From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l3BIan9C007975 for ; Wed, 11 Apr 2007 14:36:49 -0400 Received: from an-out-0708.google.com (jazzhorn.ncsc.mil [144.51.5.9]) by jazzhorn.ncsc.mil (8.12.10/8.12.10) with ESMTP id l3BIajT2003125 for ; Wed, 11 Apr 2007 18:36:47 GMT Received: by an-out-0708.google.com with SMTP id d33so308887and for ; Wed, 11 Apr 2007 11:36:33 -0700 (PDT) Message-ID: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> Date: Wed, 11 Apr 2007 14:36:31 -0400 From: "Mark Webb" To: selinux@tycho.nsa.gov Subject: X server won't start using MLS policy MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_14373_24310336.1176316591500" Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov ------=_Part_14373_24310336.1176316591500 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline I have followed the instructions at http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install the MLS policy. I have it working under Fedora Core 6, but when I boot to runlevel 5, I get an error saying that the X server cannot be started. Does anyone know how to fix this problem? Thanks -- ..Cheers Mark ------=_Part_14373_24310336.1176316591500 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline I have followed the instructions at http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install the MLS policy.  I have it working under Fedora Core 6, but when I boot to runlevel 5, I get an error saying that the X server cannot be started.

Does anyone know how to fix this problem?

Thanks

--
..Cheers
Mark ------=_Part_14373_24310336.1176316591500-- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: Re: X server won't start using MLS policy From: Stephen Smalley To: Mark Webb Cc: selinux@tycho.nsa.gov In-Reply-To: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> References: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> Content-Type: text/plain Date: Wed, 11 Apr 2007 14:49:51 -0400 Message-Id: <1176317391.3986.44.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On Wed, 2007-04-11 at 14:36 -0400, Mark Webb wrote: > I have followed the instructions at > http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install > the MLS policy. I have it working under Fedora Core 6, but when I > boot to runlevel 5, I get an error saying that the X server cannot be > started. > > Does anyone know how to fix this problem? The MLS work has focused on servers to date since we need XACE/XSELinux fully mainstreamed before we can provide proper support on the desktop. So it isn't surprising that the MLS policy doesn't work with X at present. Do you get avc denials in your /var/log/audit/audit.log or /var/log/messages? If not, try installing enableaudit.pp and retrying to collect audit messages. I thiink there was also a post to fedora-selinux-list circa 28 Dec 2006 by a user with a copy of changes he found necessary to the strict policy to get X working fully, so that might be helpful. Not sure how many of those were legitimate or how many found their way into the upstream policy. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l3BJTYV2010995 for ; Wed, 11 Apr 2007 15:29:34 -0400 Received: from an-out-0708.google.com (jazzdrum.ncsc.mil [144.51.5.7]) by jazzdrum.ncsc.mil (8.12.10/8.12.10) with ESMTP id l3BJTVGQ001495 for ; Wed, 11 Apr 2007 19:29:32 GMT Received: by an-out-0708.google.com with SMTP id d33so326912and for ; Wed, 11 Apr 2007 12:29:31 -0700 (PDT) Message-ID: <9f066ee90704111229n4e876e00kd5a5722ff00141ad@mail.gmail.com> Date: Wed, 11 Apr 2007 15:29:30 -0400 From: "Mark Webb" To: "Stephen Smalley" Subject: Re: X server won't start using MLS policy Cc: selinux@tycho.nsa.gov In-Reply-To: <1176317391.3986.44.camel@moss-spartans.epoch.ncsc.mil> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_15185_13815286.1176319770964" References: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> <1176317391.3986.44.camel@moss-spartans.epoch.ncsc.mil> Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov ------=_Part_15185_13815286.1176319770964 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Thanks for getting back to me. I have attached my /var/log/messages file. It appears that the binaries gdm-binary and Xorg do not have proper access. -- ..Cheers Mark On 4/11/07, Stephen Smalley wrote: > > On Wed, 2007-04-11 at 14:36 -0400, Mark Webb wrote: > > I have followed the instructions at > > http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install > > the MLS policy. I have it working under Fedora Core 6, but when I > > boot to runlevel 5, I get an error saying that the X server cannot be > > started. > > > > Does anyone know how to fix this problem? > > The MLS work has focused on servers to date since we need XACE/XSELinux > fully mainstreamed before we can provide proper support on the desktop. > So it isn't surprising that the MLS policy doesn't work with X at > present. > > Do you get avc denials in your /var/log/audit/audit.log > or /var/log/messages? > > If not, try installing enableaudit.pp and retrying to collect audit > messages. > > I thiink there was also a post to fedora-selinux-list circa 28 Dec 2006 > by a user with a copy of changes he found necessary to the strict policy > to get X working fully, so that might be helpful. Not sure how many of > those were legitimate or how many found their way into the upstream > policy. > > -- > Stephen Smalley > National Security Agency > > ------=_Part_15185_13815286.1176319770964 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Thanks for getting back to me.  I have attached my /var/log/messages file.  It appears that the binaries gdm-binary and Xorg do not have proper access.

--
..Cheers
Mark

On 4/11/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
On Wed, 2007-04-11 at 14:36 -0400, Mark Webb wrote:
> I have followed the instructions at
> http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto on how to install
> the MLS policy.  I have it working under Fedora Core 6, but when I
> boot to runlevel 5, I get an error saying that the X server cannot be
> started.
>
> Does anyone know how to fix this problem?

The MLS work has focused on servers to date since we need XACE/XSELinux
fully mainstreamed before we can provide proper support on the desktop.
