Bug 391187

Summary: x11-base/xorg-server-1.11.2-r1: add new USE flags: selinux
Product: Gentoo Linux
Reporter: iGentoo <AlphatPC>
Component: Hardened
Assignee: SE Linux Bugs <selinux>
Status: RESOLVED WONTFIX
Severity: enhancement
CC: x11
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://pkgs.fedoraproject.org/gitweb/?p=xorg-x11-server.git;a=blob;f=xorg-x11-server.spec
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: xorg-server-1.11.2-r1.ebuild.diff

Description iGentoo 2011-11-21 04:21:55 UTC
--enable-xselinux       Build SELinux extension

Platform: amd64 x86

Reproducible: Always
Comment 1 iGentoo 2011-11-21 04:23:19 UTC
Created attachment 293261: xorg-server-1.11.2-r1.ebuild.diff
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-26 13:19:12 UTC
What happens when this is enabled? It looks like it triggers the SELinux extensions for xorg, have you tested these? I'm personally more in favor of using a new USE flag for selinux extensions (xselinux or so) so that other applications that use such extensions (like Postgresql for the SEPostgresql server) can switch this as well.
Comment 3 iGentoo 2012-01-10 04:22:35 UTC
xorg-server[ --enable-xselinux --enable-record ] + nouveau
We could audit some application which requires xorg at runtime via /var/log/Xorg.0.log:
cat /var/log/Xorg.*.log* | audit2allow
...
selinux policy rules
...

xorg-server[ --enable-xselinux --enable-record ] + nvidia
cat /var/log/Xorg.*.log* | audit2allow
empty...
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-05 18:40:40 UTC
Just had a nice read on it. The XSELinux support is to introduce additional SELinux support in Xorg, but for Xorg-specific calls and objects. The article I read also stipulated that it doesn't "just work" for all cases and that the (reference) policy needs some updates as well.

I suggest to let this rest for a while, possibly hitting it with USE="xselinux" (which enables SELinux extension support) which we can also introduce for Postgresql then (and other applications that introduce additional security classes and privileges for their inner working).
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 11:48:17 UTC
I'm going to mark this as WONTFIX for now, primarily because I don't have the resources to properly test and support this. If a developer wants to take this up, I'll gladly reopen.