From: Daniel J Walsh <dwalsh@redhat.com>
To: Eamon Walsh <ewalsh@tycho.nsa.gov>, SE Linux <selinux@tycho.nsa.gov>
Subject: Tonight's rawhide contains a fix to stop xspy.
Date: Wed, 27 Feb 2008 23:06:43 -0500
Message-ID: <47C63353.9040008@redhat.com>

Basically, if you turn on the xserver_object_manager boolean, no
applications will be allowed to read the x_device. This stops xspy, as
you said, dead in its tracks, but some other applications start to get
AVCs around querypointer, and eventually I hung the server. You
mentioned in another email that you were going to change the
querypointer to a getattr rather than a read. I think this is necessary
to make this work.

#============= mono_t ==============
allow mono_t xdm_xserver_t:x_device read;

#============= unconfined_t ==============
allow unconfined_t xdm_xserver_t:x_device read;

#============= xdm_t ==============
allow xdm_t xdm_xserver_t:x_device read;

type=USER_AVC msg=audit(1204170576.402:774): user pid=2729 uid=0
auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
msg='avc: denied { read } for request=X11:QueryPointer comm=mono
xdevice="Virtual core pointer"
scontext=unconfined_u:unconfined_r:mono_t:s0
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device
: exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
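
Added example, not part of the original message or of any SELinux tool: a small Python parser that takes a USER_AVC record like the one quoted in the message and derives the candidate allow rule in the style of the rules listed there, keeping the X request (QueryPointer here) that triggered the denial. The function names are hypothetical, and the sample is the message's record rejoined onto one line.

```python
import re
from collections import defaultdict

# USER_AVC record from the message above, rejoined onto one line.
SAMPLE = (
    'type=USER_AVC msg=audit(1204170576.402:774): user pid=2729 uid=0 '
    'auid=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 '
    "msg='avc: denied { read } for request=X11:QueryPointer comm=mono "
    'xdevice="Virtual core pointer" '
    'scontext=unconfined_u:unconfined_r:mono_t:s0 '
    'tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=x_device '
    ': exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)\''
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def _type_of(context):
    """Type field of user:role:type[:mls-range], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_user_avc(line):
    """Return the denial in a USER_AVC record as a dict, or None."""
    m = AVC_RE.search(line) if line.startswith("type=USER_AVC") else None
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    fields["stype"] = _type_of(fields["scontext"])
    fields["ttype"] = _type_of(fields["tcontext"])
    if not (fields["perms"] and fields["stype"] and fields["ttype"]):
        return None
    return fields

def summarize(lines):
    """Map each candidate allow rule to the set of X requests that hit it."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_user_avc, lines)):
        perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
        rule = "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], perms)
        rules[rule].add(d.get("request", "?"))
    return dict(rules)

if __name__ == "__main__":
    for rule, requests in summarize([SAMPLE]).items():
        print(rule, "# requests:", ", ".join(sorted(requests)))
```

Keeping the request beside each rule shows a reviewer which X call needs the permission before deciding whether to grant `x_device read`, the access the message says is being withheld.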