So it isn't surprising that the MLS policy doesn't work with X at
present.

Do you get avc denials in your /var/log/audit/audit.log
or /var/log/messages?

If not, try installing enableaudit.pp and retrying to collect audit
messages.

I thiink there was also a post to fedora-selinux-list circa 28 Dec 2006
by a user with a copy of changes he found necessary to the strict policy
to get X working fully, so that might be helpful.  Not sure how many of
those were legitimate or how many found their way into the upstream
policy.

--
Stephen Smalley
National Security Agency


------=_Part_15185_13815286.1176319770964-- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l3BJZqPq011407 for ; Wed, 11 Apr 2007 15:35:52 -0400 Received: from an-out-0708.google.com (jazzhorn.ncsc.mil [144.51.5.9]) by jazzhorn.ncsc.mil (8.12.10/8.12.10) with ESMTP id l3BJZoT2012186 for ; Wed, 11 Apr 2007 19:35:50 GMT Received: by an-out-0708.google.com with SMTP id d33so329031and for ; Wed, 11 Apr 2007 12:35:50 -0700 (PDT) Message-ID: <9f066ee90704111235n5cadfc03s66230aacf254156d@mail.gmail.com> Date: Wed, 11 Apr 2007 15:35:48 -0400 From: "Mark Webb" To: "Stephen Smalley" Subject: Re: X server won't start using MLS policy Cc: selinux@tycho.nsa.gov In-Reply-To: <1176319951.3986.54.camel@moss-spartans.epoch.ncsc.mil> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_15313_14163141.1176320148956" References: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> <1176317391.3986.44.camel@moss-spartans.epoch.ncsc.mil> <9f066ee90704111229n4e876e00kd5a5722ff00141ad@mail.gmail.com> <1176319951.3986.54.camel@moss-spartans.epoch.ncsc.mil> Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov ------=_Part_15313_14163141.1176320148956 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sorry about the HTML. I sometimes forget Gmail defaults to HTML. One question for you, will running audit2allow 'break' the MLS posture of the machine? Thank you. -- ..Cheers Mark On 4/11/07, Stephen Smalley wrote: > On Wed, 2007-04-11 at 15:29 -0400, Mark Webb wrote: > > Thanks for getting back to me. I have attached my /var/log/messages > > file. It appears that the binaries gdm-binary and Xorg do not have > > proper access. > > No attachment, and please disable html mail when posting to public > lists. > > You can use audit2allow to generate a local policy module to allow such > permissions until the main policy is updated; see the Fedora SELinux > FAQ. > > -- > Stephen Smalley > National Security Agency > > ------=_Part_15313_14163141.1176320148956 Content-Type: application/octet-stream; name=messages Content-Transfer-Encoding: base64 X-Attachment-Id: f_f0e6jsbj Content-Disposition: attachment; filename="messages" QXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuNDk0OjQx KTogYXZjOiAgZGVuaWVkICB7IHNldGF0dHIgfSBmb3IgIHBpZD0yNjU3IGNvbW09ImdkbS1iaW5h cnkiIG5hbWU9ImdkbSIgZGV2PWRtLTAgaW5vPTIyOTM5OCBzY29udGV4dD1zeXN0ZW1fdTpzeXN0 ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6 dmFyX3Q6czAgdGNsYXNzPWRpcgpBcHIgMTEgMTI6MjQ6MDUgbXltYWNoaW5lIGtlcm5lbDogYXVk aXQoMTE3NjMwODY0NS41MTE6NDIpOiBhdmM6ICBkZW5pZWQgIHsgY3JlYXRlIH0gZm9yICBwaWQ9 MjY1NyBjb21tPSJnZG0tYmluYXJ5IiBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNf dDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAt czE1OmMwLmMxMDIzIHRjbGFzcz1uZXRsaW5rX2F1ZGl0X3NvY2tldApBcHIgMTEgMTI6MjQ6MDUg bXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0NS41MTc6NDMpOiBhdmM6ICBkZW5pZWQg IHsgd3JpdGUgfSBmb3IgIHBpZD0yNjU3IGNvbW09ImdkbS1iaW5hcnkiIHNjb250ZXh0PXN5c3Rl bV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpz eXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNsYXNzPW5ldGxpbmtfYXVkaXRfc29j