==) RgbPath set to "/home/jcdxdev/tmp/modular/share/X11/rgb"
(**) ModulePath set to "/usr/lib/xorg/modules/extensions/nvidia,/usr/lib/xorg/modules"
(**) Ignoring ABI Version
(II) Open ACPI successful (/var/run/acpid.socket)
(II) Loader magic: 0x81c6520
(II) Module ABI versions:
	X.Org ANSI C Emulation: 0.3
	X.Org Video Driver: 1.0
	X.Org XInput driver : 0.6
	X.Org Server Extension : 0.3
	X.Org Font Renderer : 0.5
(II) Loader running on linux
(II) LoadModule: "pcidata"
(II) Loading /usr/lib/xorg/modules//libpcidata.so
(II) Module pcidata: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.0.0
	ABI class: X.Org Video Driver, version 1.0
(--) using VT number 9

(II) PCI: PCI scan (all values are in hex)
(II) PCI: 00:00:0: chip 8086,2578 card 103c,12bf rev 02 class 06,00,00 hdr 00
(II) PCI: 00:01:0: chip 8086,2579 card 0000,0000 rev 02 class 06,04,00 hdr 01
(II) PCI: 00:1d:0: chip 8086,24d2 card 103c,12bf rev 02 class 0c,03,00 hdr 80
(II) PCI: 00:1d:1: chip 8086,24d4 card 103c,12bf rev 02 class 0c,03,00 hdr 00
(II) PCI: 00:1d:2: chip 8086,24d7 card 103c,12bf rev 02 class 0c,03,00 hdr 00
(II) PCI: 00:1d:7: chip 8086,24dd card 103c,12bf rev 02 class 0c,03,20 hdr 00
(II) PCI: 00:1e:0: chip 8086,244e card 0000,0000 rev c2 class 06,04,00 hdr 01
(II) PCI: 00:1f:0: chip 8086,24d0 card 0000,0000 rev 02 class 06,01,00 hdr 80
(II) PCI: 00:1f:1: chip 8086,24db card 103c,12bf rev 02 class 01,01,8a hdr 00
(II) PCI: 00:1f:2: chip 8086,24d1 card 103c,12bf rev 02 class 01,01,8f hdr 00
(II) PCI: 00:1f:5: chip 8086,24d5 card 103c,12bf rev 02 class 04,01,00 hdr 00
(II) PCI: 01:00:0: chip 10de,0110 card 1043,407f rev b2 class 03,00,00 hdr 00
(II) PCI: 05:02:0: chip 14e4,1696 card 103c,12bf rev 03 class 02,00,00 hdr 00
(II) PCI: End of PCI scan
(II) Intel Bridge workaround enabled
(II) Host-to-PCI bridge:
(II) Bus 0: bridge is at (0:0:0), (0,0,5), BCTRL: 0x0008 (VGA_EN is set)
(II) Bus 0 I/O range:
	[0] -1	0	0x00000000 - 0x0000ffff (0x10000) IX[B]
(II) Bus 0 non-prefetchable memory range:
	[0] -1	0	0x00000000 - 0xffffffff (0x0) MX[B]
(II) Bus 0 prefetchable memory range:
	[0] -1	0	0x00000000 - 0xffffffff (0x0) MX[B]
(II) PCI-to-PCI bridge:
(II) Bus 1: bridge is at (0:1:0), (0,1,1), BCTRL: 0x0008 (VGA_EN is set)
(II) Bus 1 non-prefetchable memory range:
	[0] -1	0	0xf9000000 - 0xfa1fffff (0x1200000) MX[B]
(II) Bus 1 prefetchable memory range:
	[0] -1	0	0xf0000000 - 0xf81fffff (0x8200000) MX[B]
(II) Subtractive PCI-to-PCI bridge:
(II) Bus 5: bridge is at (0:30:0), (0,5,5), BCTRL: 0x0006 (VGA_EN is cleared)
(II) Bus 5 non-prefetchable memory range:
	[0] -1	0	0xf8200000 - 0xf84fffff (0x300000) MX[B]
(II) PCI-to-ISA bridge:
(II) Bus -1: bridge is at (0:31:0), (0,-1,-1), BCTRL: 0x0008 (VGA_EN is set)
(--) PCI:*(1:0:0) nVidia Corporation NV11 [GeForce2 MX/MX 400] rev 178, Mem @ 0xf9000000/24, 0xf0000000/27
(II) Addressable bus resource ranges are
	[0] -1	0	0x00000000 - 0xffffffff (0x0) MX[B]
	[1] -1	0	0x00000000 - 0x0000ffff (0x10000) IX[B]
(II) OS-reported resource ranges:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[5] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
(II) PCI Memory resource overlap reduced 0xe8000000 from 0xefffffff to 0xe7ffffff
(II) Active PCI resource ranges:
	[0] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[1] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[2] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[3] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[4] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[5] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[6] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[7] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[8] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[9] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[10] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[11] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[12] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[13] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[14] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[15] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[16] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[17] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[18] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[19] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[20] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[21] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[22] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) Active PCI resource ranges after removing overlaps:
	[0] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[1] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[2] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[3] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[4] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[5] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[6] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[7] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[8] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[9] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[10] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[11] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[12] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[13] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[14] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[15] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[16] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[17] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[18] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[19] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[20] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[21] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[22] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) OS-reported resource ranges after removing overlaps with PCI:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[5] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
