* SELinux: avc_has_perm: unexpected error 22
@ 2011-03-21 16:52 ` Justin P. Mattock
  0 siblings, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-21 16:52 UTC (permalink / raw)
  To: refpolicy, selinux

this is showing up with the latest Mainline kernel.
gdm craps out..:

[    60.817] (II) Unloading synaptics
[    60.822] SELinux: avc_has_perm: unexpected error 22
[    60.822] SELinux: avc_has_perm: unexpected error 22
[    60.828] SELinux: avc_has_perm: unexpected error 22
[    60.831] SELinux: avc_has_perm: unexpected error 22
[    60.871] SELinux: avc_has_perm: unexpected error 22
[    60.871] SELinux: avc_has_perm: unexpected error 22
[    60.881] (II) UnloadModule: "mouse"
[    60.881] (II) Unloading mouse


full xorg.0.log is here:
http://fpaste.org/OOM2/

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-21 16:52 ` [refpolicy] " Justin P. Mattock
@ 2011-03-23 18:07   ` Justin P. Mattock
  -1 siblings, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-23 18:07 UTC (permalink / raw)
  To: refpolicy, selinux, xorg

On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> this is showing up with the latest Mainline kernel.
> gdm craps out..:
>
> [ 60.817] (II) Unloading synaptics
> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> [ 60.881] (II) UnloadModule: "mouse"
> [ 60.881] (II) Unloading mouse
>
>
> full xorg.0.log is here:
> http://fpaste.org/OOM2/
>
> Justin P. Mattock

seems doing a bisect right now during the merge window is breaking,
anyways looking through the commits I think this:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab

might be what I am hitting, causing gdm to die out, as it starts.

any ideas?

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-23 18:07   ` [refpolicy] " Justin P. Mattock
@ 2011-03-24  2:30     ` Justin P. Mattock
  -1 siblings, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-24  2:30 UTC (permalink / raw)
  To: refpolicy, selinux, xorg

On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>> this is showing up with the latest Mainline kernel.
>> gdm craps out..:
>>
>> [ 60.817] (II) Unloading synaptics
>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>> [ 60.881] (II) UnloadModule: "mouse"
>> [ 60.881] (II) Unloading mouse
>>
>>
>> full xorg.0.log is here:
>> http://fpaste.org/OOM2/
>>
>> Justin P. Mattock
>
> seems doing a bisect right now during the merge window is breaking,
> anyways looking through the commits I think this:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>
>
> might be what I am hitting, causing gdm to die out, as it starts.
>
> any ideas?
>
> Justin P. Mattock

not sure if anybody is seeing this or hitting this with the current,
but reverting the above commit does not fix the problem.
will try another bisect(hopefully)

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24  2:30     ` [refpolicy] " Justin P. Mattock
@ 2011-03-24 13:58       ` Stephen Smalley
  -1 siblings, 0 replies; 24+ messages in thread
From: Stephen Smalley @ 2011-03-24 13:58 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: refpolicy, selinux

On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> > On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >> this is showing up with the latest Mainline kernel.
> >> gdm craps out..:
> >>
> >> [ 60.817] (II) Unloading synaptics
> >> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >> [ 60.881] (II) UnloadModule: "mouse"
> >> [ 60.881] (II) Unloading mouse
> >>
> >>
> >> full xorg.0.log is here:
> >> http://fpaste.org/OOM2/
> >>
> >> Justin P. Mattock
> >
> > seems doing a bisect right now during the merge window is breaking,
> > anyways looking through the commits I think this:
> >
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >
> >
> > might be what I am hitting, causing gdm to die out, as it starts.
> >
> > any ideas?
> >
> > Justin P. Mattock
> 
> not sure if anybody is seeing this or hitting this with the current,
> but reverting the above commit does not fix the problem.
> will try another bisect(hopefully)

Are you sure it is a kernel issue?  Seems more likely that it would be a
policy problem.  What AVC denials are you getting?

-- 
Stephen Smalley
National Security Agency


* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24 13:58       ` [refpolicy] " Stephen Smalley
@ 2011-03-24 16:26         ` Justin P. Mattock
  -1 siblings, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-24 16:26 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: refpolicy, selinux

On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>> this is showing up with the latest Mainline kernel.
>>>> gdm craps out..:
>>>>
>>>> [ 60.817] (II) Unloading synaptics
>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>> [ 60.881] (II) Unloading mouse
>>>>
>>>>
>>>> full xorg.0.log is here:
>>>> http://fpaste.org/OOM2/
>>>>
>>>> Justin P. Mattock
>>>
>>> seems doing a bisect right now during the merge window is breaking,
>>> anyways looking through the commits I think this:
>>>
>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>
>>>
>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>
>>> any ideas?
>>>
>>> Justin P. Mattock
>>
>> not sure if anybody is seeing this or hitting this with the current,
>> but reverting the above commit does not fix the problem.
>> will try another bisect(hopefully)
>
> Are you sure it is a kernel issue?  Seems more likely that it would be a
> policy problem.  What AVC denials are you getting?
>


strange.. was not even thinking of the avc's because the policy has 
already been customized and has been working for a while now without 
adding any rules.

Anyways you're right, seems the labels get changed or something with this
kernel or something:
http://fpaste.org/w4nK/

Justin P. Mattock


* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24 16:26         ` [refpolicy] " Justin P. Mattock
  (?)
@ 2011-03-24 20:13         ` Stephen Smalley
  2011-03-24 20:22           ` Justin P. Mattock
  -1 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2011-03-24 20:13 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: selinux, Eric Paris, Harry Ciao

On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> > On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> >> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> >>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >>>> this is showing up with the latest Mainline kernel.
> >>>> gdm craps out..:
> >>>>
> >>>> [ 60.817] (II) Unloading synaptics
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>> [ 60.881] (II) UnloadModule: "mouse"
> >>>> [ 60.881] (II) Unloading mouse
> >>>>
> >>>>
> >>>> full xorg.0.log is here:
> >>>> http://fpaste.org/OOM2/
> >>>>
> >>>> Justin P. Mattock
> >>>
> >>> seems doing a bisect right now during the merge window is breaking,
> >>> anyways looking through the commits I think this:
> >>>
> >>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >>>
> >>>
> >>> might be what I am hitting, causing gdm to die out, as it starts.
> >>>
> >>> any ideas?
> >>>
> >>> Justin P. Mattock
> >>
> >> not sure if anybody is seeing this or hitting this with the current,
> >> but reverting the above commit does not fix the problem.
> >> will try another bisect(hopefully)
> >
> > Are you sure it is a kernel issue?  Seems more likely that it would be a
> > policy problem.  What AVC denials are you getting?
> >
> 
> 
> strange.. was not even thinking of the avc's because the policy has 
> already been customized and has been working for a while now without 
> adding any rules.
> 
> Anyways you're right, seems the labels get changed or something with this
> kernel or something:
> http://fpaste.org/w4nK/

audit(1300983537.941:34): security_compute_sid:  invalid context
system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable

This looks like it might be a kernel regression after all.
security_compute_sid should return object_r for tclass x_drawable, not
system_r.  Likely due to the recent changes there to support socket type
transitions.  Not sure exactly what is going wrong, as it should only
happen on the socket classes.

-- 
Stephen Smalley
National Security Agency



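The check Stephen Smalley describes in the message above (a computed context for a non-socket object class such as x_drawable should carry role object_r, not the source's role), written as a log triage script. This is an added example, not code from the thread or from the kernel; the rule that only "process" and classes whose names end in "socket" inherit the source role is an assumption drawn from his remark, and every record in SAMPLE except the first is constructed.

```python
import re

# One "invalid context" record as logged from security_compute_sid.
# \s+ between fields lets the pattern span the line wrapping added by e-mail.
RECORD_RE = re.compile(
    r"audit\((?P<stamp>[\d.]+:\d+)\):\s+security_compute_sid:\s+invalid context\s+"
    r"(?P<newcon>\S+)\s+for\s+scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Leading "> > >>" reply markers, so records quoted in a thread still parse.
QUOTE_PREFIX_RE = re.compile(r"(?m)^(?:>[ \t]?)+")


def strip_quote_markers(text):
    """Remove e-mail quote prefixes from the start of every line."""
    return QUOTE_PREFIX_RE.sub("", text)


def role_of(context):
    """Return the role field of a user:role:type[:range] context, or None."""
    parts = context.split(":")
    return parts[1] if len(parts) >= 3 else None


def inherits_source_role(tclass):
    # Assumption (from the message above): only process and socket classes
    # take the role of the source context; every other class gets object_r.
    return tclass == "process" or tclass.endswith("socket")


def find_role_regressions(text):
    """Return the records whose computed role is wrong for their class."""
    findings = []
    for match in RECORD_RE.finditer(strip_quote_markers(text)):
        rec = match.groupdict()
        if inherits_source_role(rec["tclass"]):
            expected = role_of(rec["scon"])
        else:
            expected = "object_r"
        computed = role_of(rec["newcon"])
        if computed != expected:
            rec["computed_role"] = computed
            rec["expected_role"] = expected
            findings.append(rec)
    return findings


# First record: the one quoted in this thread, with its original wrapping.
# Second and third records: constructed, with made-up type names.
SAMPLE = """\
audit(1300983537.941:34): security_compute_sid:  invalid context
system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
audit(1300983600.100:41): security_compute_sid:  invalid context
system_u:system_r:example_sock_t:s0 for
scontext=system_u:system_r:example_t:s0
tcontext=system_u:object_r:example_t:s0 tclass=tcp_socket
audit(1300983601.200:42): security_compute_sid:  invalid context
system_u:object_r:example_file_t:s0 for
scontext=system_u:system_r:example_t:s0
tcontext=system_u:object_r:example_dir_t:s0 tclass=file
"""

if __name__ == "__main__":
    for hit in find_role_regressions(SAMPLE):
        print("%s tclass=%s: role %s, expected %s" % (
            hit["stamp"], hit["tclass"],
            hit["computed_role"], hit["expected_role"]))
```

The two constructed records are still invalid contexts, but for some other reason than the role, so they are not reported.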
* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24 20:13         ` Stephen Smalley
@ 2011-03-24 20:22           ` Justin P. Mattock
  2011-03-24 20:24             ` Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-24 20:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Eric Paris, Harry Ciao

On 03/24/2011 01:13 PM, Stephen Smalley wrote:
> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>> this is showing up with the latest Mainline kernel.
>>>>>> gdm craps out..:
>>>>>>
>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>
>>>>>>
>>>>>> full xorg.0.log is here:
>>>>>> http://fpaste.org/OOM2/
>>>>>>
>>>>>> Justin P. Mattock
>>>>>
>>>>> seems doing a bisect right now during the merge window is breaking,
>>>>> anyways looking through the commits I think this:
>>>>>
>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>
>>>>>
>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>
>>>>> any ideas?
>>>>>
>>>>> Justin P. Mattock
>>>>
>>>> not sure if anybody is seeing this or hitting this with the current,
>>>> but reverting the above commit does not fix the problem.
>>>> will try another bisect(hopefully)
>>>
>>> Are you sure it is a kernel issue?  Seems more likely that it would be a
>>> policy problem.  What AVC denials are you getting?
>>>
>>
>>
>> strange.. was not even thinking of the avc's because the policy has
>> already been customized and has been working for a while now without
>> adding any rules.
>>
>> Anyways you're right, seems the labels get changed or something with this
>> kernel or something:
>> http://fpaste.org/w4nK/
>
> audit(1300983537.941:34): security_compute_sid:  invalid context
> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>
> This looks like it might be a kernel regression after all.
> security_compute_sid should return object_r for tclass x_drawable, not
> system_r.  Likely due to the recent changes there to support socket type
> transitions.  Not sure exactly what is going wrong, as it should only
> happen on the socket classes.
>

alright!!

as for good kernel:
2.6.38-00071-g5a69473
is the last good one I have, so bisecting won't be too much but if I hit
the breakage like last time it might slow things down and/or ruin the 
bisect.

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24 20:22           ` Justin P. Mattock
@ 2011-03-24 20:24             ` Stephen Smalley
  2011-03-24 20:43               ` Justin P. Mattock
  0 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2011-03-24 20:24 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: selinux, Eric Paris, Harry Ciao

On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
> > On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
> >> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
> >>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
> >>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
> >>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
> >>>>>> this is showing up with the latest Mainline kernel.
> >>>>>> gdm craps out..:
> >>>>>>
> >>>>>> [ 60.817] (II) Unloading synaptics
> >>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
> >>>>>> [ 60.881] (II) UnloadModule: "mouse"
> >>>>>> [ 60.881] (II) Unloading mouse
> >>>>>>
> >>>>>>
> >>>>>> full xorg.0.log is here:
> >>>>>> http://fpaste.org/OOM2/
> >>>>>>
> >>>>>> Justin P. Mattock
> >>>>>
> >>>>> seems doing a bisect right now during the merge window is breaking,
> >>>>> anyways looking through the commits I think this:
> >>>>>
> >>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
> >>>>>
> >>>>>
> >>>>> might be what I am hitting, causing gdm to die out, as it starts.
> >>>>>
> >>>>> any ideas?
> >>>>>
> >>>>> Justin P. Mattock
> >>>>
> >>>> not sure if anybody is seeing this or hitting this with the current,
> >>>> but reverting the above commit does not fix the problem.
> >>>> will try another bisect(hopefully)
> >>>
> >>> Are you sure it is a kernel issue?  Seems more likely that it would be a
> >>> policy problem.  What AVC denials are you getting?
> >>>
> >>
> >>
> >> strange.. was not even thinking of the avc's because the policy has
> >> already been customized and has been working for a while now without
> >> adding any rules.
> >>
> >> Anyways you're right, seems the labels get changed or something with this
> >> kernel or something:
> >> http://fpaste.org/w4nK/
> >
> > audit(1300983537.941:34): security_compute_sid:  invalid context
> > system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
> > scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
> >
> > This looks like it might be a kernel regression after all.
> > security_compute_sid should return object_r for tclass x_drawable, not
> > system_r.  Likely due to the recent changes there to support socket type
> > transitions.  Not sure exactly what is going wrong, as it should only
> > happen on the socket classes.
> >
> 
> alright!!
> 
> as for good kernel:
> 2.6.38-00071-g5a69473
> is the last good one I have, so bisecting won't be too much but if I hit
> the breakage like last time it might slow things down and/or ruin the 
> bisect.

If it is what I think it is, then the breakage would be commit
6f5317e730505d5cbc851c435a2dfe3d5a21d343

-- 
Stephen Smalley
National Security Agency


* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24 20:24             ` Stephen Smalley
@ 2011-03-24 20:43               ` Justin P. Mattock
  2011-03-25  3:18                 ` Harry Ciao
  0 siblings, 1 reply; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-24 20:43 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Eric Paris, Harry Ciao

On 03/24/2011 01:24 PM, Stephen Smalley wrote:
> On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
>> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
>>> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>>>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>>>> this is showing up with the latest Mainline kernel.
>>>>>>>> gdm craps out..:
>>>>>>>>
>>>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>>>
>>>>>>>>
>>>>>>>> full xorg.0.log is here:
>>>>>>>> http://fpaste.org/OOM2/
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>> seems doing a bisect right now during the merge window is breaking,
>>>>>>> anyways looking through the commits I think this:
>>>>>>>
>>>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>>>
>>>>>>>
>>>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>>>
>>>>>>> any ideas?
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>>
>>>>>> not sure if anybody is seeing this or hitting this with the current,
>>>>>> but reverting the above commit does not fix the problem.
>>>>>> will try another bisect(hopefully)
>>>>>
>>>>> Are you sure it is a kernel issue?  Seems more likely that it would be a
>>>>> policy problem.  What AVC denials are you getting?
>>>>>
>>>>
>>>>
>>>> strange.. was not even thinking of the avc's because the policy has
>>>> already been customized and has been working for a while now without
>>>> adding any rules.
>>>>
>>>> Anyways you're right, seems the labels get changed or something with this
>>>> kernel or something:
>>>> http://fpaste.org/w4nK/
>>>
>>> audit(1300983537.941:34): security_compute_sid:  invalid context
>>> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
>>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>>>
>>> This looks like it might be a kernel regression after all.
>>> security_compute_sid should return object_r for tclass x_drawable, not
>>> system_r.  Likely due to the recent changes there to support socket type
>>> transitions.  Not sure exactly what is going wrong, as it should only
>>> happen on the socket classes.
>>>
>>
>> alright!!
>>
>> as for good kernel:
>> 2.6.38-00071-g5a69473
>> is the last good one I have, so bisecting won't be too much but if I hit
>> the breakage like last time it might slow things down and/or ruin the
>> bisect.
>
> If it is what I think it is, then the breakage would be commit
> 6f5317e730505d5cbc851c435a2dfe3d5a21d343
>

yep!

reverting that commit gets gdm to not crap out.
full dmesg here:
http://fpaste.org/34DC/

Justin P. Mattock

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-24 20:43               ` Justin P. Mattock
@ 2011-03-25  3:18                 ` Harry Ciao
  2011-03-25 12:26                   ` Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Harry Ciao @ 2011-03-25  3:18 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: Stephen Smalley, selinux, Eric Paris

Hi Justin,

Justin P. Mattock wrote:
> On 03/24/2011 01:24 PM, Stephen Smalley wrote:
>> On Thu, 2011-03-24 at 13:22 -0700, Justin P. Mattock wrote:
>>> On 03/24/2011 01:13 PM, Stephen Smalley wrote:
>>>> On Thu, 2011-03-24 at 09:26 -0700, Justin P. Mattock wrote:
>>>>> On 03/24/2011 06:58 AM, Stephen Smalley wrote:
>>>>>> On Wed, 2011-03-23 at 19:30 -0700, Justin P. Mattock wrote:
>>>>>>> On 03/23/2011 11:07 AM, Justin P. Mattock wrote:
>>>>>>>> On 03/21/2011 09:52 AM, Justin P. Mattock wrote:
>>>>>>>>> this is showing up with the latest Mainline kernel.
>>>>>>>>> gdm craps out..:
>>>>>>>>>
>>>>>>>>> [ 60.817] (II) Unloading synaptics
>>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.822] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.828] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.831] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.871] SELinux: avc_has_perm: unexpected error 22
>>>>>>>>> [ 60.881] (II) UnloadModule: "mouse"
>>>>>>>>> [ 60.881] (II) Unloading mouse
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> full xorg.0.log is here:
>>>>>>>>> http://fpaste.org/OOM2/
>>>>>>>>>
>>>>>>>>> Justin P. Mattock
>>>>>>>>
>>>>>>>> seems doing a bisect right now during the merge window is
>>>>>>>> breaking,
>>>>>>>> anyways looking through the commits I think this:
>>>>>>>>
>>>>>>>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6;hp=06dc94b1ed05f91e246315afeb1c652d6d0dc9ab
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> might be what I am hitting, causing gdm to die out, as it starts.
>>>>>>>>
>>>>>>>> any ideas?
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>> not sure if anybody is seeing this or hitting this with the
>>>>>>> current,
>>>>>>> but reverting the above commit does not fix the problem.
>>>>>>> will try another bisect(hopefully)
>>>>>>
>>>>>> Are you sure it is a kernel issue? Seems more likely that it
>>>>>> would be a
>>>>>> policy problem. What AVC denials are you getting?
>>>>>>
>>>>>
>>>>>
>>>>> strange.. was not even thinking of the avc's because the policy has
>>>>> already been customized and has been working for a while now without
>>>>> adding any rules.
>>>>>
>>>>> Anyways you're right, seems the labels get changed or something with
>>>>> this
>>>>> kernel or something:
>>>>> http://fpaste.org/w4nK/
>>>>
>>>> audit(1300983537.941:34): security_compute_sid: invalid context
>>>> system_u:system_r:root_xdrawable_t:s0-s0:c0.c1023 for
>>>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_drawable
>>>>
>>>> This looks like it might be a kernel regression after all.
>>>> security_compute_sid should return object_r for tclass x_drawable, not
>>>> system_r. Likely due to the recent changes there to support socket
>>>> type
>>>> transitions. Not sure exactly what is going wrong, as it should only
>>>> happen on the socket classes.
>>>>
>>>
>>> alright!!
>>>
>>> as for good kernel:
>>> 2.6.38-00071-g5a69473
>>> is the last good one I have, so bisecting won't be too much but if I hit
>>> the breakage like last time it might slow things down and/or ruin the
>>> bisect.
>>
>> If it is what I think it is, then the breakage would be commit
>> 6f5317e730505d5cbc851c435a2dfe3d5a21d343
>>
>
> yep!
>
> reverting that commit gets gdm to not crap out.
> full dmesg here:
> http://fpaste.org/34DC/
>
> Justin P. Mattock
>
So far I have not got an environment like yours to reproduce this problem.
Could you please kindly print the orig_class and the sock boolean in
your case? It's weird since so far only the process and socket classes
could retain the creator's role; objects of any other class should have
"object_r" as usual.

Many thanks for your help!

Best regards,
Harry


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-25  3:18                 ` Harry Ciao
@ 2011-03-25 12:26                   ` Stephen Smalley
  2011-03-25 12:34                     ` Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2011-03-25 12:26 UTC (permalink / raw)
  To: qingtao.cao; +Cc: Justin P. Mattock, selinux, Eric Paris

On Fri, 2011-03-25 at 11:18 +0800, Harry Ciao wrote:
> So far I have not got an environment like yours to reproduce this problem.
> Could you please kindly print the orig_class and the sock boolean in
> your case? It's weird since so far only the process and socket classes
> could retain the creator's role; objects of any other class should have
> "object_r" as usual.
> 
> Many thanks for your help!

You can exercise the code without using XACE/XSELinux by running the
compute_create program from libselinux/utils, e.g.
$ compute_create `id -Z` `id -Z` x_drawable

I think the bug lies in map_class() handling of the case where the
userspace object class has no corresponding kernel class, as would be
the case for the x_* classes.  map_class() should likely return 0
(SECCLASS_NULL) in that case rather than pol_value and thereby ensure
that we won't match any legitimate kernel class value.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 24+ messages in thread
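
The fallthrough case described in the message above, as an added example: a simplified model written for this archive page, not the kernel's code. Only map_class(), pol_value and SECCLASS_NULL come from the thread; the class numbers, the mapping table and the other helper names are constructed so that the userspace-only class value collides with a socket class index.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t u16;

#define SECCLASS_NULL 0

/* Constructed kernel class indices for this model (not the kernel's numbering). */
enum { K_PROCESS = 1, K_FILE = 2, K_TCP_SOCKET = 3, K_COUNT };

/* Constructed mapping: kernel class index -> class value in the loaded policy. */
static const u16 current_mapping[K_COUNT] = {
    [K_PROCESS] = 10, [K_FILE] = 11, [K_TCP_SOCKET] = 12,
};

/* Constructed policy values. x_drawable is a userspace-only class, so it has no
 * entry in current_mapping; its value equals the kernel index K_TCP_SOCKET. */
enum { POL_PROCESS = 10, POL_FILE = 11, POL_TCP_SOCKET = 12, POL_X_DRAWABLE = 3 };

/* Behaviour before the patch: an unmapped value is passed through unchanged. */
static u16 map_class_before(u16 pol_value)
{
    for (u16 i = 1; i < K_COUNT; i++)
        if (current_mapping[i] == pol_value)
            return i;
    return pol_value;
}

/* Behaviour after the patch: an unmapped value becomes SECCLASS_NULL. */
static u16 map_class_after(u16 pol_value)
{
    for (u16 i = 1; i < K_COUNT; i++)
        if (current_mapping[i] == pol_value)
            return i;
    return SECCLASS_NULL;
}

/* Hypothetical helper: is this kernel class index a socket class? */
static bool is_socket_class(u16 kclass)
{
    return kclass == K_TCP_SOCKET;
}

/* Role of a new object requested from userspace with a policy class value:
 * process and socket classes keep the creator's role, every other class gets
 * object_r (the rule stated in the thread). */
static const char *computed_role(u16 pol_tclass, u16 (*map_class)(u16),
                                 const char *creator_role)
{
    bool sock = is_socket_class(map_class(pol_tclass));

    if (pol_tclass == POL_PROCESS || sock)
        return creator_role;
    return "object_r";
}

int main(void)
{
    printf("x_drawable, pass-through: %s\n",
           computed_role(POL_X_DRAWABLE, map_class_before, "system_r"));
    printf("x_drawable, SECCLASS_NULL: %s\n",
           computed_role(POL_X_DRAWABLE, map_class_after, "system_r"));
    printf("tcp_socket, SECCLASS_NULL: %s\n",
           computed_role(POL_TCP_SOCKET, map_class_after, "system_r"));
    return 0;
}
```

In the model, the pass-through version hands the x_drawable value to the socket check as if it were a kernel class index, which reproduces the system_r role seen in the audit message instead of object_r.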

* Re: SELinux: avc_has_perm: unexpected error 22
  2011-03-25 12:26                   ` Stephen Smalley
@ 2011-03-25 12:34                     ` Stephen Smalley
  2011-03-25 14:13                       ` [PATCH] selinux: Fix regression for Xorg Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2011-03-25 12:34 UTC (permalink / raw)
  To: qingtao.cao; +Cc: Justin P. Mattock, selinux, Eric Paris

On Fri, 2011-03-25 at 08:26 -0400, Stephen Smalley wrote:
> On Fri, 2011-03-25 at 11:18 +0800, Harry Ciao wrote:
> > So far I have not got an environment like yours to reproduce this problem.
> > Could you please kindly print the orig_class and the sock boolean in
> > your case? It's weird since so far only the process and socket classes
> > could retain the creator's role; objects of any other class should have
> > "object_r" as usual.
> > 
> > Many thanks for your help!
> 
> You can exercise the code without using XACE/XSELinux by running the
> compute_create program from libselinux/utils, e.g.
> $ compute_create `id -Z` `id -Z` x_drawable
> 
> I think the bug lies in map_class() handling of the case where the
> userspace object class has no corresponding kernel class, as would be
> the case for the x_* classes.  map_class() should likely return 0
> (SECCLASS_NULL) in that case rather than pol_value and thereby ensure
> that we won't match any legitimate kernel class value.

To test this theory, Justin, can you try this patch?

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3e7544d..ea7c01f 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value)
 			return i;
 	}
 
-	return pol_value;
+	return SECCLASS_NULL;
 }
 
 static void map_decision(u16 tclass, struct av_decision *avd,
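
Review bot: the new fallthrough "return SECCLASS_NULL;" at the end of map_class() changes what every caller receives for a policy class with no kernel mapping, and the hunk shows none of those callers. Before this goes out as a formal patch, confirm that no caller uses the returned value as a policy class number, since it used to get pol_value back unchanged and now gets 0. A short comment above the return, saying that SECCLASS_NULL is returned so the result cannot match a legitimate kernel class value, would keep a later reader from restoring the pass-through.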


-- 
Stephen Smalley
National Security Agency



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH] selinux: Fix regression for Xorg
  2011-03-25 12:34                     ` Stephen Smalley
@ 2011-03-25 14:13                       ` Stephen Smalley
  2011-03-25 18:04                         ` Justin P. Mattock
  2011-03-26  3:03                         ` Justin P. Mattock
  0 siblings, 2 replies; 24+ messages in thread
From: Stephen Smalley @ 2011-03-25 14:13 UTC (permalink / raw)
  To: Eric Paris, James Morris; +Cc: qingtao.cao, Justin P. Mattock, selinux

Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the
handling of userspace object classes that is causing breakage for Xorg
when XSELinux is enabled.  Fix the bug by changing map_class() to return
SECCLASS_NULL when the class cannot be mapped to a kernel object class.

Reported-by:  "Justin P. Mattock" <justinmattock@gmail.com>
Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>

---

 security/selinux/ss/services.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3e7544d..ea7c01f 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value)
 			return i;
 	}
 
-	return pol_value;
+	return SECCLASS_NULL;
 }
 
 static void map_decision(u16 tclass, struct av_decision *avd,
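
Review bot: the commit message names the offending commit but not the mechanism, and the changed return at the end of map_class() carries no comment. State in the message that returning pol_value for an unmapped userspace class let that number be compared as if it were a kernel class value, which is why SECCLASS_NULL is returned instead. It would also help to record how the fix was checked, for example the compute_create run on x_drawable mentioned earlier in the thread, so the regression can be re-tested later.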

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* Re: [PATCH] selinux: Fix regression for Xorg
  2011-03-25 14:13                       ` [PATCH] selinux: Fix regression for Xorg Stephen Smalley
@ 2011-03-25 18:04                         ` Justin P. Mattock
  2011-03-26  3:03                         ` Justin P. Mattock
  1 sibling, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-25 18:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

alright!! patch applied to the current Mainline..
Yes this fixes the issue of gdm crapping out.

full dmesg below:
http://fpaste.org/Sgy7/

> Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the
> handling of userspace object classes that is causing breakage for Xorg
> when XSELinux is enabled.  Fix the bug by changing map_class() to return
> SECCLASS_NULL when the class cannot be mapped to a kernel object class.
>
> Reported-by:  "Justin P. Mattock"<justinmattock@gmail.com>
> Signed-off-by:  Stephen Smalley<sds@tycho.nsa.gov>
>
> ---
>
>   security/selinux/ss/services.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 3e7544d..ea7c01f 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value)
>   			return i;
>   	}
>
> -	return pol_value;
> +	return SECCLASS_NULL;
>   }
>
>   static void map_decision(u16 tclass, struct av_decision *avd,
>
> -- Stephen Smalley National Security Agency



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH] selinux: Fix regression for Xorg
  2011-03-25 14:13                       ` [PATCH] selinux: Fix regression for Xorg Stephen Smalley
  2011-03-25 18:04                         ` Justin P. Mattock
@ 2011-03-26  3:03                         ` Justin P. Mattock
  2011-03-28 12:42                           ` Stephen Smalley
  1 sibling, 1 reply; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-26  3:03 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

not sure what's going on now.. but loading up the latest on my iMac with
the below patch makes no difference, I still hit the bug. macbook pro
works fine (maybe something with the different video drivers or something)

full dmesg of my iMac here:
http://fpaste.org/SNFC/


> Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the
> handling of userspace object classes that is causing breakage for Xorg
> when XSELinux is enabled.  Fix the bug by changing map_class() to return
> SECCLASS_NULL when the class cannot be mapped to a kernel object class.
>
> Reported-by:  "Justin P. Mattock"<justinmattock@gmail.com>
> Signed-off-by:  Stephen Smalley<sds@tycho.nsa.gov>
>
> ---
>
>   security/selinux/ss/services.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 3e7544d..ea7c01f 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value)
>   			return i;
>   	}
>
> -	return pol_value;
> +	return SECCLASS_NULL;
>   }
>
>   static void map_decision(u16 tclass, struct av_decision *avd,
>



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH] selinux: Fix regression for Xorg
  2011-03-26  3:03                         ` Justin P. Mattock
@ 2011-03-28 12:42                           ` Stephen Smalley
  2011-03-28 14:24                             ` Stephen Smalley
  0 siblings, 1 reply; 24+ messages in thread
From: Stephen Smalley @ 2011-03-28 12:42 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
> not sure what's going on now.. but loading up the latest on my iMac with
> the below patch makes no difference, I still hit the bug. macbook pro
> works fine (maybe something with the different video drivers or something)
> 
> full dmesg of my iMac here:
> http://fpaste.org/SNFC/

Hi Justin,

I did before and after testing using the compute_create utility from
libselinux/utils, and it showed that the kernel returned the wrong
context prior to the patch and the right context afterward.  I'm
guessing you aren't booting the right kernel or didn't apply the patch
correctly.

You can run:
compute_create `id -Z` `id -Z` x_drawable
and see whether the returned context has object_r or not.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH] selinux: Fix regression for Xorg
  2011-03-28 12:42                           ` Stephen Smalley
@ 2011-03-28 14:24                             ` Stephen Smalley
  2011-03-28 16:20                               ` Justin P. Mattock
  2011-03-28 22:28                               ` Justin P. Mattock
  0 siblings, 2 replies; 24+ messages in thread
From: Stephen Smalley @ 2011-03-28 14:24 UTC (permalink / raw)
  To: Justin P. Mattock; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On Mon, 2011-03-28 at 08:42 -0400, Stephen Smalley wrote:
> On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
> > not sure what's going on now.. but loading up the latest on my iMac with
> > the below patch makes no difference, I still hit the bug. macbook pro
> > works fine (maybe something with the different video drivers or something)
> > 
> > full dmesg of my iMac here:
> > http://fpaste.org/SNFC/
> 
> Hi Justin,
> 
> I did before and after testing using the compute_create utility from
> libselinux/utils, and it showed that the kernel returned the wrong
> context prior to the patch and the right context afterward.  I'm
> guessing you aren't booting the right kernel or didn't apply the patch
> correctly.
> 
> You can run:
> compute_create `id -Z` `id -Z` x_drawable
> and see whether the returned context has object_r or not.

Also, I tested before and after the patch with Xorg, and confirmed that
the compute_sid errors vanished when using a kernel with the patch
applied.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH] selinux: Fix regression for Xorg
  2011-03-28 14:24                             ` Stephen Smalley
@ 2011-03-28 16:20                               ` Justin P. Mattock
  2011-03-28 22:28                               ` Justin P. Mattock
  1 sibling, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-28 16:20 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On 03/28/2011 07:24 AM, Stephen Smalley wrote:
> On Mon, 2011-03-28 at 08:42 -0400, Stephen Smalley wrote:
>> On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
>>> not sure what's going on now.. but loading up the latest on my iMac with
>>> the below patch makes no difference, I still hit the bug. macbook pro
>>> works fine (maybe something with the different video drivers or something)
>>>
>>> full dmesg of my iMac here:
>>> http://fpaste.org/SNFC/
>>
>> Hi Justin,
>>
>> I did before and after testing using the compute_create utility from
>> libselinux/utils, and it showed that the kernel returned the wrong
>> context prior to the patch and the right context afterward.  I'm
>> guessing you aren't booting the right kernel or didn't apply the patch
>> correctly.
>>
>> You can run:
>> compute_create `id -Z` `id -Z` x_drawable
>> and see whether the returned context has object_r or not.
>
> Also, I tested before and after the patch with Xorg, and confirmed that
> the compute_sid errors vanished when using a kernel with the patch
> applied.
>

I will retest that patch on that machine..(I was seeing crud with git)
other than that on the macbook patch works fine.

Justin P. Mattock


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PATCH] selinux: Fix regression for Xorg
  2011-03-28 14:24                             ` Stephen Smalley
  2011-03-28 16:20                               ` Justin P. Mattock
@ 2011-03-28 22:28                               ` Justin P. Mattock
  1 sibling, 0 replies; 24+ messages in thread
From: Justin P. Mattock @ 2011-03-28 22:28 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Eric Paris, James Morris, qingtao.cao, selinux

On 03/28/2011 07:24 AM, Stephen Smalley wrote:
> On Mon, 2011-03-28 at 08:42 -0400, Stephen Smalley wrote:
>> On Fri, 2011-03-25 at 20:03 -0700, Justin P. Mattock wrote:
>>> not sure what's going on now.. but loading up the latest on my iMac with
>>> the below patch makes no difference, I still hit the bug. macbook pro
>>> works fine (maybe something with the different video drivers or something)
>>>
>>> full dmesg of my iMac here:
>>> http://fpaste.org/SNFC/
>>
>> Hi Justin,
>>
>> I did before and after testing using the compute_create utility from
>> libselinux/utils, and it showed that the kernel returned the wrong
>> context prior to the patch and the right context afterward.  I'm
>> guessing you aren't booting the right kernel or didn't apply the patch
>> correctly.
>>
>> You can run:
>> compute_create `id -Z` `id -Z` x_drawable
>> and see whether the returned context has object_r or not.
>
> Also, I tested before and after the patch with Xorg, and confirmed that
> the compute_sid errors vanished when using a kernel with the patch
> applied.
>

apologize for that.. ended up putting the *_NULL in the wrong
function (unmap).. after correcting that everything runs the way it should.

Thanks for the help on this!

Justin P. Mattock


^ permalink raw reply	[flat|nested] 24+ messages in thread