a2V0CkFwciAxMSAxMjoyNDowNSBteW1hY2hpbmUga2VybmVsOiBhdWRpdCgxMTc2MzA4NjQ1LjUy MDo0NCk6IGF2YzogIGRlbmllZCAgeyBubG1zZ19yZWxheSB9IGZvciAgcGlkPTI2NTcgY29tbT0i Z2RtLWJpbmFyeSIgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMw LmMxMDIzIHRjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAy MyB0Y2xhc3M9bmV0bGlua19hdWRpdF9zb2NrZXQKQXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBr ZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuNTIyOjQ1KTogYXZjOiAgZGVuaWVkICB7IHJlYWQgfSBm b3IgIHBpZD0yNjU3IGNvbW09ImdkbS1iaW5hcnkiIHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9y OmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0 cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNsYXNzPW5ldGxpbmtfYXVkaXRfc29ja2V0CkFwciAxMSAx MjoyNDowNSBteW1hY2hpbmUga2VybmVsOiBhdWRpdCgxMTc2MzA4NjQ1LjUzMjo0Nik6IGF2Yzog IGRlbmllZCAgeyByZW1vdmVfbmFtZSB9IGZvciAgcGlkPTI2NTcgY29tbT0iZ2RtLWJpbmFyeSIg bmFtZT0iLmdkbWZpZm8iIGRldj1kbS0wIGlubz0yMjk1MDYgc2NvbnRleHQ9c3lzdGVtX3U6c3lz dGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9y OnZhcl90OnMwIHRjbGFzcz1kaXIKQXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1 ZGl0KDExNzYzMDg2NDUuNTM0OjQ3KTogYXZjOiAgZGVuaWVkICB7IHVubGluayB9IGZvciAgcGlk PTI2NTcgY29tbT0iZ2RtLWJpbmFyeSIgbmFtZT0iLmdkbWZpZm8iIGRldj1kbS0wIGlubz0yMjk1 MDYgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRj b250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnZhcl90OnMwIHRjbGFzcz1maWZvX2ZpbGUKQXByIDEx IDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuNTM4OjQ4KTogYXZj OiAgZGVuaWVkICB7IGFkZF9uYW1lIH0gZm9yICBwaWQ9MjY1NyBjb21tPSJnZG0tYmluYXJ5IiBu YW1lPSIuZ2RtZmlmbyIgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1 OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnZhcl90OnMwIHRjbGFzcz1kaXIK QXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuNTQwOjQ5 KTogYXZjOiAgZGVuaWVkICB7IGNyZWF0ZSB9IGZvciAgcGlkPTI2NTcgY29tbT0iZ2RtLWJpbmFy eSIgbmFtZT0iLmdkbWZpZm8iIHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMw LXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmplY3Rfcjp2YXJfdDpzMCB0Y2xhc3M9 Zmlmb19maWxlCkFwciAxMSAxMjoyNDowNSBteW1hY2hpbmUga2VybmVsOiBhdWRpdCgxMTc2MzA4 NjQ1LjU0MTo1MCk6IGF2YzogIGRlbmllZCAgeyByZWFkIHdyaXRlIH0gZm9yICBwaWQ9MjY1NyBj b21tPSJnZG0tYmluYXJ5IiBuYW1lPSIuZ2RtZmlmbyIgZGV2PWRtLTAgaW5vPTIyOTUwNiBzY29u dGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9 c3lzdGVtX3U6b2JqZWN0X3I6dmFyX3Q6czAgdGNsYXNzPWZpZm9fZmlsZQpBcHIgMTEgMTI6MjQ6 MDUgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0NS41NDM6NTEpOiBhdmM6ICBkZW5p ZWQgIHsgc2V0YXR0ciB9IGZvciAgcGlkPTI2NTcgY29tbT0iZ2RtLWJpbmFyeSIgbmFtZT0iLmdk bWZpZm8iIGRldj1kbS0wIGlubz0yMjk1MDYgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5p dHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnZhcl90OnMw IHRjbGFzcz1maWZvX2ZpbGUKQXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0 KDExNzYzMDg2NDUuNTQ4OjUyKTogYXZjOiAgZGVuaWVkICB7IGNyZWF0ZSB9IGZvciAgcGlkPTI2 NTcgY29tbT0iZ2RtLWJpbmFyeSIgbmFtZT0iLmdkbV9zb2NrZXQiIHNjb250ZXh0PXN5c3RlbV91 OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmpl Y3Rfcjp0bXBfdDpzMCB0Y2xhc3M9c29ja19maWxlCkFwciAxMSAxMjoyNDowNSBteW1hY2hpbmUg a2VybmVsOiBhdWRpdCgxMTc2MzA4NjQ1LjU1Mjo1Myk6IGF2YzogIGRlbmllZCAgeyBzZXRhdHRy IH0gZm9yICBwaWQ9MjY1NyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSIuZ2RtX3NvY2tldCIgZGV2 PWRtLTAgaW5vPTI2MTEyNiBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1z MTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6dG1wX3Q6czAgdGNsYXNzPXNv Y2tfZmlsZQpBcHIgMTEgMTI6MjQ6MDUgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0 NS41NTg6NTQpOiBhdmM6ICBkZW5pZWQgIHsgdW5saW5rIH0gZm9yICBwaWQ9MjY1NyBjb21tPSJn ZG0tYmluYXJ5IiBuYW1lPSIuY29va2llIiBkZXY9ZG0tMCBpbm89MjI5NTA1IHNjb250ZXh0PXN5 