(II) All system resource ranges:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[5] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[6] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[7] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[8] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[9] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[10] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[11] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[12] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[13] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[14] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[15] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[16] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[17] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[18] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[19] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[20] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[21] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[22] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[23] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[24] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[25] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[26] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[27] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[28] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) LoadModule: "glx"
(II) Loading /usr/lib/xorg/modules/extensions/nvidia//libglx.so
(II) Module glx: vendor="NVIDIA Corporation"
	compiled for 4.0.2, module version = 1.0.8776
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 0.1
(II) Loading extension GLX
(II) LoadModule: "nvidia"
(II) Loading /usr/lib/xorg/modules/drivers//nvidia_drv.so
(II) Module nvidia: vendor="NVIDIA Corporation"
	compiled for 4.0.2, module version = 1.0.8776
	Module class: X.Org Video Driver
(II) LoadModule: "kbd"
(II) Loading /usr/lib/xorg/modules/input//kbd_drv.so
(II) Module kbd: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.1.0
	Module class: X.Org XInput Driver
	ABI class: X.Org XInput driver, version 0.6
(II) LoadModule: "mouse"
(II) Loading /usr/lib/xorg/modules/input//mouse_drv.so
(II) Module mouse: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.1.1
	Module class: X.Org XInput Driver
	ABI class: X.Org XInput driver, version 0.6
(II) NVIDIA dlloader X Driver  1.0-8776  Mon Oct 16 21:57:32 PDT 2006
(II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
(II) Primary Device is: PCI 01:00:0
(--) Assigning device section with no busID to primary device
(--) Chipset NVIDIA GPU found
(II) Loading sub module "fb"
(II) LoadModule: "fb"
(II) Loading /usr/lib/xorg/modules//libfb.so
(II) Module fb: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.0.0
	ABI class: X.Org ANSI C Emulation, version 0.3
(II) Loading sub module "ramdac"
(II) LoadModule: "ramdac"
(II) Loading /usr/lib/xorg/modules//libramdac.so
(II) Module ramdac: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 0.1.0
	ABI class: X.Org Video Driver, version 1.0
(II) resource ranges after xf86ClaimFixedResources() call:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[5] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[6] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[7] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[8] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[9] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[10] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[11] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[12] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[13] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[14] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[15] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[16] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[17] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[18] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[19] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[20] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[21] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[22] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[23] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[24] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[25] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[26] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[27] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[28] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) resource ranges after probing:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[5] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[6] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[7] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[8] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[9] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[10] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[11] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[12] 0	0	0x000a0000 - 0x000affff (0x10000) MS[B]
