* avc's generated causes the system to freeze up
@ 2009-12-11 21:44 ` Justin Mattock
0 siblings, 0 replies; 19+ messages in thread
From: Justin Mattock @ 2009-12-11 21:44 UTC (permalink / raw)
To: tresys, xorg, SE-Linux
I'm running X.Org X Server 1.7.99.2
not sure if this is fixed with the latest
but after building the latest refpolicy
and defining my allow rules, both
regularly, and with make enableaudit
I still get avc's being generated here and there,
but for some they seem to just spam Xorg.0.log
causing my system to freeze up.
here's an example:
(--) Synaptics Touchpad: touchpad found
(**) Option "SendCoreEvents" "true"
(**) Synaptics Touchpad: always reports core events
(II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
(**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
(**) Synaptics Touchpad: (accel) acceleration profile 0
(--) Synaptics Touchpad: touchpad found
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
same avc's but just keeps generating.
is there an option for this like
printk_ratelimit?
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: avc's generated causes the system to freeze up
2009-12-11 21:44 ` [refpolicy] " Justin Mattock
(?)
@ 2009-12-13 16:42 ` Guido Trentalancia
2009-12-13 18:11 ` Justin P. Mattock
-1 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2009-12-13 16:42 UTC (permalink / raw)
To: SE-Linux
Justin,
your question seems more of an audit question.
Why don't you use audit2allow to sort this out from a SELinux point of
view instead of trying to shut up audit?
Audit2allow can generate custom rules for you from the analysis of your
audit log messages. The rules can then be compiled into a custom policy
module, that you can install with semodule.
On Fri, 2009-12-11 at 13:44 -0800, Justin Mattock wrote:
> I'm running X.Org X Server 1.7.99.2
> not sure if this is fixed with the latest
> but after building the latest refpolicy
> and defining my allow rules, both
> regularly, and with make enableaudit
> I still get avc's being generated here and there,
> but for some they seem to just spam Xorg.0.log
> causing my system to freeze up.
> here's an example:
>
>
> (--) Synaptics Touchpad: touchpad found
> (**) Option "SendCoreEvents" "true"
> (**) Synaptics Touchpad: always reports core events
> (II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
> (**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
> (**) Synaptics Touchpad: (accel) acceleration profile 0
> (--) Synaptics Touchpad: touchpad found
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
>
>
> same avc's but just keeps generating.
> is there an option for this like
> printk_ratelimit?
>
>
* Re: avc's generated causes the system to freeze up
2009-12-13 16:42 ` Guido Trentalancia
@ 2009-12-13 18:11 ` Justin P. Mattock
2009-12-13 19:40 ` Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-13 18:11 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SE-Linux
On 12/13/09 08:42, Guido Trentalancia wrote:
> Justin,
>
> your question seems more of an audit question.
>
> Why don't you use audit2allow to sort this out from a SELinux point of
> view instead of trying to shut up audit?
>
> Audit2allow can generate custom rules for you from the analysis of your
> audit log messages. The rules can then be compiled into a custom policy
> module, that you can install with semodule.
>
>
I can easily create an allow rule with audit2allow.
The issue is not creating an allow rule,
but having Xorg.0.log spammed with a denial
causing the system to freeze up, until
the avc is done doing with whatever it's doing
(in this case logging many denials of the same one).
hence the reason for wondering if there's a mechanism that could
be put in place like printk_ratelimit for
Xorg.0.log this way I don't get spammed with a denial.
Justin P. Mattock
* Re: avc's generated causes the system to freeze up
2009-12-13 18:11 ` Justin P. Mattock
@ 2009-12-13 19:40 ` Guido Trentalancia
2009-12-13 20:23 ` Justin P. Mattock
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2009-12-13 19:40 UTC (permalink / raw)
To: SE-Linux
Have you tried tuning auditd and its dispatcher which could be audispd?
So for example, try feeding audispd with the following options:
q_depth: increase it from its default value (which is 80 on Redhat's
recent auditd)
priority_boost = 0
Finally, if things don't improve, you could also try:
overflow_action = suspend
Other than this I don't know how to help. Good luck.
On Sun, 2009-12-13 at 10:11 -0800, Justin P. Mattock wrote:
> On 12/13/09 08:42, Guido Trentalancia wrote:
> > Justin,
> >
> > your question seems more of an audit question.
> >
> > Why don't you use audit2allow to sort this out from a SELinux point of
> > view instead of trying to shut up audit?
> >
> > Audit2allow can generate custom rules for you from the analysis of your
> > audit log messages. The rules can then be compiled into a custom policy
> > module, that you can install with semodule.
> >
> >
>
> I can easily create an allow rule with audit2allow.
>
> The issue is not creating an allow rule,
> but having Xorg.0.log spammed with a denial
> causing the system to freeze up, until
> the avc is done doing with whatever it's doing
> (in this case logging many denials of the same one).
>
> hence the reason for wondering if there's a mechanism that could
> be put in place like printk_ratelimit for
> Xorg.0.log this way I don't get spammed with a denial.
>
> Justin P. Mattock
>
>
>
>
* Re: avc's generated causes the system to freeze up
2009-12-13 19:40 ` Guido Trentalancia
@ 2009-12-13 20:23 ` Justin P. Mattock
2009-12-14 9:56 ` Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-13 20:23 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SE-Linux
On 12/13/09 11:40, Guido Trentalancia wrote:
> Have you tried tuning auditd and its dispatcher which could be audispd?
>
> So for example, try feeding audispd with the following options:
>
> q_depth: increase it from its default value (which is 80 on Redhat's
> recent auditd)
> priority_boost = 0
>
> Finally, if things don't improve, you could also try:
>
> overflow_action = suspend
>
> Other than this I don't know how to help. Good luck.
>
>
well right now I don't really use auditd i.g.
the libraries are there but the daemon is off.
(I am not using fedora/redhat).
In any case it's not a worry because I can go ahead and add the
allow rules, moreover the main issue is the spamming
of log message which might/could result in some buffer thing
reason for wanting info if there is a mechanism
like printk_ratelimit etc.. for Xorg.0.log
Justin P. Mattock
* Re: avc's generated causes the system to freeze up
2009-12-13 20:23 ` Justin P. Mattock
@ 2009-12-14 9:56 ` Guido Trentalancia
2009-12-14 16:11 ` Justin P. Mattock
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2009-12-14 9:56 UTC (permalink / raw)
To: SE-Linux
Have you tried the "-r" option of auditctl? This would be something
similar to the kernel printk_ratelimit(). The default is 0, you should
increase it to a positive value representing a messages/second limit.
Guido
On Sun, 2009-12-13 at 12:23 -0800, Justin P. Mattock wrote:
> On 12/13/09 11:40, Guido Trentalancia wrote:
> > Have you tried tuning auditd and its dispatcher which could be audispd?
> >
> > So for example, try feeding audispd with the following options:
> >
> > q_depth: increase it from its default value (which is 80 on Redhat's
> > recent auditd)
> > priority_boost = 0
> >
> > Finally, if things don't improve, you could also try:
> >
> > overflow_action = suspend
> >
> > Other than this I don't know how to help. Good luck.
> >
> >
>
> well right now I don't really use auditd i.g.
> the libraries are there but the daemon is off.
> (I am not using fedora/redhat).
>
> In any case it's not a worry because I can go ahead and add the
> allow rules, moreover the main issue is the spamming
> of log message which might/could result in some buffer thing
> reason for wanting info if there is a mechanism
> like printk_ratelimit etc.. for Xorg.0.log
>
> Justin P. Mattock
>
>
>
>
* Re: avc's generated causes the system to freeze up
2009-12-14 9:56 ` Guido Trentalancia
@ 2009-12-14 16:11 ` Justin P. Mattock
2009-12-14 16:15 ` Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-14 16:11 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SE-Linux
On 12/14/09 01:56, Guido Trentalancia wrote:
> Have you tried the "-r" option of auditctl? This would be something
> similar to the kernel printk_ratelimit(). The default is 0, you should
> increase it to a positive value representing a messages/second limit.
>
> Guido
>
>
yeah but remember I have auditd off.
I can try and see...
Justin P. Mattock
* Re: avc's generated causes the system to freeze up
2009-12-14 16:11 ` Justin P. Mattock
@ 2009-12-14 16:15 ` Guido Trentalancia
2009-12-14 17:15 ` [refpolicy] " Justin P. Mattock
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2009-12-14 16:15 UTC (permalink / raw)
To: SE-Linux
Auditctl should operate at kernel-level. But these topics are all
off-theme from SELinux. You shouldn't post audit questions to a SELinux
mailing list.
On Mon, 2009-12-14 at 08:11 -0800, Justin P. Mattock wrote:
> On 12/14/09 01:56, Guido Trentalancia wrote:
> > Have you tried the "-r" option of auditctl? This would be something
> > similar to the kernel printk_ratelimit(). The default is 0, you should
> > increase it to a positive value representing a messages/second limit.
> >
> > Guido
> >
> >
>
> yeah but remember I have auditd off.
>
> I can try and see...
>
> Justin P. Mattock
>
* Re: avc's generated causes the system to freeze up
2009-12-14 16:15 ` Guido Trentalancia
@ 2009-12-14 17:15 ` Justin P. Mattock
0 siblings, 0 replies; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-14 17:15 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SE-Linux, xorg, refpolicy
On 12/14/09 08:15, Guido Trentalancia wrote:
> Auditctl should operate at kernel-level. But these topics are all
> off-theme from SELinux. You shouldn't post audit questions to a SELinux
> mailing list.
>
>
Probably should be refpolicy, and Xorg
because this pertains to
XACE, but you took these cc's off the e-mail!
Anyways, as for auditd keep in mind this has to do with
Xorg.0.log, nothing to do with anything
in /var/log/messages, or any other log message
that auditd reads (and remember I don't have auditd turned on).
So let's try again:
I'm running X.Org X Server 1.7.99.2
after building the latest refpolicy
and defining my allow rules (all of them as possible),
I seem to have some of them show up later in time.
(which is normal).
The problem that I have is on some occasions these
denials that show up long after I have defined as many
allow rules as possible, seem to be spamming my
Xorg.0.log, until I define them into the policy
with audit2allow.
my question is, is there a mechanism similar to printk_ratelimit
for Xorg.0.log so when this happens my Xorg.0.log
does not become spammed with one avc denial
causing my system to freeze up, until the avc denial has
done registering all of its denials or I allow it into the policy?
Justin P. Mattock
* Re: avc's generated causes the system to freeze up
2009-12-11 21:44 ` [refpolicy] " Justin Mattock
@ 2009-12-14 17:37 ` Eamon Walsh
-1 siblings, 0 replies; 19+ messages in thread
From: Eamon Walsh @ 2009-12-14 17:37 UTC (permalink / raw)
To: Justin Mattock; +Cc: tresys, xorg, SE-Linux
On 12/11/2009 04:44 PM, Justin Mattock wrote:
> I'm running X.Org X Server 1.7.99.2
> not sure if this is fixed with the latest
> but after building the latest refpolicy
> and defining my allow rules, both
> regularly, and with make enableaudit
> I still get avc's being generated here and there,
> but for some they seem to just spam Xorg.0.log
> causing my system to freeze up.
> here's an example:
>
If the denials are not causing a problem other than log spam, just use a
dontaudit rule to silence them.
>
> (--) Synaptics Touchpad: touchpad found
> (**) Option "SendCoreEvents" "true"
> (**) Synaptics Touchpad: always reports core events
> (II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
> (**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
> (**) Synaptics Touchpad: (accel) acceleration profile 0
> (--) Synaptics Touchpad: touchpad found
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
>
>
> same avc's but just keeps generating.
> is there an option for this like
> printk_ratelimit?
>
>
>
--
Eamon Walsh
National Security Agency
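
The dontaudit approach suggested in this message, as an added example that is not part of the original thread: a Python script that collapses repeated AVC denials from Xorg.0.log-style text and emits dontaudit rules only for the ones that flood. The module name `xorg_quiet`, the `min_repeats` threshold and the one-off `x_property` record are assumptions for illustration; the sample log is constructed from the denial quoted above.

```python
import re
from collections import Counter

# Constructed sample in Xorg.0.log layout. FLOOD is the denial quoted in the
# thread; ONE_OFF is an invented record so the threshold has something to skip.
FLOOD = (
    "(WW) avc: denied { getattr } for request=X11:QueryPointer\n"
    "comm=/usr/bin/pidgin resid=10001fc restype=WINDOW\n"
    "scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t\n"
    "tclass=x_drawable\n"
)
ONE_OFF = (
    "(WW) avc: denied { read } for request=X11:GetProperty\n"
    "comm=/usr/bin/xterm resid=20000a1 restype=PROPERTY\n"
    "scontext=justin:user_r:user_t tcontext=system_u:object_r:xserver_t\n"
    "tclass=x_property\n"
)
SAMPLE_LOG = (
    "(--) Synaptics Touchpad: touchpad found\n"
    + FLOOD * 10
    + ONE_OFF
    + "(II) XINPUT: Adding extended input device\n"
)

# A log entry starts with a two-character tag such as (WW) or (II); newer
# servers may put a "[  12.345]" timestamp in front of it.
TAG = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?\(\S\S\)\s")


def _type_of(context):
    """Return the type field of user:role:type[:mls], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_denials(text):
    """Return (source_type, target_type, tclass, perms) per AVC denial."""
    records, current = [], None
    for line in text.splitlines():
        if TAG.match(line):                  # a new log entry starts here
            if current is not None:
                records.append(" ".join(current))
            current = [line] if "avc: denied" in line else None
        elif current is not None:            # wrapped continuation line
            current.append(line.strip())
    if current is not None:
        records.append(" ".join(current))

    denials = []
    for rec in records:
        perms = re.search(r"denied\s*\{([^}]*)\}", rec)
        fields = dict(re.findall(r"(\w+)=(\S+)", rec))
        if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue                         # truncated record: skip it
        src, tgt = _type_of(fields["scontext"]), _type_of(fields["tcontext"])
        if src is None or tgt is None:
            continue
        denials.append(
            (src, tgt, fields["tclass"], tuple(sorted(perms.group(1).split())))
        )
    return denials


def dontaudit_module(denials, min_repeats=5, name="xorg_quiet"):
    """Build policy module source silencing denials seen >= min_repeats times.

    One-off denials are left out on purpose so they stay visible for review.
    Returns "" when nothing crosses the threshold.
    """
    counts = Counter(denials)
    noisy = sorted(d for d, n in counts.items() if n >= min_repeats)
    if not noisy:
        return ""
    types = sorted({t for src, tgt, _, _ in noisy for t in (src, tgt)})
    classes = {}
    for _, _, cls, perms in noisy:
        classes.setdefault(cls, set()).update(perms)

    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [
        f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
        for cls, p in sorted(classes.items())
    ]
    lines += ["}", ""]
    for src, tgt, cls, perms in noisy:
        lines.append(f"# seen {counts[(src, tgt, cls, perms)]} times")
        lines.append(f"dontaudit {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dontaudit_module(parse_denials(SAMPLE_LOG)))
```

A dontaudit rule only suppresses the log message; the access is still denied. The generated source can be compiled with checkmodule and semodule_package and installed with semodule.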
* Re: avc's generated causes the system to freeze up
2009-12-14 17:37 ` [refpolicy] " Eamon Walsh
@ 2009-12-14 18:39 ` Justin P. Mattock
-1 siblings, 0 replies; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-14 18:39 UTC (permalink / raw)
To: Eamon Walsh; +Cc: tresys, xorg, SE-Linux
On 12/14/09 09:37, Eamon Walsh wrote:
> On 12/11/2009 04:44 PM, Justin Mattock wrote:
>> I'm running X.Org X Server 1.7.99.2
>> not sure if this is fixed with the latest
>> but after building the latest refpolicy
>> and defining my allow rules, both
>> regularly, and with make enableaudit
>> I still get avc's being generated here and there,
>> but for some they seem to just spam Xorg.0.log
>> causing my system to freeze up.
>> here's an example:
>>
>
>
> If the denials are not causing a problem other than log spam, just use a
> dontaudit rule to silence them.
>
>
ahh.. didn't even think of that.
as for xace and everything, pretty good.
I'll just dontaudit (like you had mentioned)
those few avc denials that find themselves
showing up long after making the policy
and putting her into enforcing mode.
Justin P. Mattock
* Re: avc's generated causes the system to freeze up
2009-12-14 17:37 ` [refpolicy] " Eamon Walsh
@ 2009-12-14 18:39 ` Xavier Toth
-1 siblings, 0 replies; 19+ messages in thread
From: Xavier Toth @ 2009-12-14 18:39 UTC (permalink / raw)
To: Eamon Walsh; +Cc: Justin Mattock, tresys, xorg, SE-Linux
On Mon, Dec 14, 2009 at 11:37 AM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> On 12/11/2009 04:44 PM, Justin Mattock wrote:
>> I'm running X.Org X Server 1.7.99.2
>> not sure if this is fixed with the latest
>> but after building the latest refpolicy
>> and defining my allow rules, both
>> regularly, and with make enableaudit
>> I still get avc's being generated here and there,
>> but for some they seem to just spam Xorg.0.log
>> causing my system to freeze up.
>> here's an example:
>>
>
>
> If the denials are not causing a problem other than log spam, just use a
> dontaudit rule to silence them.
>
>
>
>>
>> (--) Synaptics Touchpad: touchpad found
>> (**) Option "SendCoreEvents" "true"
>> (**) Synaptics Touchpad: always reports core events
>> (II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
>> (**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
>> (**) Synaptics Touchpad: (accel) acceleration profile 0
>> (--) Synaptics Touchpad: touchpad found
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>>
>>
>> same avc's but just keeps generating.
>> is there an option for this like
>> printk_ratelimit?
>>
>>
>>
>
>
> --
>
> Eamon Walsh
> National Security Agency
>
>
>
Sounds to me like Justin needs the QueryPointer spoofing code.
Ted
* [refpolicy] avc's generated causes the system to freeze up
@ 2009-12-14 18:39 ` Xavier Toth
0 siblings, 0 replies; 19+ messages in thread
From: Xavier Toth @ 2009-12-14 18:39 UTC (permalink / raw)
To: refpolicy
On Mon, Dec 14, 2009 at 11:37 AM, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> On 12/11/2009 04:44 PM, Justin Mattock wrote:
>> I'm running X.Org X Server 1.7.99.2
>> not sure if this is fixed with the latest
>> but after building the latest refpolicy
>> and defining my allow rules, both
>> regularly, and with make enableaudit
>> I still get avc's being generated here and there,
>> but for some they seem to just spam Xorg.0.log
>> causing my system to freeze up.
>> here's an example:
>>
>
>
> If the denials are not causing a problem other than log spam, just use a
> dontaudit rule to silence them.
>
>
>
>>
>> (--) Synaptics Touchpad: touchpad found
>> (**) Option "SendCoreEvents" "true"
>> (**) Synaptics Touchpad: always reports core events
>> (II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
>> (**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
>> (**) Synaptics Touchpad: (accel) acceleration profile 0
>> (--) Synaptics Touchpad: touchpad found
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>>
>>
>> same avc's but just keeps generating.
>> is there an option for this like
>> printk_ratelimit?
>>
>>
>>
>
>
> --
>
> Eamon Walsh
> National Security Agency
>
>
>
Sounds to me like Justin needs the QueryPointer spoofing code.
Ted
* Re: avc's generated causes the system to freeze up
2009-12-14 18:39 ` [refpolicy] " Xavier Toth
@ 2009-12-14 19:13 ` Justin P. Mattock
-1 siblings, 0 replies; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-14 19:13 UTC (permalink / raw)
To: Xavier Toth; +Cc: Eamon Walsh, tresys, xorg, SE-Linux
> Sounds to me like Justin needs the QueryPointer spoofing code.
>
> Ted
>
I cut the thread to clean it up a bit.
As for QueryPointer not sure exactly
what that is. a quick Google showed
something about root window or something.
(similar to the avc's I've been seeing);
In any case what I'm doing here is I have one machine
set up with monolithic, and then another machine will
be a binary policy (just need to set up semanage user *)
Then if I get any of these leftover avc's I'll
put them under dontaudit and basically forget
about them.
looking at the git log there was some new stuff committed
towards the xserver, so within the next few days I might
as well pull all the xserver stuff, then go from there.
Justin P. Mattock
* [refpolicy] avc's generated causes the system to freeze up
@ 2009-12-14 19:13 ` Justin P. Mattock
0 siblings, 0 replies; 19+ messages in thread
From: Justin P. Mattock @ 2009-12-14 19:13 UTC (permalink / raw)
To: refpolicy
> Sounds to me like Justin needs the QueryPointer spoofing code.
>
> Ted
>
I cut the thread to clean it up a bit.
As for QueryPointer not sure exactly
what that is. a quick Google showed
something about root window or something.
(similar to the avc's I've been seeing);
In any case what I'm doing here is I have one machine
set up with monolithic, and then another machine will
be a binary policy (just need to set up semanage user *)
Then if I get any of these leftover avc's I'll
put them under dontaudit and basically forget
about them.
looking at the git log there was some new stuff committed
towards the xserver, so within the next few days I might
as well pull all the xserver stuff, then go from there.
Justin P. Mattock
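The dontaudit suggestion from this thread, worked through as an added example (not part of any message above, and not refpolicy or X.Org code): a Python script that re-joins the wrapped Xorg.0.log denials, collapses the repeats and emits the matching dontaudit rule. The function names and the sample log are constructed for illustration, following the denial format quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Xorg.0.log format quoted in the thread:
# each XACE denial wraps over four lines and repeats verbatim.
DENIAL = """(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
"""
SAMPLE_LOG = "(--) Synaptics Touchpad: touchpad found\n" + DENIAL * 3

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def join_records(text):
    """Re-join wrapped log entries: a new entry starts with a '(XX) ' marker."""
    records = []
    for line in text.splitlines():
        if re.match(r"\(..\)\s", line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def dontaudit_rules(text):
    """One dontaudit rule per (source type, target type, class), with a hit count."""
    perms, counts = defaultdict(set), Counter()
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        # A context is user:role:type[:mls]; the rule only needs the type.
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        perms[key].update(m["perms"].split())
        counts[key] += 1
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        names = " ".join(sorted(p))
        body = names if len(p) == 1 else "{ " + names + " }"
        rules.append(f"dontaudit {src} {tgt}:{cls} {body};  # seen {counts[src, tgt, cls]}x")
    return rules

if __name__ == "__main__":
    print("\n".join(dontaudit_rules(SAMPLE_LOG)))
```

A dontaudit rule only suppresses the log message; the access itself stays denied, so it fits the case described in the thread where the denial causes nothing worse than log spam.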
Thread overview: 19+ messages
2009-12-11 21:44 avc's generated causes the system to freeze up Justin Mattock
2009-12-11 21:44 ` [refpolicy] " Justin Mattock
2009-12-13 16:42 ` Guido Trentalancia
2009-12-13 18:11 ` Justin P. Mattock
2009-12-13 19:40 ` Guido Trentalancia
2009-12-13 20:23 ` Justin P. Mattock
2009-12-14 9:56 ` Guido Trentalancia
2009-12-14 16:11 ` Justin P. Mattock
2009-12-14 16:15 ` Guido Trentalancia
2009-12-14 17:15 ` Justin P. Mattock
2009-12-14 17:15 ` [refpolicy] " Justin P. Mattock
2009-12-14 17:37 ` Eamon Walsh
2009-12-14 17:37 ` [refpolicy] " Eamon Walsh
2009-12-14 18:39 ` Justin P. Mattock
2009-12-14 18:39 ` [refpolicy] " Justin P. Mattock
2009-12-14 18:39 ` Xavier Toth
2009-12-14 18:39 ` [refpolicy] " Xavier Toth
2009-12-14 19:13 ` Justin P. Mattock
2009-12-14 19:13 ` [refpolicy] " Justin P. Mattock