c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1f dTpvYmplY3Rfcjp2YXJfdDpzMCB0Y2xhc3M9ZmlsZQpBcHIgMTEgMTI6MjQ6MDUgbXltYWNoaW5l IGtlcm5lbDogYXVkaXQoMTE3NjMwODY0NS41NjE6NTUpOiBhdmM6ICBkZW5pZWQgIHsgY3JlYXRl IH0gZm9yICBwaWQ9MjY1NyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSIuY29va2llIiBzY29udGV4 dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lz dGVtX3U6b2JqZWN0X3I6dmFyX3Q6czAgdGNsYXNzPWZpbGUKQXByIDExIDEyOjI0OjA1IG15bWFj aGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuNTY2OjU2KTogYXZjOiAgZGVuaWVkICB7IHdy aXRlIH0gZm9yICBwaWQ9MjY1NyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSIuY29va2llIiBkZXY9 ZG0tMCBpbm89MjI5NTA1IHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMx NTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmplY3Rfcjp2YXJfdDpzMCB0Y2xhc3M9Zmls ZQpBcHIgMTEgMTI6MjQ6MDUgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0NS42MjU6 NTcpOiBhdmM6ICBkZW5pZWQgIHsgc2VhcmNoIH0gZm9yICBwaWQ9MjY1NyBjb21tPSJnZG0tYmlu YXJ5IiBuYW1lPSIucGsxMWlwYzEiIGRldj1kbS0wIGlubz0yNjExMzQgc2NvbnRleHQ9c3lzdGVt X3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9i amVjdF9yOnVubGFiZWxlZF90OnMxNTpjMC5jMTAyMyB0Y2xhc3M9ZGlyCkFwciAxMSAxMjoyNDow NSBteW1hY2hpbmUga2VybmVsOiBpbm9kZV9kb2luaXRfd2l0aF9kZW50cnk6ICBjb250ZXh0X3Rv X3NpZChzeXN0ZW1fdTpvYmplY3Rfcjp4ZG1fdG1wX3Q6czApIHJldHVybmVkIDIyIGZvciBkZXY9 ZG0tMCBpbm89MjYxMTM1CkFwciAxMSAxMjoyNDowNSBteW1hY2hpbmUga2VybmVsOiBhdWRpdCgx MTc2MzA4NjQ1LjYzMjo1OCk6IGF2YzogIGRlbmllZCAgeyByZWFkIHdyaXRlIH0gZm9yICBwaWQ9 MjY1NyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPTYzNkY2RjZDNkI2NTc5NzA2QjMxMzE3MzQ1MkQ0 NzYxNzQ2NTIwMzAyMDMwMkQzMCBkZXY9ZG0tMCBpbm89MjYxMTM1IHNjb250ZXh0PXN5c3RlbV91 OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmpl Y3Rfcjp1bmxhYmVsZWRfdDpzMTU6YzAuYzEwMjMgdGNsYXNzPWZpbGUKQXByIDExIDEyOjI0OjA1 IG15bWFjaGluZSBwY3NjZDogd2luc2NhcmQuYzoyMTk6U0NhcmRDb25uZWN0KCkgUmVhZGVyIEUt R2F0ZSAwIDAgTm90IEZvdW5kCkFwciAxMSAxMjoyNDowNSBteW1hY2hpbmUgbGFzdCBtZXNzYWdl IHJlcGVhdGVkIDMgdGltZXMKQXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0 KDExNzYzMDg2NDUuNjU4OjU5KTogYXZjOiAgZGVuaWVkICB7IHVubGluayB9IGZvciAgcGlkPTI2 ODYgY29tbT0iZ2RtLWJpbmFyeSIgbmFtZT0iOjAuWGF1dGgiIGRldj1kbS0wIGlubz0yMjk1Mjcg c2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250 ZXh0PXN5c3RlbV91Om9iamVjdF9yOnZhcl90OnMwIHRjbGFzcz1maWxlCkFwciAxMSAxMjoyNDow NSBteW1hY2hpbmUga2VybmVsOiBhdWRpdCgxMTc2MzA4NjQ1LjY2MDo2MCk6IGF2YzogIGRlbmll ZCAgeyBjcmVhdGUgfSBmb3IgIHBpZD0yNjg2IGNvbW09ImdkbS1iaW5hcnkiIG5hbWU9IjowLlhh dXRoIiBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMg dGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6dmFyX3Q6czAgdGNsYXNzPWZpbGUKQXByIDExIDEy OjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuNjYyOjYxKTogYXZjOiAg ZGVuaWVkICB7IHdyaXRlIH0gZm9yICBwaWQ9MjY4NiBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSI6 MC5YYXV0aCIgZGV2PWRtLTAgaW5vPTIyOTUyNyBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjpp bml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6dmFyX3Q6 czAgdGNsYXNzPWZpbGUKQXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDEx NzYzMDg2NDUuNzA5OjYyKTogYXZjOiAgZGVuaWVkICB7IGNyZWF0ZSB9IGZvciAgcGlkPTI2OTMg Y29tbT0iWG9yZyIgbmFtZT0iWDAiIHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190 OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmplY3Rfcjppbml0cmNfdG1wX3Q6 czAgdGNsYXNzPXNvY2tfZmlsZQpBcHIgMTEgMTI6MjQ6MDUgbXltYWNoaW5lIGtlcm5lbDogYXVk aXQoMTE3NjMwODY0NS43NDI6NjMpOiBhdmM6ICBkZW5pZWQgIHsgd3JpdGUgfSBmb3IgIHBpZD0y Njg2IGNvbW09ImdkbS1iaW5hcnkiIG5hbWU9IlgwIiBkZXY9ZG0tMCBpbm89MjYxMTI5IHNjb250 ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1z eXN0ZW1fdTpvYmplY3Rfcjppbml0cmNfdG1wX3Q6czAgdGNsYXNzPXNvY2tfZmlsZQpBcHIgMTEg