	[13] 0	0	0x000b0000 - 0x000b7fff (0x8000) MS[B]
	[14] 0	0	0x000b8000 - 0x000bffff (0x8000) MS[B]
	[15] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[16] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[17] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[18] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[19] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[20] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[21] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[22] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[23] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[24] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[25] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[26] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[27] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[28] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[29] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[30] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[31] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
	[32] 0	0	0x000003b0 - 0x000003bb (0xc) IS[B]
	[33] 0	0	0x000003c0 - 0x000003df (0x20) IS[B]
(II) Setting vga for screen 0.
(**) NVIDIA(0): Depth 24, (--) framebuffer bpp 32
(==) NVIDIA(0): RGB weight 888
(==) NVIDIA(0): Default visual is TrueColor
(==) NVIDIA(0): Using gamma correction (1.0, 1.0, 1.0)
(**) NVIDIA(0): Enabling RENDER acceleration
(WW) NVIDIA(0): Unable to read EDID for display device CRT-0
(II) NVIDIA(0): NVIDIA GPU GeForce2 MX/MX 400 at PCI:1:0:0
(--) NVIDIA(0): VideoRAM: 32768 kBytes
(--) NVIDIA(0): VideoBIOS: 03.11.01.48.86
(II) NVIDIA(0): Detected AGP rate: 4X
(--) NVIDIA(0): Interlaced video modes are not supported on this GPU
(--) NVIDIA(0): Connected display device(s) on GeForce2 MX/MX 400 at
(--) NVIDIA(0):     PCI:1:0:0:
(--) NVIDIA(0):     CRT-0
(--) NVIDIA(0): CRT-0: 350.0 MHz maximum pixel clock
(II) NVIDIA(0): Assigned Display Device: CRT-0
(WW) NVIDIA(0): No valid modes for "1280x800"; removing.
(II) NVIDIA(0): Validated modes:
(II) NVIDIA(0):     "1280x1024"
(II) NVIDIA(0):     "1280x960"
(II) NVIDIA(0):     "1152x864"
(II) NVIDIA(0):     "1152x768"
(II) NVIDIA(0):     "1024x768"
(II) NVIDIA(0):     "800x600"
(II) NVIDIA(0):     "640x480"
(II) NVIDIA(0): Virtual screen size determined to be 1280 x 1024
(WW) NVIDIA(0): Unable to get display device CRT-0's EDID; cannot compute DPI
(WW) NVIDIA(0):     from EDID.
(==) NVIDIA(0): DPI set to (75, 75); computed from built-in default
(--) Depth 24 pixmap format is 32 bpp
(II) do I need RAC?  No, I don't.
(II) resource ranges after preInit:
	[0] 0	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B]
	[1] 0	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B]
	[2] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[3] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[4] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[5] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[6] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[7] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[8] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[9] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[10] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[11] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[12] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[13] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[14] 0	0	0x000a0000 - 0x000affff (0x10000) MS[B](OprD)
	[15] 0	0	0x000b0000 - 0x000b7fff (0x8000) MS[B](OprD)
	[16] 0	0	0x000b8000 - 0x000bffff (0x8000) MS[B](OprD)
	[17] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[18] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[19] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[20] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[21] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[22] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[23] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[24] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[25] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[26] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[27] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[28] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[29] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[30] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[31] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[32] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[33] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
	[34] 0	0	0x000003b0 - 0x000003bb (0xc) IS[B](OprU)
	[35] 0	0	0x000003c0 - 0x000003df (0x20) IS[B](OprU)
(II) NVIDIA(0): Setting mode "1280x1024"
(II) Loading extension NV-GLX
(II) NVIDIA(0): NVIDIA 3D Acceleration Architecture Initialized
(II) NVIDIA(0): Using the NVIDIA 2D acceleration architecture
(==) NVIDIA(0): Backing store disabled
(==) NVIDIA(0): Silken mouse enabled
(**) Option "dpms"
(**) NVIDIA(0): DPMS enabled
(II) Loading extension NV-CONTROL
(==) RandR enabled
(II) Initializing built-in extension MIT-SHM
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XC-APPGROUP
(II) Initializing built-in extension XAccessControlExtension
(II) Initializing built-in extension SECURITY
(II) Initializing built-in extension SELinux
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension XFree86-Bigfont
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
(II) Initializing built-in extension XEVIE
(II) Initializing extension GLX
XSELinux: Line 11 of /home/jcdxdev/tmp/modular/lib/xserver/XSELinuxConfig is invalid

