This is from dmesg, after running startxfce4 from console (and the X server fails to start with permission denied error): [ 110.392817] type=1401 audit(1334408174.770:11): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t for scontext=unconfined_u:unconfined_r:unconfined_t tcontext=system_u:object_r:xserver_exec_t tclass=process ... [ 732.169857] type=1401 audit(1334408796.547:21): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t for scontext=unconfined_u:unconfined_r:xserver_t tcontext=unconfined_u:unconfined_r:xserver_t tclass=unix_stream_socket ... [ 734.706029] type=1401 audit(1334408799.083:25): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t for scontext=unconfined_u:unconfined_r:xserver_t tcontext=system_u:object_r:shell_exec_t tclass=process ... [ 734.719838] type=1401 audit(1334408799.097:26): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t for scontext=unconfined_u:unconfined_r:xserver_t tcontext=system_u:object_r:bin_t tclass=process [ 734.943658] type=1401 audit(1334408799.321:27): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t for scontext=unconfined_u:unconfined_r:xserver_t tcontext=unconfined_u:unconfined_r:xserver_t tclass=netlink_kobject_uevent_socket [ 734.943782] type=1401 audit(1334408799.321:28): security_compute_sid: invalid context unconfined_u:unconfined_r:xserver_t for scontext=unconfined_u:unconfined_r:xserver_t tcontext=unconfined_u:unconfined_r:xserver_t tclass=netlink_kobject_uevent_socket This is after a successful rlpkg -a -r. X works in permissive mode. $ qlist -ICv sec-policy sec-policy/selinux-base-policy-2.20110726-r13 sec-policy/selinux-consolekit-2.20110726-r1 sec-policy/selinux-dbus-2.20110726-r2 sec-policy/selinux-desktop-2.20110726 sec-policy/selinux-dhcp-2.20110726-r2 sec-policy/selinux-gnupg-2.20101213-r2 sec-policy/selinux-gpg-2.20110726-r3 sec-policy/selinux-java-2.20110726 sec-policy/selinux-mono-2.20110726 sec-policy/selinux-mplayer-2.20110726 sec-policy/selinux-policykit-2.20110726 sec-policy/selinux-vmware-2.20110726 sec-policy/selinux-wine-2.20110726 sec-policy/selinux-wm-2.20110726 sec-policy/selinux-xfs-2.20110726 sec-policy/selinux-xserver-2.20110726-r2 Portage 2.1.10.49 (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.13-r4, 3.2.2-hardened-r1 x86_64) ================================================================= System uname: Linux-3.2.2-hardened-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-2.0.3 Timestamp of tree: Wed, 11 Apr 2012 05:30:01 +0000 app-shells/bash: 4.2_p20 dev-lang/python: 2.7.2-r3, 3.2.2 dev-util/cmake: 2.8.6-r4 dev-util/pkgconfig: 0.26 sys-apps/baselayout: 2.0.3 sys-apps/openrc: 0.9.8.4 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.11.1 sys-devel/binutils: 2.21.1-r1 sys-devel/gcc: 4.5.3-r2 sys-devel/gcc-config: 1.5-r2 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82-r1 sys-kernel/linux-headers: 3.1 (virtual/os-headers) sys-libs/glibc: 2.13-r4 Repositories: gentoo x-portage ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe -ggdb" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -O2 -pipe -ggdb" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="" GENTOO_MIRRORS="http://distfiles.gentoo.org" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X alsa amd64 berkdb bzip2 cli consolekit cracklib crypt cups cxx dbus dri gdbm gdu gudev hardened iconv icu jpeg justify libkms mmx modules mudflap multilib ncurses nls nptl nptlonly open_perms openmp pam pax_kernel pcre policykit pppd python readline selinux session sse sse2 ssl startup-notification sysfs tcpd thunar udev urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel vesa vmware" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Can you try creating the following module and see if that helps? """[localxserver.te] policy_module(localxserver, 1.0) require { type unconfined_t; role unconfined_r; } xserver_role(unconfined_r, unconfined_t) """ Build the module and load it: ~# make -f /usr/share/selinux/targeted/include/Makefile localxserver.pp ~# semodule -i localxserver.pp Now try again
(In reply to comment #1) > Can you try creating the following module and see if that helps? > xserver_role(unconfined_r, unconfined_t) That moves it forward, but to make the X server fully start I also needed to add this: allow iceauth_t user_home_t:file { getattr open read unlink write }; Now I'm not sure if the above rule is possibly too coarse. Here are AVC denials: [31403.855987] type=1400 audit(1334439468.232:55): avc: denied { write } for pid=3093 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file [31403.856018] type=1400 audit(1334439468.232:56): avc: denied { read } for pid=3093 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file [31734.933452] type=1400 audit(1334439799.310:76): avc: denied { open } for pid=3496 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file [31797.663281] type=1400 audit(1334439862.040:100): avc: denied { getattr } for pid=3689 comm="iceauth" path="/home/ph/.ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file [31797.663548] type=1400 audit(1334439862.040:101): avc: denied { unlink } for pid=3689 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file [31797.663573] type=1400 audit(1334439862.040:102): avc: denied { unlink } for pid=3689 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file Now ls shows a different context: # ls -lZ /home/ph/.ICEauthority -rw-------. 1 ph ph unconfined_u:object_r:iceauth_home_t 990 Apr 14 23:47 /home/ph/.ICEauthority I'm not sure yet what's happening, maybe that file didn't exist originally or had wrong context.
(In reply to comment #2) > Now ls shows a different context: > > # ls -lZ /home/ph/.ICEauthority > -rw-------. 1 ph ph unconfined_u:object_r:iceauth_home_t 990 Apr 14 23:47 > /home/ph/.ICEauthority > > I'm not sure yet what's happening, maybe that file didn't exist originally > or had wrong context. Now I think I get it. When ~/.ICEauthority doesn't exist, it gets wrong type when it's created (user_home_t instead of iceauth_home_t). I don't need "allow iceauth_t user_home_t:file { getattr open read unlink write };" rule when ~/.ICEauthority has correct context.
If it is iceauth_t that is creating the file, then we can create a policy that automatically sets the right context. I'll add in the role definition.
Will be included in -r8
In hardened-dev overlay
In main tree, ~arch'ed
Stabilized