MTI6MjQ6MDUgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0NS43NDc6NjQpOiBhdmM6 ICBkZW5pZWQgIHsgd3JpdGUgfSBmb3IgIHBpZD0yNjkzIGNvbW09IlhvcmciIG5hbWU9ImFjcGlk LnNvY2tldCIgZGV2PWRtLTAgaW5vPTIyOTQ2NSBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjpp bml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6YXBtZF92 YXJfcnVuX3Q6czAgdGNsYXNzPXNvY2tfZmlsZQpBcHIgMTEgMTI6MjQ6MDUgbXltYWNoaW5lIGtl cm5lbDogYXVkaXQoMTE3NjMwODY0NS43NDc6NjUpOiBhdmM6ICBkZW5pZWQgIHsgY29ubmVjdHRv IH0gZm9yICBwaWQ9MjY5MyBjb21tPSJYb3JnIiBuYW1lPSJhY3BpZC5zb2NrZXQiIHNjb250ZXh0 PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0 ZW1fdTpzeXN0ZW1fcjphcG1kX3Q6czAtczE1OmMwLmMxMDIzIHRjbGFzcz11bml4X3N0cmVhbV9z b2NrZXQKQXByIDExIDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUu Nzk5OjY2KTogYXZjOiAgZGVuaWVkICB7IHdyaXRlIH0gZm9yICBwaWQ9MjY5MyBjb21tPSJYb3Jn IiBuYW1lPSIwZi4wIiBkZXY9cHJvYyBpbm89LTI2ODQzNTAzNSBzY29udGV4dD1zeXN0ZW1fdTpz eXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0 X3I6cHJvY190OnMwIHRjbGFzcz1maWxlCkFwciAxMSAxMjoyNDowNSBteW1hY2hpbmUga2VybmVs OiBhdWRpdCgxMTc2MzA4NjQ1Ljg4Mjo2Nyk6IGF2YzogIGRlbmllZCAgeyB3cml0ZSB9IGZvciAg cGlkPTI2OTMgY29tbT0iWG9yZyIgbmFtZT0ibXRyciIgZGV2PXByb2MgaW5vPS0yNjg0MzUxNzMg c2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250 ZXh0PXN5c3RlbV91Om9iamVjdF9yOm10cnJfZGV2aWNlX3Q6czAgdGNsYXNzPWZpbGUKQXByIDEx IDEyOjI0OjA1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NDUuODg3OjY4KTogYXZj OiAgZGVuaWVkICB7IGlvY3RsIH0gZm9yICBwaWQ9MjY5MyBjb21tPSJYb3JnIiBuYW1lPSJtdHJy IiBkZXY9cHJvYyBpbm89LTI2ODQzNTE3MyBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0 cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6bXRycl9kZXZp Y2VfdDpzMCB0Y2xhc3M9ZmlsZQpBcHIgMTEgMTI6MjQ6MDYgbXltYWNoaW5lIGtlcm5lbDogbXRy cjogeW91ciBwcm9jZXNzb3IgZG9lc24ndCBzdXBwb3J0IHdyaXRlLWNvbWJpbmluZwpBcHIgMTEg MTI6MjQ6MDYgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0Ni4yMjg6NjkpOiBhdmM6 ICBkZW5pZWQgIHsgcmVhZCB3cml0ZSB9IGZvciAgcGlkPTI2OTMgY29tbT0iWG9yZyIgbmFtZT0i bWljZSIgZGV2PXRtcGZzIGlubz0zNDc2IHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRy Y190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmplY3Rfcjptb3VzZV9kZXZp Y2VfdDpzMCB0Y2xhc3M9Y2hyX2ZpbGUKQXByIDExIDEyOjI0OjA2IG15bWFjaGluZSBrZXJuZWw6 IGF1ZGl0KDExNzYzMDg2NDYuMjM4OjcwKTogYXZjOiAgZGVuaWVkICB7IGlvY3RsIH0gZm9yICBw aWQ9MjY5MyBjb21tPSJYb3JnIiBuYW1lPSJtaWNlIiBkZXY9dG1wZnMgaW5vPTM0NzYgc2NvbnRl eHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5 c3RlbV91Om9iamVjdF9yOm1vdXNlX2RldmljZV90OnMwIHRjbGFzcz1jaHJfZmlsZQpBcHIgMTEg MTI6MjQ6MDggbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY0OC45NzA6NzEpOiBhdmM6 ICBkZW5pZWQgIHsgZ2V0YXR0ciB9IGZvciAgcGlkPTI2OTMgY29tbT0iWG9yZyIgbmFtZT0ibWlj ZSIgZGV2PXRtcGZzIGlubz0zNDc2IHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190 OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmplY3Rfcjptb3VzZV9kZXZpY2Vf dDpzMCB0Y2xhc3M9Y2hyX2ZpbGUKQXByIDExIDEyOjI0OjE0IG15bWFjaGluZSBrZXJuZWw6IGF1 ZGl0KDExNzYzMDg2NTQuMTE2OjcyKTogYXZjOiAgZGVuaWVkICB7IHJlYWQgfSBmb3IgIHBpZD0y NjkzIGNvbW09IlhvcmciIG5hbWU9IjowLlhhdXRoIiBkZXY9ZG0tMCBpbm89MjI5NTI3IHNjb250 ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1z eXN0ZW1fdTpvYmplY3Rfcjp2YXJfdDpzMCB0Y2xhc3M9ZmlsZQpBcHIgMTEgMTI6MjQ6MTQgbXlt YWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY1NC4zMjI6NzMpOiBhdmM6ICBkZW5pZWQgIHsg d3JpdGUgfSBmb3IgIHBpZD0yNzEyIGNvbW09ImdkbWdyZWV0ZXIiIG5hbWU9Ii5nZG1fc29ja2V0 IiBkZXY9ZG0tMCBpbm89MjYxMTI2IHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190 OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1fdTpvYmplY3Rfcjp0bXBfdDpzMCB0Y2xh c3M9c29ja19maWxlCkFwciAxMSAxMjoyNDoxNCBteW1hY2hpbmUga2VybmVsOiBhdWRpdCgxMTc2 MzA4NjU0LjM3NTo3NCk6IGF2YzogIGRlbmllZCAgeyByZWFkIH0gZm9yICBwaWQ9MjcxMiBjb21t