Fatal server error:
XSELinux: Failed to load security policy

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Eamon Walsh]

On Wed, 2006-11-29 at 09:12 -0600, Xavier Toth wrote:
> I've replaced the XSELinuxConfig file with the attached version but
> Xorg still fails to start. Any advice would be appreciated.
> 

Are you running with targeted policy?  In your message to the X list you
indicated you were running MLS policy.  

What's in your Xorg log file?

-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 1175 bytes --]

Humm I attached the log to my last post anyway I attached it again. I
have been able to run Xorg under the targeted policy (permissive mode)
after I chcon'd it to the same context as the Xorg in /usr/bin. Now
I'm trying to get it working under the MLS permissive policy which
doesn't have the unconfined_t type. Under MLS Xorg gets labeled as
type bin_t so I chcon'd my Xorg to match and edited XSELinuxConfig
replacing unconfined_t with bin_t. However the result of my simplistic
approach is that Xorg fails to start complaining:
XSELinux: Line 11 of
/home/jcdxdev/tmp/modular/lib/xserver/XSELinuxConfig is invalid

Fatal server error:
XSELinux: Failed to load security policy

Any suggestions?

On 11/29/06, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> On Wed, 2006-11-29 at 09:12 -0600, Xavier Toth wrote:
> > I've replaced the XSELinuxConfig file with the attached version but
> > Xorg still fails to start. Any advice would be appreciated.
> >
>
> Are you running with targeted policy?  In your message to the X list you
> indicated you were running MLS policy.
>
> What's in your Xorg log file?
>
> --
> Eamon Walsh <ewalsh@tycho.nsa.gov>
> National Security Agency
>
>

[-- Attachment #2: Xorg.0.log --]
[-- Type: text/x-log, Size: 18958 bytes --]


This is a pre-release version of the X server from The X.Org Foundation.
It is not supported in any way.
Bugs may be filed in the bugzilla at http://bugs.freedesktop.org/.
Select the "xorg" product for bugs you find in this release.
Before reporting bugs in pre-release versions please check the
latest version in the X.Org Foundation CVS repository.
See http://wiki.x.org/wiki/CvsPage for CVS access instructions.

X Window System Version 7.1.99.2
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 7.1.99.2
Build Operating System: Linux 2.6.18-1.2798.fc6 i686 
Current Operating System: Linux localhost.localdomain 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686
Build Date: 28 November 2006
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/home/jcdxdev/tmp/modular/var/log/Xorg.0.log", Time: Wed Nov 29 13:49:28 2006
(==) Using config file: "/etc/X11/xorg.conf"
(==) ServerLayout "single head configuration"
(**) |-->Screen "Screen0" (0)
(**) |   |-->Monitor "Monitor0"
(**) |   |-->Device "Videocard0"
(**) |-->Input Device "Keyboard0"
(==) |-->Input Device "<default pointer>"
(WW) The core pointer device wasn't specified explicitly in the layout.
	Using the default mouse configuration.
(WW) The directory "/home/jcdxdev/tmp/modular/lib/X11/fonts/OTF" does not exist.
	Entry deleted from font path.
(WW) The directory "/home/jcdxdev/tmp/modular/lib/X11/fonts/CID/" does not exist.
	Entry deleted from font path.
(==) FontPath set to:
	/home/jcdxdev/tmp/modular/lib/X11/fonts/misc/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/TTF/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/Type1/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/100dpi/,
	/home/jcdxdev/tmp/modular/lib/X11/fonts/75dpi/
(==) RgbPath set to "/home/jcdxdev/tmp/modular/share/X11/rgb"
(**) ModulePath set to "/usr/lib/xorg/modules/extensions/nvidia,/usr/lib/xorg/modules"
(**) Ignoring ABI Version
(II) Open ACPI successful (/var/run/acpid.socket)
(II) Loader magic: 0x81c6520
(II) Module ABI versions:
	X.Org ANSI C Emulation: 0.3
	X.Org Video Driver: 1.0
	X.Org XInput driver : 0.6
	X.Org Server Extension : 0.3
	X.Org Font Renderer : 0.5
(II) Loader running on linux
(II) LoadModule: "pcidata"
(II) Loading /usr/lib/xorg/modules//libpcidata.so
(II) Module pcidata: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.0.0
	ABI class: X.Org Video Driver, version 1.0
(--) using VT number 7

