* [refpolicy] range_transitions not working
From: Xavier Toth @ 2008-11-13 14:25 UTC (permalink / raw)
  To: refpolicy

As part of my copy/paste policy development effort I've added the
following rules to my selection manager's policy:

       type $1_securecp_rootwindow_t;
       type_transition $1_securecp_t $2_rootwindow_t:x_drawable $1_securecp_rootwindow_t;
       range_transition $1_securecp_t $1_securecp_rootwindow_t:x_drawable s0 - s15:c0.c1023;

However, when the manager starts, the first window created isn't ranged
but the second one is. Can anyone think of a reason why this would
be?

node=comms type=USER_AVC msg=audit(1226245445.138:213): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { create setattr } for request=X11:CreateWindow comm=python
resid=2800001 restype=WINDOW
scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.138:214): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { blend } for request=X11:CreateWindow comm=python resid=2800001
restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.140:215): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { set_property } for request=X11:ChangeProperty comm=python
resid=2800001 restype=WINDOW
scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.140:216): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { receive } for  comm=python
scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:217): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { add_child } for request=X11:CreateWindow comm=python resid=2800001
restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:218): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { create setattr } for request=X11:CreateWindow comm=python
resid=2800002 restype=WINDOW
scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:219): user pid=3199
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { blend } for request=X11:CreateWindow comm=python resid=2800002
restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023
tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'

I also have:

       type $1_securecp_clipboard_xproperty_t;
       type_transition $1_securecp_t clipboard_xproperty_t:x_property $1_securecp_clipboard_xproperty_t;
       range_transition $1_securecp_t $1_securecp_clipboard_xproperty_t:x_property s0 - s15:c0.c1023;

in policy but these properties don't get labeled with the range.

node=comms type=USER_AVC msg=audit(1226249010.717:255): user pid=3198
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
 { write create } for request=X11:ChangeProperty comm=python
property=GDK_SELECTION
scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0
tclass=x_property : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
terminal=?)'

Ted

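As an added example (not part of Ted's post, the X server or refpolicy), here is a small parser for USER_AVC records of the kind shown above. The sample input is constructed from four of the records in the post with the mail wrapping undone so that each record is one line. The parser splits the security context without breaking on the ':' inside an MLS range, pulls out the object each denial refers to, and flags objects of the selection manager's types whose label did not receive the s0-s15:c0.c1023 range the range_transition rules were meant to give them. Run on the sample it reports window 2800001 and the GDK_SELECTION property (both labeled s0) and passes window 2800002 (full range), which is exactly the pattern Ted describes.

```python
import re

# Constructed sample: four USER_AVC records from the post, one per line
# (the mail client had wrapped them). Records 213/214 are two denials
# against the same window, which the report must not count twice.
SAMPLE_AUDIT = """\
node=comms type=USER_AVC msg=audit(1226245445.138:213): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { create setattr } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.138:214): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { blend } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:218): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { create setattr } for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226249010.717:255): user pid=3198 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied  { write create } for request=X11:ChangeProperty comm=python property=GDK_SELECTION scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0 tclass=x_property : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
"""

EXPECTED_RANGE = "s0-s15:c0.c1023"   # the range the range_transition rules promise

CTX_RE = re.compile(r"^([^:]+):([^:]+):([^:]+)(?::(.+))?$")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_context(ctx):
    """Split user:role:type[:range]. The MLS range may itself contain ':'
    (s0-s15:c0.c1023), so only the first three fields are split on ':'."""
    m = CTX_RE.match(ctx)
    if not m:
        raise ValueError("not a security context: %r" % ctx)
    user, role, type_, mls = m.groups()
    return {"user": user, "role": role, "type": type_, "range": mls or ""}


def parse_user_avc(line):
    """Return a dict for one USER_AVC record, or None for any other line."""
    if "type=USER_AVC" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    perms = PERMS_RE.search(line)
    serial = SERIAL_RE.search(line)
    # the object a denial refers to: a resource id for drawables,
    # the property name for x_property
    if "resid" in fields:
        ident = "resid=" + fields["resid"]
    elif "property" in fields:
        ident = "property=" + fields["property"]
    else:
        ident = "?"
    return {
        "serial": int(serial.group(1)) if serial else None,
        "perms": perms.group(1).split() if perms else [],
        "request": fields.get("request", ""),
        "tclass": fields.get("tclass", ""),
        "ident": ident,
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
    }


def parse_audit(text):
    return [r for r in (parse_user_avc(l) for l in text.splitlines()) if r]


def find_unranged(records, expected_range=EXPECTED_RANGE, type_prefix="user_securecp_"):
    """Objects of the selection manager's types whose label lacks the
    expected range. Each (class, object) pair is reported once, since
    every later denial against the same object repeats the same label."""
    seen = set()
    bad = []
    for r in records:
        if not r["tcontext"]["type"].startswith(type_prefix):
            continue
        key = (r["tclass"], r["ident"])
        if key in seen:
            continue
        seen.add(key)
        if r["tcontext"]["range"] != expected_range:
            bad.append(r)
    return bad


if __name__ == "__main__":
    for r in find_unranged(parse_audit(SAMPLE_AUDIT)):
        print("%s %s labeled %s:%s, expected range %s" % (
            r["tclass"], r["ident"], r["tcontext"]["type"],
            r["tcontext"]["range"], EXPECTED_RANGE))
```

The same check run over a live `ausearch -m USER_AVC` dump is a quick way to confirm which objects a range_transition rule actually reached before going hunting in the policy.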

* [refpolicy] range_transitions not working
From: Daniel J Walsh @ 2008-11-14 15:05 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xavier Toth wrote:
> As part of my copy/paste policy development effort I've added the
> following rules to my selection manager's policy:
> 
>        type $1_securecp_rootwindow_t;
>        type_transition $1_securecp_t $2_rootwindow_t:x_drawable $1_securecp_rootwindow_t;
>        range_transition $1_securecp_t $1_securecp_rootwindow_t:x_drawable s0 - s15:c0.c1023;
> 
> However, when the manager starts, the first window created isn't ranged
> but the second one is. Can anyone think of a reason why this would
> be?
> 
> node=comms type=USER_AVC msg=audit(1226245445.138:213): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { create setattr } for request=X11:CreateWindow comm=python
> resid=2800001 restype=WINDOW
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.138:214): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { blend } for request=X11:CreateWindow comm=python resid=2800001
> restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.140:215): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { set_property } for request=X11:ChangeProperty comm=python
> resid=2800001 restype=WINDOW
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.140:216): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { receive } for  comm=python
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:217): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { add_child } for request=X11:CreateWindow comm=python resid=2800001
> restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:218): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { create setattr } for request=X11:CreateWindow comm=python
> resid=2800002 restype=WINDOW
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:219): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { blend } for request=X11:CreateWindow comm=python resid=2800002
> restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> 
> I also have:
> 
>        type $1_securecp_clipboard_xproperty_t;
>        type_transition $1_securecp_t clipboard_xproperty_t:x_property $1_securecp_clipboard_xproperty_t;
>        range_transition $1_securecp_t $1_securecp_clipboard_xproperty_t:x_property s0 - s15:c0.c1023;
> 
> in policy but these properties don't get labeled with the range.
> 
> node=comms type=USER_AVC msg=audit(1226249010.717:255): user pid=3198
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc:  denied
>  { write create } for request=X11:ChangeProperty comm=python
> property=GDK_SELECTION
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0
> tclass=x_property : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> 
> Ted
I would guess this is a bug in the xserver?  Ask Eamon?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkdk6UACgkQrlYvE4MpobNpZgCfc3kLRRj5e7lBMEHtmXK2mwEO
gEwAmgPGQq/rmwg3VpHAZ+c+G0aiFj5S
=3HvT
-----END PGP SIGNATURE-----


* [refpolicy] range_transitions not working
From: Eamon Walsh @ 2008-11-14 20:25 UTC (permalink / raw)
  To: refpolicy

I found the problem: it's a bad range_transition rule.  The rule takes
the "related object" context, not the result of the type transition;
the attached patch fixes it for me.

Index: xserver.te
===================================================================
--- xserver.te	(revision 2877)
+++ xserver.te	(working copy)
@@ -743,7 +743,7 @@
 
 ifdef(`enable_mls',`
 	range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
-	range_transition xserver_t rootwindow_t:x_drawable s0 - mls_systemhigh;
+	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
 
 tunable_policy(`!xserver_object_manager',`
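Review bot: the only change in the hunk is the target type of the x_drawable range_transition, rootwindow_t to xserver_t, and nothing in the file says why; since the sock_file rule two lines above reads naturally as "key on the type of the object being created", the next reader is likely to "correct" it back to rootwindow_t. Suggest a comment above the rule, e.g. `# range_transition keys on the related object (the server itself for the root window), not on the type_transition result`, or at minimum that sentence in the commit message.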


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

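To make Eamon's point concrete, the following is an added example, not code from the thread, the X server or refpolicy. It is a simplified model of how a new object's label is computed (the real decision is the kernel's, made on the server's behalf): both type_transition and range_transition are looked up by (creator type, related-object type, class), where the related object is the parent the new window hangs off; with no matching type_transition the object takes the related object's type, and with no matching range_transition it gets only the creator's low level. Those defaults, and the expansion of $1 and $2 to "user" (so $2_rootwindow_t becomes user_rootwindow_t), are assumptions of the example. Fed Ted's rules as posted, the model reproduces his audit trail: the first window's parent is the root window, so the type_transition fires but the range rule, keyed on the result type, does not; the second window's parent is the first window, so the type is inherited and the range rule now matches. The corrected policy keys the range rule on the related object, which is the same correction Eamon's patch makes for the server's own root window; it also keeps a rule keyed on the manager's window type so that child windows stay ranged, an addition of mine that the thread does not discuss.

```python
from collections import namedtuple

# A security context; range is the MLS part in the form the audit records
# use ("s0" or "s0-s15:c0.c1023").
Context = namedtuple("Context", "user role type range")


def low_level(mls_range):
    """'s0-s15:c0.c1023' -> 's0'; a single level is its own low level."""
    return mls_range.split("-", 1)[0]


class Policy:
    """Assumed, simplified model of create-time labeling: both rule kinds
    are keyed on (creator type, related-object type, class)."""

    def __init__(self):
        self.type_transitions = {}
        self.range_transitions = {}

    def type_transition(self, src, related, cls, new_type):
        self.type_transitions[(src, related, cls)] = new_type

    def range_transition(self, src, related, cls, new_range):
        self.range_transitions[(src, related, cls)] = new_range

    def compute_create(self, creator, related, cls):
        key = (creator.type, related.type, cls)
        # no matching type_transition: the object takes the related object's type
        new_type = self.type_transitions.get(key, related.type)
        # no matching range_transition: the object gets only the creator's low level
        new_range = self.range_transitions.get(key, low_level(creator.range))
        return Context(creator.user, "object_r", new_type, new_range)


FULL_RANGE = "s0-s15:c0.c1023"
# $1 = $2 = "user": an assumption about how the interface was instantiated.
CREATOR = Context("user_u", "user_r", "user_securecp_t", FULL_RANGE)
ROOT_WINDOW = Context("system_u", "object_r", "user_rootwindow_t", FULL_RANGE)


def posted_policy():
    """The rules as posted: the range rule is keyed on the *result* of the
    type_transition, so it never matches a window whose parent is the root."""
    p = Policy()
    p.type_transition("user_securecp_t", "user_rootwindow_t", "x_drawable",
                      "user_securecp_rootwindow_t")
    p.range_transition("user_securecp_t", "user_securecp_rootwindow_t",
                       "x_drawable", FULL_RANGE)
    return p


def corrected_policy():
    """Range rules keyed on the related object: the root window for a
    top-level window, the manager's own window type for its children."""
    p = Policy()
    p.type_transition("user_securecp_t", "user_rootwindow_t", "x_drawable",
                      "user_securecp_rootwindow_t")
    p.range_transition("user_securecp_t", "user_rootwindow_t",
                       "x_drawable", FULL_RANGE)
    p.range_transition("user_securecp_t", "user_securecp_rootwindow_t",
                       "x_drawable", FULL_RANGE)
    return p


def create_two_windows(policy):
    """First window is a child of the root window; the second is a child of the first."""
    first = policy.compute_create(CREATOR, ROOT_WINDOW, "x_drawable")
    second = policy.compute_create(CREATOR, first, "x_drawable")
    return first, second


def fmt(ctx):
    return "%s:%s:%s:%s" % ctx


if __name__ == "__main__":
    for name, pol in (("posted", posted_policy()), ("corrected", corrected_policy())):
        first, second = create_two_windows(pol)
        print("%-9s first window  %s" % (name, fmt(first)))
        print("%-9s second window %s" % (name, fmt(second)))
```

The practical rule the model encodes: when a range_transition is meant to accompany a type_transition, key it on the same (source, target, class) triple as the type_transition, never on the type the transition produces.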

* [refpolicy] range_transitions not working
From: Christopher J. PeBenito @ 2008-11-17 13:58 UTC (permalink / raw)
  To: refpolicy

On Fri, 2008-11-14 at 15:25 -0500, Eamon Walsh wrote:
> I found the problem: it's a bad range_transition rule.  The rule takes
> the "related object" context, not the result of the type transition;
> the attached patch fixes it for me.

Merged.

> Index: xserver.te
> ===================================================================
> --- xserver.te	(revision 2877)
> +++ xserver.te	(working copy)
> @@ -743,7 +743,7 @@
>  
>  ifdef(`enable_mls',`
>  	range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
> -	range_transition xserver_t rootwindow_t:x_drawable s0 - mls_systemhigh;
> +	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
>  ')
>  
>  tunable_policy(`!xserver_object_manager',`
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