PSJnZG1ncmVldGVyIiBuYW1lPSIwMjUxYTVhZmE2YWM3MjdhMWUzMmI3ZDRkNGFhN2NmMC14ODYu Y2FjaGUtMiIgZGV2PWRtLTAgaW5vPTIyOTQ1NiBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjpp bml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9cm9vdDpvYmplY3Rfcjp2YXJfdDpzMCB0 Y2xhc3M9ZmlsZQpBcHIgMTEgMTI6MjQ6MTQgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMw ODY1NC45OTU6NzUpOiBhdmM6ICBkZW5pZWQgIHsgY3JlYXRlIH0gZm9yICBwaWQ9MjcxMiBjb21t PSJnZG1ncmVldGVyIiBrZXk9MCBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpz MC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1 OmMwLmMxMDIzIHRjbGFzcz1zaG0KQXByIDExIDEyOjI0OjE1IG15bWFjaGluZSBrZXJuZWw6IGF1 ZGl0KDExNzYzMDg2NTQuOTk5Ojc2KTogYXZjOiAgZGVuaWVkICB7IHVuaXhfcmVhZCB1bml4X3dy aXRlIH0gZm9yICBwaWQ9MjcxMiBjb21tPSJnZG1ncmVldGVyIiBrZXk9MCBzY29udGV4dD1zeXN0 ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6 c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjbGFzcz1zaG0KQXByIDExIDEyOjI0 OjE1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NTQuOTk5Ojc3KTogYXZjOiAgZGVu aWVkICB7IHJlYWQgd3JpdGUgfSBmb3IgIHBpZD0yNzEyIGNvbW09ImdkbWdyZWV0ZXIiIGtleT0w IHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29u dGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNsYXNzPXNo bQpBcHIgMTEgMTI6MjQ6MTUgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY1NC45OTk6 NzgpOiBhdmM6ICBkZW5pZWQgIHsgcmVhZCB3cml0ZSB9IGZvciAgcGlkPTI3MTIgY29tbT0iZ2Rt Z3JlZXRlciIgbmFtZT0iU1lTVjAwMDAwMDAwIiBkZXY9dG1wZnMgaW5vPTAgc2NvbnRleHQ9c3lz dGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91 Om9iamVjdF9yOnRtcGZzX3Q6czAgdGNsYXNzPWZpbGUKQXByIDExIDEyOjI0OjE1IG15bWFjaGlu ZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NTUuMDAwOjc5KTogYXZjOiAgZGVuaWVkICB7IGdldGF0 dHIgYXNzb2NpYXRlIH0gZm9yICBwaWQ9MjY5MyBjb21tPSJYb3JnIiBrZXk9MCBzY29udGV4dD1z eXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVt X3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjbGFzcz1zaG0KQXByIDExIDEy OjI0OjE1IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg2NTUuMDAxOjgwKTogYXZjOiAg ZGVuaWVkICB7IGRlc3Ryb3kgfSBmb3IgIHBpZD0yNzEyIGNvbW09ImdkbWdyZWV0ZXIiIGtleT0w IHNjb250ZXh0PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29u dGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1zMTU6YzAuYzEwMjMgdGNsYXNzPXNo bQpBcHIgMTEgMTI6MjQ6MzcgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODY3Ny41NDc6 ODEpOiBhdmM6ICBkZW5pZWQgIHsgcmVtb3ZlX25hbWUgfSBmb3IgIHBpZD0yNjg2IGNvbW09Imdk bS1iaW5hcnkiIG5hbWU9IjowLlhhdXRoIiBkZXY9ZG0tMCBpbm89MjI5NTI3IHNjb250ZXh0PXN5 c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1f dTpvYmplY3Rfcjp2YXJfdDpzMCB0Y2xhc3M9ZGlyCkFwciAxMSAxMjoyNDozOCBteW1hY2hpbmUg a3VkenVbMjc2MV06IG9ic29sZXRlIGt1ZHp1IGRkY1Byb2JlIGNhbGxlZApBcHIgMTEgMTI6MjQ6 MzkgbXltYWNoaW5lIGtlcm5lbDogaXA2X3RhYmxlczogKEMpIDIwMDAtMjAwNiBOZXRmaWx0ZXIg Q29yZSBUZWFtCkFwciAxMSAxMjoyNDozOSBteW1hY2hpbmUga2VybmVsOiBTRUxpbnV4OiBpbml0 aWFsaXplZCAoZGV2IHJwY19waXBlZnMsIHR5cGUgcnBjX3BpcGVmcyksIHVzZXMgZ2VuZnNfY29u dGV4dHMKQXByIDExIDEyOjI0OjM5IG15bWFjaGluZSBocGlvZDogMS42LjEyIGFjY2VwdGluZyBj b25uZWN0aW9ucyBhdCAyMjA4Li4uIApBcHIgMTEgMTI6MjY6MjYgbXltYWNoaW5lIGtlcm5lbDog YXVkaXQoMTE3NjMwODc4Ni4xMzE6ODIpOiBlbmZvcmNpbmc9MSBvbGRfZW5mb3JjaW5nPTAgYXVp ZD00Mjk0OTY3Mjk1CkFwciAxMSAxMjoyNjoyNiBteW1hY2hpbmUgZGJ1czogQ2FuJ3Qgc2VuZCB0 byBhdWRpdCBzeXN0ZW06IFVTRVJfQVZDIGF2YzogIHJlY2VpdmVkIHNldGVuZm9yY2Ugbm90aWNl IChlbmZvcmNpbmc9MSkgOiBleGU9Ij8iIChzYXVpZD04MSwgaG9zdG5hbWU9PywgYWRkcj0/LCB0 ZXJtaW5hbD0/KQpBcHIgMTEgMTI6MjY6MzMgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMw ODc5My45NTM6ODMpOiBhdmM6ICBkZW5pZWQgIHsgc2V0YXR0ciB9IGZvciAgcGlkPTMxODMgY29t bT0iZ2RtLWJpbmFyeSIgbmFtZT0iZ2RtIiBkZXY9ZG0tMCBpbm89MjI5Mzk4IHNjb250ZXh0PXN5 