(II) PCI: PCI scan (all values are in hex)
(II) PCI: 00:00:0: chip 8086,2578 card 103c,12bf rev 02 class 06,00,00 hdr 00
(II) PCI: 00:01:0: chip 8086,2579 card 0000,0000 rev 02 class 06,04,00 hdr 01
(II) PCI: 00:1d:0: chip 8086,24d2 card 103c,12bf rev 02 class 0c,03,00 hdr 80
(II) PCI: 00:1d:1: chip 8086,24d4 card 103c,12bf rev 02 class 0c,03,00 hdr 00
(II) PCI: 00:1d:2: chip 8086,24d7 card 103c,12bf rev 02 class 0c,03,00 hdr 00
(II) PCI: 00:1d:7: chip 8086,24dd card 103c,12bf rev 02 class 0c,03,20 hdr 00
(II) PCI: 00:1e:0: chip 8086,244e card 0000,0000 rev c2 class 06,04,00 hdr 01
(II) PCI: 00:1f:0: chip 8086,24d0 card 0000,0000 rev 02 class 06,01,00 hdr 80
(II) PCI: 00:1f:1: chip 8086,24db card 103c,12bf rev 02 class 01,01,8a hdr 00
(II) PCI: 00:1f:2: chip 8086,24d1 card 103c,12bf rev 02 class 01,01,8f hdr 00
(II) PCI: 00:1f:5: chip 8086,24d5 card 103c,12bf rev 02 class 04,01,00 hdr 00
(II) PCI: 01:00:0: chip 10de,0110 card 1043,407f rev b2 class 03,00,00 hdr 00
(II) PCI: 05:02:0: chip 14e4,1696 card 103c,12bf rev 03 class 02,00,00 hdr 00
(II) PCI: End of PCI scan
(II) Intel Bridge workaround enabled
(II) Host-to-PCI bridge:
(II) Bus 0: bridge is at (0:0:0), (0,0,5), BCTRL: 0x0008 (VGA_EN is set)
(II) Bus 0 I/O range:
	[0] -1	0	0x00000000 - 0x0000ffff (0x10000) IX[B]
(II) Bus 0 non-prefetchable memory range:
	[0] -1	0	0x00000000 - 0xffffffff (0x0) MX[B]
(II) Bus 0 prefetchable memory range:
	[0] -1	0	0x00000000 - 0xffffffff (0x0) MX[B]
(II) PCI-to-PCI bridge:
(II) Bus 1: bridge is at (0:1:0), (0,1,1), BCTRL: 0x0008 (VGA_EN is set)
(II) Bus 1 non-prefetchable memory range:
	[0] -1	0	0xf9000000 - 0xfa1fffff (0x1200000) MX[B]
(II) Bus 1 prefetchable memory range:
	[0] -1	0	0xf0000000 - 0xf81fffff (0x8200000) MX[B]
(II) Subtractive PCI-to-PCI bridge:
(II) Bus 5: bridge is at (0:30:0), (0,5,5), BCTRL: 0x0006 (VGA_EN is cleared)
(II) Bus 5 non-prefetchable memory range:
	[0] -1	0	0xf8200000 - 0xf84fffff (0x300000) MX[B]
(II) PCI-to-ISA bridge:
(II) Bus -1: bridge is at (0:31:0), (0,-1,-1), BCTRL: 0x0008 (VGA_EN is set)
(--) PCI:*(1:0:0) nVidia Corporation NV11 [GeForce2 MX/MX 400] rev 178, Mem @ 0xf9000000/24, 0xf0000000/27
(II) Addressable bus resource ranges are
	[0] -1	0	0x00000000 - 0xffffffff (0x0) MX[B]
	[1] -1	0	0x00000000 - 0x0000ffff (0x10000) IX[B]
(II) OS-reported resource ranges:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[5] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
(II) PCI Memory resource overlap reduced 0xe8000000 from 0xefffffff to 0xe7ffffff
(II) Active PCI resource ranges:
	[0] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[1] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[2] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[3] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[4] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[5] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[6] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[7] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[8] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[9] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[10] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[11] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[12] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[13] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[14] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[15] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[16] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[17] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[18] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[19] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[20] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[21] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[22] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) Active PCI resource ranges after removing overlaps:
	[0] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[1] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[2] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[3] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[4] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[5] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[6] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[7] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[8] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[9] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[10] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[11] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[12] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[13] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[14] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[15] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[16] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[17] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[18] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[19] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[20] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[21] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[22] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) OS-reported resource ranges after removing overlaps with PCI:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[5] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
