* newrole assertion
From: Xavier Toth @ 2008-07-08 19:02 UTC
To: SELinux List, Stephen Smalley; +Cc: Joe Nall
Using MLS enforcing in a gnome-terminal with context
user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
results
newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
Password:
**
** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
failed: (profile)
I think Joe straced this and has a little more info if he'd like to chime in.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: newrole assertion
From: Stephen Smalley @ 2008-07-09 15:23 UTC
To: Xavier Toth; +Cc: SELinux List, Joe Nall
On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
> Using MLS enforcing in a gnome-terminal with context
> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
> results
>
> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
> Password:
> **
> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
> failed: (profile)
>
>
> I think Joe straced this and has a little more info if he'd like to chime in.
So, I assume that this does not happen if in permissive mode?
What AVC denials occur? Run semodule -DB and retry if there are no AVCs
by default.
What is the application trying to do at that point (look at the source
code and/or ask on the gnome lists)? What are the possible failure
conditions there? What external dependencies does it have?
strace output might help if you have it.
--
Stephen Smalley
National Security Agency
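Stephen's checklist (does it reproduce in permissive, run semodule -DB so dontaudit'ed denials become visible, then read the AVCs) is the standard first pass for a program that dies under enforcing without an obvious denial. The script below is an added example, not code from this thread or from the SELinux project. It parses audit records of the kind ausearch -m AVC,USER_AVC -ts recent returns, groups denials by source type, target type and object class, and flags denials whose sensitivity levels point at an MLS read-up or write-down rather than a missing type-enforcement rule, which matters on an MLS box because a level mismatch produces the same "avc: denied" line as a missing allow rule. The audit lines embedded in it are constructed for illustration (no real AVCs were posted to the thread), and the read-like/write-like permission sets and the level comparison are a heuristic, not the policy's actual mlsconstrain rules.

```python
import re
from collections import defaultdict

# Constructed sample records (kernel AVC lines plus one dbus USER_AVC line);
# they are illustrative, not the thread's real audit log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215631234.101:201): avc:  denied  { write } for  pid=4321 comm="gnome-terminal" name="tmp" dev=sda2 ino=2 scontext=user_u:user_r:user_t:s1 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1215631234.102:202): avc:  denied  { add_name } for  pid=4321 comm="gnome-terminal" name="gconfd-user" scontext=user_u:user_r:user_t:s1 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1215631234.150:203): avc:  denied  { read } for  pid=4321 comm="gnome-terminal" name="session.conf" dev=sda2 ino=99 scontext=user_u:user_r:user_t:s1 tcontext=system_u:object_r:user_home_t:s2 tclass=file
type=USER_AVC msg=audit(1215631234.200:204): user pid=3333 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4321 tpid=3333 scontext=user_u:user_r:user_t:s1 tcontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1215631234.101:201): arch=c000003e syscall=83 success=no exit=-13 a0=3 comm="gnome-terminal" exe="/usr/bin/gnome-terminal" subj=user_u:user_r:user_t:s1
"""

# The decision, the permission set and the key=value tail of an AVC record.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic split of permissions into flows of information: writing from a
# higher level into a lower-level object is a write-down, reading a
# higher-level object from a lower level is a read-up. The real rules live
# in the policy's mlsconstrain statements; this only points a finger.
WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name",
              "unlink", "rename", "setattr", "rmdir", "link"}
READ_LIKE = {"read", "getattr", "search", "open", "execute", "ioctl", "lock"}


def sensitivity(level):
    """'s15:c0.c1023' -> 15; None if the level has no sN prefix."""
    m = re.match(r"s(\d+)", level)
    return int(m.group(1)) if m else None


def parse_context(ctx):
    """Split user:role:type[:low[-high]] into parts with integer sensitivities."""
    parts = ctx.split(":", 3)
    user, role, type_ = parts[0], parts[1], parts[2]
    low = high = None
    if len(parts) > 3:  # MLS/MCS range present
        lo, _, hi = parts[3].partition("-")
        low = sensitivity(lo)
        high = sensitivity(hi) if hi else low
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}


def parse_avc_records(text):
    """Return one dict per AVC decision found in audit text (AVC and USER_AVC)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no AVC decision
        decision, perms, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        records.append({
            "decision": decision,
            "perms": perms.split(),
            "comm": fields.get("comm") or fields.get("exe", "?"),
            "scontext": fields.get("scontext", "?"),
            "tcontext": fields.get("tcontext", "?"),
            "tclass": fields.get("tclass", "?"),
            "fields": fields,
        })
    return records


def mls_hint(src, tgt, perm):
    """Name the MLS flow a denial looks like, or None if levels do not explain it."""
    if src["low"] is None or tgt["low"] is None:
        return None
    if perm in WRITE_LIKE and src["low"] > tgt["low"]:
        return "write-down"
    if perm in READ_LIKE and tgt["low"] > src["high"]:
        return "read-up"
    return None


def summarize(records):
    """Group denials by (source type, target type, class) and collect MLS hints."""
    perms_by_key = defaultdict(set)
    hints = []
    for r in records:
        if r["decision"] != "denied":
            continue
        src, tgt = parse_context(r["scontext"]), parse_context(r["tcontext"])
        key = (src["type"], tgt["type"], r["tclass"])
        for perm in r["perms"]:
            perms_by_key[key].add(perm)
            hint = mls_hint(src, tgt, perm)
            if hint:
                hints.append((r["comm"], perm, r["tclass"], hint))
    return {k: sorted(v) for k, v in perms_by_key.items()}, hints


if __name__ == "__main__":
    groups, hints = summarize(parse_avc_records(SAMPLE_AUDIT_LOG))
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}")
    for comm, perm, tclass, hint in hints:
        print(f"  {comm}: {perm} on {tclass} looks like an MLS {hint}")
```

Two practical notes. Denials against a dbus tclass (as in the USER_AVC line) are reported by dbus-daemon, not the kernel, so they only show up if you search USER_AVC records as well as AVC. And semodule -DB rebuilds the policy with every dontaudit rule dropped system-wide, so run semodule -B again once the investigation is over.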
* Re: newrole assertion - should be gnome-terminal assertion
From: Ted X Toth @ 2008-07-09 18:24 UTC
To: Stephen Smalley; +Cc: SELinux List, Joe Nall
Stephen Smalley wrote:
> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
>
>> Using MLS enforcing in a gnome-terminal with context
>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
>> results
>>
>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
>> Password:
>> **
>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
>> failed: (profile)
>>
>>
>> I think Joe straced this and has a little more info if he'd like to chime in.
>>
>
> So, I assume that this does not happen if in permissive mode?
> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
> by default.
>
> What is the application trying to do at that point (look at the source
> code and/or ask on the gnome lists)? What are the possible failure
> conditions there? What external dependencies does it have?
>
> strace output might help if you have it.
>
>
Sorry to have bothered you. Looks like it has something to do with
polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
previous versions even when polyinstantiating :(
* Re: newrole assertion - should be gnome-terminal assertion
From: Stephen Smalley @ 2008-07-10 12:09 UTC
To: Xavier Toth; +Cc: SELinux List, Joe Nall
On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@gmail.com> wrote:
> > Stephen Smalley wrote:
> >>
> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
> >>
> >>>
> >>> Using MLS enforcing in a gnome-terminal with context
> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
> >>> results
> >>>
> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
> >>> Password:
> >>> **
> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
> >>> failed: (profile)
> >>>
> >>>
> >>> I think Joe straced this and has a little more info if he'd like to chime
> >>> in.
> >>>
> >>
> >> So, I assume that this does not happen if in permissive mode?
> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
> >> by default.
> >>
> >> What is the application trying to do at that point (look at the source
> >> code and/or ask on the gnome lists)? What are the possible failure
> >> conditions there? What external dependencies does it have?
> >> strace output might help if you have it.
> >>
> >>
> >
> > Sorry to have bothered you. Looks like it has something to do with
> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
> > previous versions even when polyinstantiating :(
> >
> >
>
> Hmmm this was a bit of a rush to judgment :( It actually turned out
> that if I don't polyinstantiate /tmp then I can start gnome-terminal
> as shown in permissive but it still doesn't work in enforcing. I tried
> turning off dontaudit but I'm not seeing any AVC out of
> gnome-terminal. I've attached a strace maybe you'll see something that
> I don't.
Look for any avcs at all - they might be occurring during the
polyinstantiation, or from dbus, or from the X server.
Also, run the strace while permissive and diff the two strace outputs to
see how they differ (imperfect, there will be noise, but helpful
nonetheless).
I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
how many of those are expected/harmless.
--
Stephen Smalley
National Security Agency
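A concrete way to do the permissive-versus-enforcing strace comparison suggested above: diffing raw traces is noisy because pids, descriptor numbers and addresses change on every run, so instead key each call on its name plus its first string argument (the path or socket name), record the set of outcomes per key in each run, and report only the keys that fail in enforcing with an errno they never produced in permissive, with EACCES/EPERM sorted first. Calls that fail identically in both modes, like the ENOENTs on optional ~/.gnome2 files, drop out as noise. This is an added example, not code from the thread; the two traces embedded in it are constructed stand-ins (the real trace attached to the thread is not on this page), and the session-bus socket path in them is a placeholder.

```python
import re
from collections import defaultdict

# Constructed traces, not the one attached to the thread. They share the
# harmless ENOENT on a .gnome2 file and differ only in one connect().
PERMISSIVE_TRACE = """\
execve("/usr/bin/gnome-terminal", ["gnome-terminal", "--disable-factory"], [/* 31 vars */]) = 0
open("/home/user/.gnome2/accels/gnome-terminal", O_RDONLY) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path=@"/tmp/.X11-unix/X0"}, 20) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
connect(5, {sa_family=AF_FILE, path="/tmp/dbus-example"}, 110) = 0
"""

ENFORCING_TRACE = """\
execve("/usr/bin/gnome-terminal", ["gnome-terminal", "--disable-factory"], [/* 31 vars */]) = 0
open("/home/user/.gnome2/accels/gnome-terminal", O_RDONLY) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path=@"/tmp/.X11-unix/X0"}, 20) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 5
connect(5, {sa_family=AF_FILE, path="/tmp/dbus-example"}, 110) = -1 EACCES (Permission denied)
close(5)                                = 0
exit_group(1)                           = ?
"""

# One strace line: optional "[pid N]" / "N " / timestamp prefix (from -f, -t),
# then name(args) = return [ERRNO (text)]. Unfinished/resumed lines and
# signal lines do not match and are skipped.
CALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?"
    r"(\w+)\((.*)\)\s*=\s*(-?\d+|\?|0x[0-9a-f]+)"
    r"(?:\s+(E[A-Z0-9]+))?"
)
ACCESS_ERRNOS = {"EACCES", "EPERM"}


def normalize(name, args):
    """Stable key for a call: its first string literal if any, else args with numbers masked."""
    m = re.search(r'"([^"]*)"', args)
    if m:
        return f'{name}("{m.group(1)}")'
    return name + "(" + re.sub(r"0x[0-9a-f]+|\b\d+\b", "N", args) + ")"


def parse_strace(text):
    """Map each normalized call to the set of outcomes ('ok' or an errno) seen."""
    outcomes = defaultdict(set)
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        name, args, _ret, errno = m.groups()
        outcomes[normalize(name, args)].add(errno or "ok")
    return outcomes


def new_failures(permissive, enforcing):
    """Calls that fail in enforcing with an errno never seen for them in permissive."""
    findings = []
    for call, enf in enforcing.items():
        seen_before = permissive.get(call, set())
        new = {e for e in enf - seen_before if e != "ok"}
        if new:
            findings.append({
                "call": call,
                "enforcing": sorted(new),
                "permissive": sorted(seen_before) or ["absent"],
                "access": bool(new & ACCESS_ERRNOS),  # EACCES/EPERM: policy-shaped
            })
    findings.sort(key=lambda f: (not f["access"], f["call"]))
    return findings


if __name__ == "__main__":
    report = new_failures(parse_strace(PERMISSIVE_TRACE), parse_strace(ENFORCING_TRACE))
    for f in report:
        tag = "policy?" if f["access"] else "other"
        print(f"[{tag}] {f['call']}: permissive={f['permissive']} enforcing={f['enforcing']}")
```

To feed it real data, capture both runs with strace -f -o into the polyinstantiated /tmp instance (as the thread later notes, the instance directory for the current level has to exist first), read the two files in place of the embedded strings, and treat an EACCES on a socket or file that succeeded in permissive as the place to look for a missing AVC, remembering that the denial may be logged against dbus-daemon or the X server rather than gnome-terminal itself.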
* Re: newrole assertion - should be gnome-terminal assertion
From: Xavier Toth @ 2008-07-10 14:33 UTC
To: Stephen Smalley; +Cc: SELinux List, Joe Nall
On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
>> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@gmail.com> wrote:
>> > Stephen Smalley wrote:
>> >>
>> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
>> >>
>> >>>
>> >>> Using MLS enforcing in a gnome-terminal with context
>> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
>> >>> results
>> >>>
>> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
>> >>> Password:
>> >>> **
>> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
>> >>> failed: (profile)
>> >>>
>> >>>
>> >>> I think Joe straced this and has a little more info if he'd like to chime
>> >>> in.
>> >>>
>> >>
>> >> So, I assume that this does not happen if in permissive mode?
>> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
>> >> by default.
>> >>
>> >> What is the application trying to do at that point (look at the source
>> >> code and/or ask on the gnome lists)? What are the possible failure
>> >> conditions there? What external dependencies does it have?
>> >> strace output might help if you have it.
>> >>
>> >>
>> >
>> > Sorry to have bothered you. Looks like it has something to do with
>> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
>> > previous versions even when polyinstantiating :(
>> >
>> >
>>
>> Hmmm this was a bit of a rush to judgment :( It actually turned out
>> that if I don't polyinstantiate /tmp then I can start gnome-terminal
>> as shown in permissive but it still doesn't work in enforcing. I tried
>> turning off dontaudit but I'm not seeing any AVC out of
>> gnome-terminal. I've attached a strace maybe you'll see something that
>> I don't.
>
> Look for any avcs at all - they might be occurring during the
> polyinstantiation, or from dbus, or from the X server.
>
> Also, run the strace while permissive and diff the two strace outputs to
> see how they differ (imperfect, there will be noise, but helpful
> nonetheless).
>
> I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
> how many of those are expected/harmless.
>
> --
> Stephen Smalley
> National Security Agency
>
>
Any idea how to capture strace output in enforcing? I've tried using
the -o option but strace can't write to tmp or the users home dir in
enforcing.
* Re: newrole assertion - should be gnome-terminal assertion
From: Stephen Smalley @ 2008-07-10 14:38 UTC
To: Xavier Toth; +Cc: SELinux List, Joe Nall
On Thu, 2008-07-10 at 09:33 -0500, Xavier Toth wrote:
> On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
> >> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@gmail.com> wrote:
> >> > Stephen Smalley wrote:
> >> >>
> >> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
> >> >>
> >> >>>
> >> >>> Using MLS enforcing in a gnome-terminal with context
> >> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
> >> >>> results
> >> >>>
> >> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
> >> >>> Password:
> >> >>> **
> >> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
> >> >>> failed: (profile)
> >> >>>
> >> >>>
> >> >>> I think Joe straced this and has a little more info if he'd like to chime
> >> >>> in.
> >> >>>
> >> >>
> >> >> So, I assume that this does not happen if in permissive mode?
> >> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
> >> >> by default.
> >> >>
> >> >> What is the application trying to do at that point (look at the source
> >> >> code and/or ask on the gnome lists)? What are the possible failure
> >> >> conditions there? What external dependencies does it have?
> >> >> strace output might help if you have it.
> >> >>
> >> >>
> >> >
> >> > Sorry to have bothered you. Looks like it has something to do with
> >> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
> >> > previous versions even when polyinstantiating :(
> >> >
> >> >
> >>
> >> Hmmm this was a bit of a rush to judgment :( It actually turned out
> >> that if I don't polyinstantiate /tmp then I can start gnome-terminal
> >> as shown in permissive but it still doesn't work in enforcing. I tried
> >> turning off dontaudit but I'm not seeing any AVC out of
> >> gnome-terminal. I've attached a strace maybe you'll see something that
> >> I don't.
> >
> > Look for any avcs at all - they might be occurring during the
> > polyinstantiation, or from dbus, or from the X server.
> >
> > Also, run the strace while permissive and diff the two strace outputs to
> > see how they differ (imperfect, there will be noise, but helpful
> > nonetheless).
> >
> > I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
> > how many of those are expected/harmless.
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> >
>
> Any idea how to capture strace output in enforcing? I've tried using
> the -o option but strace can't write to tmp or the users home dir in
> enforcing.
Not sure I follow - why can't it write to its polyinstantiated /tmp
directory?
--
Stephen Smalley
National Security Agency
* Fwd: newrole assertion - should be gnome-terminal assertion
From: Xavier Toth @ 2008-07-10 15:21 UTC
To: SELinux List, Joe Nall
---------- Forwarded message ----------
From: Xavier Toth <txtoth@gmail.com>
Date: Thu, Jul 10, 2008 at 10:06 AM
Subject: Re: newrole assertion - should be gnome-terminal assertion
To: Stephen Smalley <sds@tycho.nsa.gov>
On Thu, Jul 10, 2008 at 9:38 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Thu, 2008-07-10 at 09:33 -0500, Xavier Toth wrote:
>> On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> >
>> > On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
>> >> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@gmail.com> wrote:
>> >> > Stephen Smalley wrote:
>> >> >>
>> >> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
>> >> >>
>> >> >>>
>> >> >>> Using MLS enforcing in a gnome-terminal with context
>> >> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
>> >> >>> results
>> >> >>>
>> >> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
>> >> >>> Password:
>> >> >>> **
>> >> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
>> >> >>> failed: (profile)
>> >> >>>
>> >> >>>
>> >> >>> I think Joe straced this and has a little more info if he'd like to chime
>> >> >>> in.
>> >> >>>
>> >> >>
>> >> >> So, I assume that this does not happen if in permissive mode?
>> >> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
>> >> >> by default.
>> >> >>
>> >> >> What is the application trying to do at that point (look at the source
>> >> >> code and/or ask on the gnome lists)? What are the possible failure
>> >> >> conditions there? What external dependencies does it have?
>> >> >> strace output might help if you have it.
>> >> >>
>> >> >>
>> >> >
>> >> > Sorry to have bothered you. Looks like it has something to do with
>> >> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
>> >> > previous versions even when polyinstantiating :(
>> >> >
>> >> >
>> >>
>> >> Hmmm this was a bit of a rush to judgment :( It actually turned out
>> >> that if I don't polyinstantiate /tmp then I can start gnome-terminal
>> >> as shown in permissive but it still doesn't work in enforcing. I tried
>> >> turning off dontaudit but I'm not seeing any AVC out of
>> >> gnome-terminal. I've attached a strace maybe you'll see something that
>> >> I don't.
>> >
>> > Look for any avcs at all - they might be occurring during the
>> > polyinstantiation, or from dbus, or from the X server.
>> >
>> > Also, run the strace while permissive and diff the two strace outputs to
>> > see how they differ (imperfect, there will be noise, but helpful
>> > nonetheless).
>> >
>> > I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
>> > how many of those are expected/harmless.
>> >
>> > --
>> > Stephen Smalley
>> > National Security Agency
>> >
>> >
>>
>> Any idea how to capture strace output in enforcing? I've tried using
>> the -o option but strace can't write to tmp or the users home dir in
>> enforcing.
>
> Not sure I follow - why can't it write to its polyinstantiated /tmp
> directory?
>
> --
> Stephen Smalley
> National Security Agency
>
>
You're right, that does work as long as you've got an instance directory
at the right level ;) which I didn't previously. The assertion points
to a problem of not having a 'profile' so I've looked through the
strace output but don't see anything that is related to loading
'profiles'.
* Re: newrole assertion - should be gnome-terminal assertion
From: Xavier Toth @ 2008-07-10 15:30 UTC
To: Stephen Smalley; +Cc: SELinux List, Joe Nall
On Thu, Jul 10, 2008 at 7:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Wed, 2008-07-09 at 17:17 -0500, Xavier Toth wrote:
>> On Wed, Jul 9, 2008 at 1:24 PM, Ted X Toth <txtoth@gmail.com> wrote:
>> > Stephen Smalley wrote:
>> >>
>> >> On Tue, 2008-07-08 at 14:02 -0500, Xavier Toth wrote:
>> >>
>> >>>
>> >>> Using MLS enforcing in a gnome-terminal with context
>> >>> user_u:user_r:user_t:s0-s15:c0.c1023 I run newrole and get these
>> >>> results
>> >>>
>> >>> newrole -l s1-s1 -- -c "gnome-terminal --disable-factory"
>> >>> Password:
>> >>> **
>> >>> ** ERROR:(terminal.c:1016):new_terminal_with_options: assertion
>> >>> failed: (profile)
>> >>>
>> >>>
>> >>> I think Joe straced this and has a little more info if he'd like to chime
>> >>> in.
>> >>>
>> >>
>> >> So, I assume that this does not happen if in permissive mode?
>> >> What AVC denials occur? Run semodule -DB and retry if there are no AVCs
>> >> by default.
>> >>
>> >> What is the application trying to do at that point (look at the source
>> >> code and/or ask on the gnome lists)? What are the possible failure
>> >> conditions there? What external dependencies does it have?
>> >> strace output might help if you have it.
>> >>
>> >>
>> >
>> > Sorry to have bothered you. Looks like it has something to do with
>> > polyinstantiation of ~/.gnome or ~/.gnome2. We haven't seen this with
>> > previous versions even when polyinstantiating :(
>> >
>> >
>>
>> Hmmm this was a bit of a rush to judgment :( It actually turned out
>> that if I don't polyinstantiate /tmp then I can start gnome-terminal
>> as shown in permissive but it still doesn't work in enforcing. I tried
>> turning off dontaudit but I'm not seeing any AVC out of
>> gnome-terminal. I've attached a strace maybe you'll see something that
>> I don't.
>
> Look for any avcs at all - they might be occurring during the
> polyinstantiation, or from dbus, or from the X server.
>
> Also, run the strace while permissive and diff the two strace outputs to
> see how they differ (imperfect, there will be noise, but helpful
> nonetheless).
>
> I see quite a few ENOENTs in there, e.g. on the .gnome2 files, not sure
> how many of those are expected/harmless.
>
> --
> Stephen Smalley
> National Security Agency
>
>
Comparing straces, when gnome-terminal fails to start there is a
problem with it talking to dbus (~line 1062 of the trace I attached
previously).