c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y29udGV4dD1zeXN0ZW1f dTpvYmplY3Rfcjp2YXJfdDpzMCB0Y2xhc3M9ZGlyCkFwciAxMSAxMjoyNjozMyBteW1hY2hpbmUg a2VybmVsOiBhdWRpdCgxMTc2MzA4NzkzLjk1NDo4NCk6IGF2YzogIGRlbmllZCAgeyBzZXRhdHRy IH0gZm9yICBwaWQ9MzE4MyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSJnZG0iIGRldj1kbS0wIGlu bz0yMjkzOTggc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMx MDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnZhcl90OnMwIHRjbGFzcz1kaXIKQXByIDEx IDEyOjI2OjM0IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg3OTQuMDY3Ojg1KTogYXZj OiAgZGVuaWVkICB7IGNyZWF0ZSB9IGZvciAgcGlkPTMxODMgY29tbT0iZ2RtLWJpbmFyeSIgc2Nv bnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0 PXN5c3RlbV91OnN5c3RlbV9yOmluaXRyY190OnMwLXMxNTpjMC5jMTAyMyB0Y2xhc3M9bmV0bGlu a19hdWRpdF9zb2NrZXQKQXByIDExIDEyOjI2OjM0IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDEx NzYzMDg3OTQuMDgyOjg2KTogYXZjOiAgZGVuaWVkICB7IGFkZF9uYW1lIH0gZm9yICBwaWQ9MzE4 MyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSIuZ2RtZmlmbyIgc2NvbnRleHQ9c3lzdGVtX3U6c3lz dGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9y OnZhcl90OnMwIHRjbGFzcz1kaXIKQXByIDExIDEyOjI2OjM0IG15bWFjaGluZSBnZG1bMzE4M106 IGdkbV9jb25uZWN0aW9uX29wZW5fZmlmbzogQ291bGQgbm90IG1ha2UgRklGTwpBcHIgMTEgMTI6 MjY6MzQgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODc5NC4wODc6ODcpOiBhdmM6ICBk ZW5pZWQgIHsgY3JlYXRlIH0gZm9yICBwaWQ9MzE4MyBjb21tPSJnZG0tYmluYXJ5IiBuYW1lPSIu Z2RtX3NvY2tldCIgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMw LmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnRtcF90OnMwIHRjbGFzcz1zb2NrX2Zp bGUKQXByIDExIDEyOjI2OjM0IG15bWFjaGluZSBnZG1bMzE4M106IGdkbV9jb25uZWN0aW9uX29w ZW5fdW5peDogQ291bGQgbm90IGJpbmQgc29ja2V0CkFwciAxMSAxMjoyNjozNCBteW1hY2hpbmUg a2VybmVsOiBhdWRpdCgxMTc2MzA4Nzk0LjE5ODo4OCk6IGF2YzogIGRlbmllZCAgeyByZW1vdmVf bmFtZSB9IGZvciAgcGlkPTMxODMgY29tbT0iZ2RtLWJpbmFyeSIgbmFtZT0iLmNvb2tpZSIgZGV2 PWRtLTAgaW5vPTIyOTUwNSBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1z MTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6dmFyX3Q6czAgdGNsYXNzPWRp cgpBcHIgMTEgMTI6MjY6MzQgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODc5NC4xOTk6 ODkpOiBhdmM6ICBkZW5pZWQgIHsgcmVtb3ZlX25hbWUgfSBmb3IgIHBpZD0zMTgzIGNvbW09Imdk bS1iaW5hcnkiIG5hbWU9Ii5jb29raWUiIGRldj1kbS0wIGlubz0yMjk1MDUgc2NvbnRleHQ9c3lz dGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91 Om9iamVjdF9yOnZhcl90OnMwIHRjbGFzcz1kaXIKQXByIDExIDEyOjI2OjM0IG15bWFjaGluZSBn ZG1bMzE4M106IENhbid0IG9wZW4gL3Zhci9nZG0vLmNvb2tpZSBmb3Igd3JpdGluZwpBcHIgMTEg MTI6MjY6MzQgbXltYWNoaW5lIGtlcm5lbDogYXVkaXQoMTE3NjMwODc5NC4yMjM6OTApOiBhdmM6 ICBkZW5pZWQgIHsgc2VhcmNoIH0gZm9yICBwaWQ9MzE4MyBjb21tPSJnZG0tYmluYXJ5IiBuYW1l PSIucGsxMWlwYzEiIGRldj1kbS0wIGlubz0yNjExMzQgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVt X3I6aW5pdHJjX3Q6czAtczE1OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnVu bGFiZWxlZF90OnMxNTpjMC5jMTAyMyB0Y2xhc3M9ZGlyCkFwciAxMSAxMjoyNjozNCBteW1hY2hp bmUga2VybmVsOiBhdWRpdCgxMTc2MzA4Nzk0LjIyMzo5MSk6IGF2YzogIGRlbmllZCAgeyBzZWFy Y2ggfSBmb3IgIHBpZD0zMTgzIGNvbW09ImdkbS1iaW5hcnkiIG5hbWU9Ii5wazExaXBjMSIgZGV2 PWRtLTAgaW5vPTI2MTEzNCBzY29udGV4dD1zeXN0ZW1fdTpzeXN0ZW1fcjppbml0cmNfdDpzMC1z MTU6YzAuYzEwMjMgdGNvbnRleHQ9c3lzdGVtX3U6b2JqZWN0X3I6dW5sYWJlbGVkX3Q6czE1OmMw LmMxMDIzIHRjbGFzcz1kaXIKQXByIDExIDEyOjI2OjM0IG15bWFjaGluZSBwY3NjZDogd2luc2Nh cmQuYzoyMTk6U0NhcmRDb25uZWN0KCkgUmVhZGVyIEUtR2F0ZSAwIDAgTm90IEZvdW5kCkFwciAx MSAxMjoyNjozNCBteW1hY2hpbmUgbGFzdCBtZXNzYWdlIHJlcGVhdGVkIDMgdGltZXMKQXByIDEx IDEyOjI2OjM0IG15bWFjaGluZSBrZXJuZWw6IGF1ZGl0KDExNzYzMDg3OTQuMzMyOjkyKTogYXZj OiAgZGVuaWVkICB7IGFkZF9uYW1lIH0gZm9yICBwaWQ9MzIxMiBjb21tPSJnZG0tYmluYXJ5IiBu YW1lPSI6MC5YYXV0aCIgc2NvbnRleHQ9c3lzdGVtX3U6c3lzdGVtX3I6aW5pdHJjX3Q6czAtczE1 