(II) All system resource ranges:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[5] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[6] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[7] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[8] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[9] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[10] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[11] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[12] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[13] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[14] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[15] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[16] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[17] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[18] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[19] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[20] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[21] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[22] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[23] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[24] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[25] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[26] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[27] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[28] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) LoadModule: "glx"
(II) Loading /usr/lib/xorg/modules/extensions/nvidia//libglx.so
(II) Module glx: vendor="NVIDIA Corporation"
	compiled for 4.0.2, module version = 1.0.8776
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 0.1
(II) Loading extension GLX
(II) LoadModule: "nvidia"
(II) Loading /usr/lib/xorg/modules/drivers//nvidia_drv.so
(II) Module nvidia: vendor="NVIDIA Corporation"
	compiled for 4.0.2, module version = 1.0.8776
	Module class: X.Org Video Driver
(II) LoadModule: "kbd"
(II) Loading /usr/lib/xorg/modules/input//kbd_drv.so
(II) Module kbd: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.1.0
	Module class: X.Org XInput Driver
	ABI class: X.Org XInput driver, version 0.6
(II) LoadModule: "mouse"
(II) Loading /usr/lib/xorg/modules/input//mouse_drv.so
(II) Module mouse: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.1.1
	Module class: X.Org XInput Driver
	ABI class: X.Org XInput driver, version 0.6
(II) NVIDIA dlloader X Driver  1.0-8776  Mon Oct 16 21:57:32 PDT 2006
(II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
(II) Primary Device is: PCI 01:00:0
(--) Assigning device section with no busID to primary device
(--) Chipset NVIDIA GPU found
(II) Loading sub module "fb"
(II) LoadModule: "fb"
(II) Loading /usr/lib/xorg/modules//libfb.so
(II) Module fb: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 1.0.0
	ABI class: X.Org ANSI C Emulation, version 0.3
(II) Loading sub module "ramdac"
(II) LoadModule: "ramdac"
(II) Loading /usr/lib/xorg/modules//libramdac.so
(II) Module ramdac: vendor="X.Org Foundation"
	compiled for 7.1.1, module version = 0.1.0
	ABI class: X.Org Video Driver, version 1.0
(II) resource ranges after xf86ClaimFixedResources() call:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[5] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[6] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[7] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[8] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[9] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[10] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[11] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[12] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[13] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[14] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[15] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[16] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[17] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[18] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[19] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[20] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[21] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[22] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[23] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[24] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[25] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[26] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[27] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[28] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
(II) resource ranges after probing:
	[0] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[5] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[6] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[7] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[8] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[9] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[10] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[11] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[12] 0	0	0x000a0000 - 0x000affff (0x10000) MS[B]
	[13] 0	0	0x000b0000 - 0x000b7fff (0x8000) MS[B]
	[14] 0	0	0x000b8000 - 0x000bffff (0x8000) MS[B]
