* X server won't start using MLS policy
@ 2007-04-11 18:36 Mark Webb
From: Mark Webb @ 2007-04-11 18:36 UTC (permalink / raw)
To: selinux
I have followed the instructions at
http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install the
MLS policy. I have it working under Fedora Core 6, but when I boot to
runlevel 5, I get an error saying that the X server cannot be started.
Does anyone know how to fix this problem?
Thanks
--
..Cheers
Mark
* Re: X server won't start using MLS policy
From: Stephen Smalley @ 2007-04-11 18:49 UTC (permalink / raw)
To: Mark Webb; +Cc: selinux
On Wed, 2007-04-11 at 14:36 -0400, Mark Webb wrote:
> I have followed the instructions at
> http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install
> the MLS policy. I have it working under Fedora Core 6, but when I
> boot to runlevel 5, I get an error saying that the X server cannot be
> started.
>
> Does anyone know how to fix this problem?
The MLS work has focused on servers to date since we need XACE/XSELinux
fully mainstreamed before we can provide proper support on the desktop.
So it isn't surprising that the MLS policy doesn't work with X at
present.
Do you get avc denials in your /var/log/audit/audit.log
or /var/log/messages?
If not, try installing enableaudit.pp and retrying to collect audit
messages.
I think there was also a post to fedora-selinux-list circa 28 Dec 2006
by a user with a copy of changes he found necessary to the strict policy
to get X working fully, so that might be helpful. Not sure how many of
those were legitimate or how many found their way into the upstream
policy.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: X server won't start using MLS policy
From: Mark Webb @ 2007-04-11 19:29 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Thanks for getting back to me. I have attached my /var/log/messages file.
It appears that the binaries gdm-binary and Xorg do not have proper access.
--
..Cheers
Mark
On 4/11/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Wed, 2007-04-11 at 14:36 -0400, Mark Webb wrote:
> > I have followed the instructions at
> > http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install
> > the MLS policy. I have it working under Fedora Core 6, but when I
> > boot to runlevel 5, I get an error saying that the X server cannot be
> > started.
> >
> > Does anyone know how to fix this problem?
>
> The MLS work has focused on servers to date since we need XACE/XSELinux
> fully mainstreamed before we can provide proper support on the desktop.
> So it isn't surprising that the MLS policy doesn't work with X at
> present.
>
> Do you get avc denials in your /var/log/audit/audit.log
> or /var/log/messages?
>
> If not, try installing enableaudit.pp and retrying to collect audit
> messages.
>
> I think there was also a post to fedora-selinux-list circa 28 Dec 2006
> by a user with a copy of changes he found necessary to the strict policy
> to get X working fully, so that might be helpful. Not sure how many of
> those were legitimate or how many found their way into the upstream
> policy.
>
> --
> Stephen Smalley
> National Security Agency
>
>
* Re: X server won't start using MLS policy
From: Mark Webb @ 2007-04-11 19:35 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Sorry about the HTML. I sometimes forget Gmail defaults to HTML.
One question for you, will running audit2allow 'break' the MLS posture
of the machine?
Thank you.
--
..Cheers
Mark
On 4/11/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2007-04-11 at 15:29 -0400, Mark Webb wrote:
> > Thanks for getting back to me. I have attached my /var/log/messages
> > file. It appears that the binaries gdm-binary and Xorg do not have
> > proper access.
>
> No attachment, and please disable html mail when posting to public
> lists.
>
> You can use audit2allow to generate a local policy module to allow such
> permissions until the main policy is updated; see the Fedora SELinux
> FAQ.
>
> --
> Stephen Smalley
> National Security Agency
>
>
[-- Attachment #2: messages --]
[-- Type: application/octet-stream, Size: 14424 bytes --]
Apr 11 12:24:05 mymachine kernel: audit(1176308645.494:41): avc: denied { setattr } for pid=2657 comm="gdm-binary" name="gdm" dev=dm-0 ino=229398 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:24:05 mymachine kernel: audit(1176308645.511:42): avc: denied { create } for pid=2657 comm="gdm-binary" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
Apr 11 12:24:05 mymachine kernel: audit(1176308645.517:43): avc: denied { write } for pid=2657 comm="gdm-binary" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
Apr 11 12:24:05 mymachine kernel: audit(1176308645.520:44): avc: denied { nlmsg_relay } for pid=2657 comm="gdm-binary" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
Apr 11 12:24:05 mymachine kernel: audit(1176308645.522:45): avc: denied { read } for pid=2657 comm="gdm-binary" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
Apr 11 12:24:05 mymachine kernel: audit(1176308645.532:46): avc: denied { remove_name } for pid=2657 comm="gdm-binary" name=".gdmfifo" dev=dm-0 ino=229506 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:24:05 mymachine kernel: audit(1176308645.534:47): avc: denied { unlink } for pid=2657 comm="gdm-binary" name=".gdmfifo" dev=dm-0 ino=229506 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.538:48): avc: denied { add_name } for pid=2657 comm="gdm-binary" name=".gdmfifo" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:24:05 mymachine kernel: audit(1176308645.540:49): avc: denied { create } for pid=2657 comm="gdm-binary" name=".gdmfifo" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.541:50): avc: denied { read write } for pid=2657 comm="gdm-binary" name=".gdmfifo" dev=dm-0 ino=229506 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.543:51): avc: denied { setattr } for pid=2657 comm="gdm-binary" name=".gdmfifo" dev=dm-0 ino=229506 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.548:52): avc: denied { create } for pid=2657 comm="gdm-binary" name=".gdm_socket" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.552:53): avc: denied { setattr } for pid=2657 comm="gdm-binary" name=".gdm_socket" dev=dm-0 ino=261126 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.558:54): avc: denied { unlink } for pid=2657 comm="gdm-binary" name=".cookie" dev=dm-0 ino=229505 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.561:55): avc: denied { create } for pid=2657 comm="gdm-binary" name=".cookie" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.566:56): avc: denied { write } for pid=2657 comm="gdm-binary" name=".cookie" dev=dm-0 ino=229505 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.625:57): avc: denied { search } for pid=2657 comm="gdm-binary" name=".pk11ipc1" dev=dm-0 ino=261134 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=dir
Apr 11 12:24:05 mymachine kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:xdm_tmp_t:s0) returned 22 for dev=dm-0 ino=261135
Apr 11 12:24:05 mymachine kernel: audit(1176308645.632:58): avc: denied { read write } for pid=2657 comm="gdm-binary" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=dm-0 ino=261135 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
Apr 11 12:24:05 mymachine pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 11 12:24:05 mymachine last message repeated 3 times
Apr 11 12:24:05 mymachine kernel: audit(1176308645.658:59): avc: denied { unlink } for pid=2686 comm="gdm-binary" name=":0.Xauth" dev=dm-0 ino=229527 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.660:60): avc: denied { create } for pid=2686 comm="gdm-binary" name=":0.Xauth" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.662:61): avc: denied { write } for pid=2686 comm="gdm-binary" name=":0.Xauth" dev=dm-0 ino=229527 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.709:62): avc: denied { create } for pid=2693 comm="Xorg" name="X0" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.742:63): avc: denied { write } for pid=2686 comm="gdm-binary" name="X0" dev=dm-0 ino=261129 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.747:64): avc: denied { write } for pid=2693 comm="Xorg" name="acpid.socket" dev=dm-0 ino=229465 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:apmd_var_run_t:s0 tclass=sock_file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.747:65): avc: denied { connectto } for pid=2693 comm="Xorg" name="acpid.socket" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:apmd_t:s0-s15:c0.c1023 tclass=unix_stream_socket
Apr 11 12:24:05 mymachine kernel: audit(1176308645.799:66): avc: denied { write } for pid=2693 comm="Xorg" name="0f.0" dev=proc ino=-268435035 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.882:67): avc: denied { write } for pid=2693 comm="Xorg" name="mtrr" dev=proc ino=-268435173 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
Apr 11 12:24:05 mymachine kernel: audit(1176308645.887:68): avc: denied { ioctl } for pid=2693 comm="Xorg" name="mtrr" dev=proc ino=-268435173 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
Apr 11 12:24:06 mymachine kernel: mtrr: your processor doesn't support write-combining
Apr 11 12:24:06 mymachine kernel: audit(1176308646.228:69): avc: denied { read write } for pid=2693 comm="Xorg" name="mice" dev=tmpfs ino=3476 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
Apr 11 12:24:06 mymachine kernel: audit(1176308646.238:70): avc: denied { ioctl } for pid=2693 comm="Xorg" name="mice" dev=tmpfs ino=3476 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
Apr 11 12:24:08 mymachine kernel: audit(1176308648.970:71): avc: denied { getattr } for pid=2693 comm="Xorg" name="mice" dev=tmpfs ino=3476 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
Apr 11 12:24:14 mymachine kernel: audit(1176308654.116:72): avc: denied { read } for pid=2693 comm="Xorg" name=":0.Xauth" dev=dm-0 ino=229527 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
Apr 11 12:24:14 mymachine kernel: audit(1176308654.322:73): avc: denied { write } for pid=2712 comm="gdmgreeter" name=".gdm_socket" dev=dm-0 ino=261126 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
Apr 11 12:24:14 mymachine kernel: audit(1176308654.375:74): avc: denied { read } for pid=2712 comm="gdmgreeter" name="0251a5afa6ac727a1e32b7d4d4aa7cf0-x86.cache-2" dev=dm-0 ino=229456 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file
Apr 11 12:24:14 mymachine kernel: audit(1176308654.995:75): avc: denied { create } for pid=2712 comm="gdmgreeter" key=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=shm
Apr 11 12:24:15 mymachine kernel: audit(1176308654.999:76): avc: denied { unix_read unix_write } for pid=2712 comm="gdmgreeter" key=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=shm
Apr 11 12:24:15 mymachine kernel: audit(1176308654.999:77): avc: denied { read write } for pid=2712 comm="gdmgreeter" key=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=shm
Apr 11 12:24:15 mymachine kernel: audit(1176308654.999:78): avc: denied { read write } for pid=2712 comm="gdmgreeter" name="SYSV00000000" dev=tmpfs ino=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Apr 11 12:24:15 mymachine kernel: audit(1176308655.000:79): avc: denied { getattr associate } for pid=2693 comm="Xorg" key=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=shm
Apr 11 12:24:15 mymachine kernel: audit(1176308655.001:80): avc: denied { destroy } for pid=2712 comm="gdmgreeter" key=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=shm
Apr 11 12:24:37 mymachine kernel: audit(1176308677.547:81): avc: denied { remove_name } for pid=2686 comm="gdm-binary" name=":0.Xauth" dev=dm-0 ino=229527 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:24:38 mymachine kudzu[2761]: obsolete kudzu ddcProbe called
Apr 11 12:24:39 mymachine kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Apr 11 12:24:39 mymachine kernel: SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Apr 11 12:24:39 mymachine hpiod: 1.6.12 accepting connections at 2208...
Apr 11 12:26:26 mymachine kernel: audit(1176308786.131:82): enforcing=1 old_enforcing=0 auid=4294967295
Apr 11 12:26:26 mymachine dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Apr 11 12:26:33 mymachine kernel: audit(1176308793.953:83): avc: denied { setattr } for pid=3183 comm="gdm-binary" name="gdm" dev=dm-0 ino=229398 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:33 mymachine kernel: audit(1176308793.954:84): avc: denied { setattr } for pid=3183 comm="gdm-binary" name="gdm" dev=dm-0 ino=229398 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:34 mymachine kernel: audit(1176308794.067:85): avc: denied { create } for pid=3183 comm="gdm-binary" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
Apr 11 12:26:34 mymachine kernel: audit(1176308794.082:86): avc: denied { add_name } for pid=3183 comm="gdm-binary" name=".gdmfifo" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:34 mymachine gdm[3183]: gdm_connection_open_fifo: Could not make FIFO
Apr 11 12:26:34 mymachine kernel: audit(1176308794.087:87): avc: denied { create } for pid=3183 comm="gdm-binary" name=".gdm_socket" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
Apr 11 12:26:34 mymachine gdm[3183]: gdm_connection_open_unix: Could not bind socket
Apr 11 12:26:34 mymachine kernel: audit(1176308794.198:88): avc: denied { remove_name } for pid=3183 comm="gdm-binary" name=".cookie" dev=dm-0 ino=229505 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:34 mymachine kernel: audit(1176308794.199:89): avc: denied { remove_name } for pid=3183 comm="gdm-binary" name=".cookie" dev=dm-0 ino=229505 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:34 mymachine gdm[3183]: Can't open /var/gdm/.cookie for writing
Apr 11 12:26:34 mymachine kernel: audit(1176308794.223:90): avc: denied { search } for pid=3183 comm="gdm-binary" name=".pk11ipc1" dev=dm-0 ino=261134 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=dir
Apr 11 12:26:34 mymachine kernel: audit(1176308794.223:91): avc: denied { search } for pid=3183 comm="gdm-binary" name=".pk11ipc1" dev=dm-0 ino=261134 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=dir
Apr 11 12:26:34 mymachine pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 11 12:26:34 mymachine last message repeated 3 times
Apr 11 12:26:34 mymachine kernel: audit(1176308794.332:92): avc: denied { add_name } for pid=3212 comm="gdm-binary" name=":0.Xauth" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:34 mymachine gdm[3212]: gdm_auth_secure_display: Cannot safely open /var/gdm/:0.Xauth
Apr 11 12:26:35 mymachine gdm[3183]: gdm_child_action: Aborting display :0
* Re: X server won't start using MLS policy
From: Stephen Smalley @ 2007-04-11 19:45 UTC (permalink / raw)
To: Mark Webb; +Cc: selinux, Daniel J Walsh
On Wed, 2007-04-11 at 15:35 -0400, Mark Webb wrote:
> Sorry about the HTML. I sometimes forget Gmail defaults to HTML.
> One question for you, will running audit2allow 'break' the MLS posture
> of the machine?
Hmmm...per your messages file, gdm-binary is running in initrc_t,
whereas it would normally be running in xdm_t. Looks like the -mls
policy in Fedora doesn't even include the definitions for the X-related
domains (unlike the -strict policy). So I think you need to build your
own policy from upstream refpolicy if you want X support.
Running audit2allow won't affect the MLS constraints, but the real
question is whether you can actually use X in a MLS environment without
XACE/XSELinux; you'd be limited to single-level-at-a-time desktop.
--
Stephen Smalley
National Security Agency
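Stephen's diagnosis above comes from reading the scontext of the denials rather than the permissions. The following is an added example, not code from this thread or from the SELinux project: it parses AVC lines of the shape found in the attached messages file, flags processes whose source domain is not the expected one (gdm-binary should run in xdm_t, as the thread states; the Xorg to xdm_xserver_t entry is an assumption from refpolicy naming), and lists the allow rules an audit2allow-style pass would derive from the same lines, every one of which widens initrc_t instead of restoring the missing transition. The sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "messages" attachment in this thread.
SAMPLE_LOG = """\
Apr 11 12:26:33 mymachine kernel: audit(1176308793.953:83): avc: denied { setattr } for pid=3183 comm="gdm-binary" name="gdm" dev=dm-0 ino=229398 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 11 12:26:34 mymachine gdm[3183]: gdm_connection_open_fifo: Could not make FIFO
Apr 11 12:24:05 mymachine kernel: audit(1176308645.709:62): avc: denied { create } for pid=2693 comm="Xorg" name="X0" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
Apr 11 12:24:15 mymachine kernel: audit(1176308654.999:77): avc: denied { read write } for pid=2712 comm="gdmgreeter" key=0 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=shm
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domain each process should run in. gdm-binary -> xdm_t is what the thread
# states; the Xorg entry is an assumption taken from refpolicy naming.
EXPECTED_DOMAIN = {'gdm-binary': 'xdm_t', 'Xorg': 'xdm_xserver_t'}

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS range is absent on non-MLS policy."""
    parts = ctx.split(':', 3)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) > 3 else None}

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'pid': int(fields['pid']) if 'pid' in fields else None,
            'tclass': fields.get('tclass'),
            'scontext': parse_context(fields['scontext']),
            'tcontext': parse_context(fields['tcontext'])}

def mislabelled_domains(log_text):
    """comm -> set of source domains seen, for processes not in their expected domain."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['comm']:
            seen[rec['comm']].add(rec['scontext']['type'])
    return {comm: doms for comm, doms in seen.items()
            if comm in EXPECTED_DOMAIN and EXPECTED_DOMAIN[comm] not in doms}

def allow_rules(log_text):
    """Allow rules an audit2allow-style pass would derive from the same lines,
    merged by (source type, target type, class). Every rule here grants more to
    initrc_t; none of them makes gdm transition into xdm_t."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt = rec['scontext']['type'], rec['tcontext']['type']
            rules[(src, 'self' if src == tgt else tgt, rec['tclass'])].update(rec['perms'])
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in rules.items())

if __name__ == '__main__':
    for comm, doms in mislabelled_domains(SAMPLE_LOG).items():
        print('%s runs in %s, expected %s' % (comm, ','.join(doms), EXPECTED_DOMAIN[comm]))
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```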
* Re: X server won't start using MLS policy
From: Daniel J Walsh @ 2007-04-11 20:30 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Mark Webb, selinux
Stephen Smalley wrote:
> On Wed, 2007-04-11 at 15:35 -0400, Mark Webb wrote:
>
>> Sorry about the HTML. I sometimes forget Gmail defaults to HTML.
>> One question for you, will running audit2allow 'break' the MLS posture
>> of the machine?
>>
>
> Hmmm...per your messages file, gdm-binary is running in initrc_t,
> whereas it would normally be running in xdm_t. Looks like the -mls
> policy in Fedora doesn't even include the definitions for the X-related
> domains (unlike the -strict policy). So I think you need to build your
> own policy from upstream refpolicy if you want X support.
>
> Running audit2allow won't affect the MLS constraints, but the real
> question is whether you can actually use X in a MLS environment without
> XACE/XSELinux; you'd be limited to single-level-at-a-time desktop.
>
>
MLS Policy does not include any of the X-Windows or Desktop Client
modules. So X is not supported on a MLS/LSPP machine. Getting a
Desktop Client to work would require work on XACE/XSELinux as well as
changes to many other apps like gconf/orbits etc.