OmMwLmMxMDIzIHRjb250ZXh0PXN5c3RlbV91Om9iamVjdF9yOnZhcl90OnMwIHRjbGFzcz1kaXIK QXByIDExIDEyOjI2OjM0IG15bWFjaGluZSBnZG1bMzIxMl06IGdkbV9hdXRoX3NlY3VyZV9kaXNw bGF5OiBDYW5ub3Qgc2FmZWx5IG9wZW4gL3Zhci9nZG0vOjAuWGF1dGgKQXByIDExIDEyOjI2OjM1 IG15bWFjaGluZSBnZG1bMzE4M106IGdkbV9jaGlsZF9hY3Rpb246IEFib3J0aW5nIGRpc3BsYXkg OjAK ------=_Part_15313_14163141.1176320148956-- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: Re: X server won't start using MLS policy From: Stephen Smalley To: Mark Webb Cc: selinux@tycho.nsa.gov, Daniel J Walsh In-Reply-To: <9f066ee90704111235n5cadfc03s66230aacf254156d@mail.gmail.com> References: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> <1176317391.3986.44.camel@moss-spartans.epoch.ncsc.mil> <9f066ee90704111229n4e876e00kd5a5722ff00141ad@mail.gmail.com> <1176319951.3986.54.camel@moss-spartans.epoch.ncsc.mil> <9f066ee90704111235n5cadfc03s66230aacf254156d@mail.gmail.com> Content-Type: text/plain Date: Wed, 11 Apr 2007 15:45:16 -0400 Message-Id: <1176320716.3986.62.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On Wed, 2007-04-11 at 15:35 -0400, Mark Webb wrote: > Sorry about the HTML. I sometimes forget Gmail defaults to HTML. > One question for you, will running audit2allow 'break' the MLS posture > of the machine? Hmmm...per your messages file, gdm-binary is running in initrc_t, whereas it would normally be running in xdm_t. Looks like the -mls policy in Fedora doesn't even include the definitions for the X-related domains (unlike the -strict policy). So I think you need to build your own policy from upstream refpolicy if you want X support. Running audit2allow won't affect the MLS constraints, but the real question is whether you can actually use X in a MLS environment without XACE/XSELinux; you'd be limited to single-level-at-a-time desktop. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <461D4548.6070306@redhat.com> Date: Wed, 11 Apr 2007 16:30:00 -0400 From: Daniel J Walsh MIME-Version: 1.0 To: Stephen Smalley CC: Mark Webb , selinux@tycho.nsa.gov Subject: Re: X server won't start using MLS policy References: <9f066ee90704111136w5e98b87bxf2463754621cf6fb@mail.gmail.com> <1176317391.3986.44.camel@moss-spartans.epoch.ncsc.mil> <9f066ee90704111229n4e876e00kd5a5722ff00141ad@mail.gmail.com> <1176319951.3986.54.camel@moss-spartans.epoch.ncsc.mil> <9f066ee90704111235n5cadfc03s66230aacf254156d@mail.gmail.com> <1176320716.3986.62.camel@moss-spartans.epoch.ncsc.mil> In-Reply-To: <1176320716.3986.62.camel@moss-spartans.epoch.ncsc.mil> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov Stephen Smalley wrote: > On Wed, 2007-04-11 at 15:35 -0400, Mark Webb wrote: > >> Sorry about the HTML. I sometimes forget Gmail defaults to HTML. >> One question for you, will running audit2allow 'break' the MLS posture >> of the machine? >> > > Hmmm...per your messages file, gdm-binary is running in initrc_t, > whereas it would normally be running in xdm_t. Looks like the -mls > policy in Fedora doesn't even include the definitions for the X-related > domains (unlike the -strict policy). So I think you need to build your > own policy from upstream refpolicy if you want X support. > > Running audit2allow won't affect the MLS constraints, but the real > question is whether you can actually use X in a MLS environment without > XACE/XSELinux; you'd be limited to single-level-at-a-time desktop. > > MLS Policy does not include any of the X-Windows or Desktop Client modules. So X is not supported on a MLS/LSPP machine. Getting a Desktop Client to work would require work on XACE/XSELinux as well as changes to many other apps like gconf/orbits etc. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.