	[15] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[16] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[17] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[18] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[19] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[20] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[21] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[22] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[23] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[24] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[25] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[26] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[27] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[28] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[29] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[30] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[31] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
	[32] 0	0	0x000003b0 - 0x000003bb (0xc) IS[B]
	[33] 0	0	0x000003c0 - 0x000003df (0x20) IS[B]
(II) Setting vga for screen 0.
(**) NVIDIA(0): Depth 24, (--) framebuffer bpp 32
(==) NVIDIA(0): RGB weight 888
(==) NVIDIA(0): Default visual is TrueColor
(==) NVIDIA(0): Using gamma correction (1.0, 1.0, 1.0)
(**) NVIDIA(0): Enabling RENDER acceleration
(WW) NVIDIA(0): Unable to read EDID for display device CRT-0
(II) NVIDIA(0): NVIDIA GPU GeForce2 MX/MX 400 at PCI:1:0:0
(--) NVIDIA(0): VideoRAM: 32768 kBytes
(--) NVIDIA(0): VideoBIOS: 03.11.01.48.86
(II) NVIDIA(0): Detected AGP rate: 4X
(--) NVIDIA(0): Interlaced video modes are not supported on this GPU
(--) NVIDIA(0): Connected display device(s) on GeForce2 MX/MX 400 at
(--) NVIDIA(0):     PCI:1:0:0:
(--) NVIDIA(0):     CRT-0
(--) NVIDIA(0): CRT-0: 350.0 MHz maximum pixel clock
(II) NVIDIA(0): Assigned Display Device: CRT-0
(WW) NVIDIA(0): No valid modes for "1280x800"; removing.
(II) NVIDIA(0): Validated modes:
(II) NVIDIA(0):     "1280x1024"
(II) NVIDIA(0):     "1280x960"
(II) NVIDIA(0):     "1152x864"
(II) NVIDIA(0):     "1152x768"
(II) NVIDIA(0):     "1024x768"
(II) NVIDIA(0):     "800x600"
(II) NVIDIA(0):     "640x480"
(II) NVIDIA(0): Virtual screen size determined to be 1280 x 1024
(WW) NVIDIA(0): Unable to get display device CRT-0's EDID; cannot compute DPI
(WW) NVIDIA(0):     from EDID.
(==) NVIDIA(0): DPI set to (75, 75); computed from built-in default
(--) Depth 24 pixmap format is 32 bpp
(II) do I need RAC?  No, I don't.
(II) resource ranges after preInit:
	[0] 0	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B]
	[1] 0	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B]
	[2] -1	0	0x00100000 - 0x3fffffff (0x3ff00000) MX[B]E(B)
	[3] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[4] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[5] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[6] -1	0	0xf8400000 - 0xf840ffff (0x10000) MX[B]
	[7] -1	0	0xf8500600 - 0xf85006ff (0x100) MX[B]
	[8] -1	0	0xf8500400 - 0xf85005ff (0x200) MX[B]
	[9] -1	0	0x70000000 - 0x700003ff (0x400) MX[B]
	[10] -1	0	0xf8500000 - 0xf85003ff (0x400) MX[B]
	[11] -1	0	0xe8000000 - 0xe7ffffff (0x0) MX[B]O
	[12] -1	0	0xf0000000 - 0xf7ffffff (0x8000000) MX[B](B)
	[13] -1	0	0xf9000000 - 0xf9ffffff (0x1000000) MX[B](B)
	[14] 0	0	0x000a0000 - 0x000affff (0x10000) MS[B](OprD)
	[15] 0	0	0x000b0000 - 0x000b7fff (0x8000) MS[B](OprD)
	[16] 0	0	0x000b8000 - 0x000bffff (0x8000) MS[B](OprD)
	[17] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[18] -1	0	0x00000000 - 0x000000ff (0x100) IX[B]
	[19] -1	0	0x00001400 - 0x0000143f (0x40) IX[B]
	[20] -1	0	0x00001000 - 0x000010ff (0x100) IX[B]
	[21] -1	0	0x000014d0 - 0x000014df (0x10) IX[B]
	[22] -1	0	0x0000180c - 0x0000180f (0x4) IX[B]
	[23] -1	0	0x000014f8 - 0x000014ff (0x8) IX[B]
	[24] -1	0	0x00001808 - 0x0000180b (0x4) IX[B]
	[25] -1	0	0x000014f0 - 0x000014f7 (0x8) IX[B]
	[26] -1	0	0x000014c0 - 0x000014cf (0x10) IX[B]
	[27] -1	0	0x00001804 - 0x00001804 (0x1) IX[B]
	[28] -1	0	0x000014e8 - 0x000014e8 (0x1) IX[B]
	[29] -1	0	0x00001800 - 0x00001800 (0x1) IX[B]
	[30] -1	0	0x000014e0 - 0x000014e0 (0x1) IX[B]
	[31] -1	0	0x00001480 - 0x0000149f (0x20) IX[B]
	[32] -1	0	0x00001460 - 0x0000147f (0x20) IX[B]
	[33] -1	0	0x00001440 - 0x0000145f (0x20) IX[B]
	[34] 0	0	0x000003b0 - 0x000003bb (0xc) IS[B](OprU)
	[35] 0	0	0x000003c0 - 0x000003df (0x20) IS[B](OprU)
(II) NVIDIA(0): Setting mode "1280x1024"
(II) Loading extension NV-GLX
(II) NVIDIA(0): NVIDIA 3D Acceleration Architecture Initialized
(II) NVIDIA(0): Using the NVIDIA 2D acceleration architecture
(==) NVIDIA(0): Backing store disabled
(==) NVIDIA(0): Silken mouse enabled
(**) Option "dpms"
(**) NVIDIA(0): DPMS enabled
(II) Loading extension NV-CONTROL
(==) RandR enabled
(II) Initializing built-in extension MIT-SHM
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XC-APPGROUP
(II) Initializing built-in extension XAccessControlExtension
(II) Initializing built-in extension SECURITY
(II) Initializing built-in extension SELinux
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension XFree86-Bigfont
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
(II) Initializing built-in extension XEVIE
(II) Initializing extension GLX
XSELinux: Line 11 of /home/jcdxdev/tmp/modular/lib/xserver/XSELinuxConfig is invalid

Fatal server error:
XSELinux: Failed to load security policy

Re: [PATCH] refpolicy: add X object classes to unconfined_t

[Eamon Walsh]

[-- Attachment #1: Type: text/plain, Size: 1647 bytes --]

On Wed, 2006-11-29 at 16:34 -0600, Xavier Toth wrote:
> Humm I attached the log to my last post anyway I attached it again. I
> have been able to run Xorg under the targeted policy (permissive mode)
> after I chcon'd it to the same context as the Xorg in /usr/bin. Now
> I'm trying to get it working under the MLS permissive policy which
> doesn't have the unconfined_t type. Under MLS Xorg gets labeled as
> type bin_t so I chcon'd my Xorg to match and edited XSELinuxConfig
> replacing unconfined_t with bin_t. However the result of my simplistic
> approach is that Xorg fails to start complaining:
> XSELinux: Line 11 of
> /home/jcdxdev/tmp/modular/lib/xserver/XSELinuxConfig is invalid
> 
> Fatal server error:
> XSELinux: Failed to load security policy
> 
> Any suggestions?

The type of the Xorg executable itself is not what goes in the
XSELinuxConfig file.  The types in the file are for internal X objects
such as windows that are managed by the SELinux control code in the X
server.

Try the the attached .te file.  It works for me with MLS policy in
permissive mode.  Use the instructions mentioned earlier to build it and
load it into your policy (URL below).

You also need to add the following line to XSELinuxConfig:
root_window_context       system_u:object_r:root_window_t:s1
I just fixed this in git.

Again, this is going to create loads of denial messages in the Xorg log
file.  The next step is to flesh out the .te file with appropriate allow
rules; something I haven't gotten around to yet.

http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-local.te


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

[-- Attachment #2: local.te --]
[-- Type: text/plain, Size: 874 bytes --]

policy_module(local, 1.0)

require {
	class drawable all_drawable_perms;
	class window all_window_perms;
	class gc all_gc_perms;
	class font all_font_perms;
	class colormap all_colormap_perms;
	class property all_property_perms;
	class cursor all_cursor_perms;  
	class xclient all_xclient_perms;
	class xserver all_xserver_perms;
	class xinput all_xinput_perms;
	class xextension all_xextension_perms;
}

# Type for remotely connected X clients
type remote_xclient_t;

# Type for the root window
type root_window_t;

# Types for properties 
type wm_property_t;
type cut_buffer_property_t;
type unknown_property_t;

# Types for extensions
type std_ext_t;
type screensaver_ext_t;
type font_ext_t;
type shmem_ext_t;
type accelgraphics_ext_t;
type debug_ext_t;
type sync_ext_t;
type windowmgr_ext_t;
type video_ext_t;
type input_ext_t;
type security_ext_t;
type unknown_ext_t;

XACE and MLS

[Ted X Toth]

We are interested in using X and an associated desktop/window manager 
(most likely GNOME/Metacity) in an MLS environment and I'm trying to 
figure out what all needs to be addressed to get there. A couple of 
areas that I've thought about so far are window labeling and cut and 
paste. For window labeling the window manager ought to be able to use 
the context of it X server connection to decorate the window with the 
level but what happens if for example a user does a newrole and changes 
their level? For cut and paste dominance checks are needed would it be 
reasonable to do these as an extension of the XACE and if so where can I 
find out more about how to do this and if not where then?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XACE and MLS

[Eamon Walsh]

Ted X Toth wrote:
> We are interested in using X and an associated desktop/window manager 
> (most likely GNOME/Metacity) in an MLS environment and I'm trying to 
> figure out what all needs to be addressed to get there. A couple of 
> areas that I've thought about so far are window labeling and cut and 
> paste. For window labeling the window manager ought to be able to use 
> the context of it X server connection to decorate the window with the 
> level but what happens if for example a user does a newrole and changes 
> their level? 

The XSELinux extension provides window properties that can be used by 
the window manager in the same manner as the usual WM_NAME, WM_COMMAND, 
etc.  The one currently available is _SELINUX_CLIENT_CONTEXT which 
contains the domain of the connected process.  Others will be introduced 
in the future in particular _SELINUX_CONTEXT which will contain the 
context of the window itself.

Here's a screen shot of a hacked twm that displays this property in 
place of the usual window title:
http://people.freedesktop.org/~ewalsh/twm-demo.png

Note that what's really needed for proper labeling however is a 
server-controlled, secure area of the screen that clients can't draw 
into.  There could be spoofing attacks otherwise.

> For cut and paste dominance checks are needed would it be 
> reasonable to do these as an extension of the XACE and if so where can I 
> find out more about how to do this and if not where then?

It depends on which cut & paste.  The X server provides two methods: cut 
buffers, which are implemented as properties on the root window, and 
selections, which are implemented using a convoluted method of setting 
properties on client windows and sending notification events.  I believe 
that both of these methods should be securable using the XSELinux 
extension although ths work has not been done just yet.

Other cut & paste functionality may be provided by higher-level layers 
such as toolkits (GTK+) or desktop systems (GNOME, etc).  I have no 
knowledge of these areas.

A good reference for X cut & paste is the xlib.PS document in the 
xorg-docs package.  The basic SELinux X classes and permissions are 
described in the "Securing the X Window System with SELinux" paper on 
www.nsa.gov/selinux.

-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.