Summary: | SELinux targeted, enforcing: cannot start X server, invalid context | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | VERIFIED FIXED | | |
Severity: | normal | CC: | selinux |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | sec-policy r8 | | |
Package list: | | Runtime testing required: | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2012-04-14 11:15:23 UTC
Can you try creating the following module and see if that helps?

"""[localxserver.te]
policy_module(localxserver, 1.0)

require {
  type unconfined_t;
  role unconfined_r;
}

xserver_role(unconfined_r, unconfined_t)
"""

Build the module and load it:

~# make -f /usr/share/selinux/targeted/include/Makefile localxserver.pp
~# semodule -i localxserver.pp

Now try again.

(In reply to comment #1)
> Can you try creating the following module and see if that helps?
> xserver_role(unconfined_r, unconfined_t)

That moves it forward, but to make the X server fully start I also needed to add this:

allow iceauth_t user_home_t:file { getattr open read unlink write };

Now I'm not sure if the above rule is possibly too coarse. Here are the AVC denials:

[31403.855987] type=1400 audit(1334439468.232:55): avc: denied { write } for pid=3093 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
[31403.856018] type=1400 audit(1334439468.232:56): avc: denied { read } for pid=3093 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
[31734.933452] type=1400 audit(1334439799.310:76): avc: denied { open } for pid=3496 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
[31797.663281] type=1400 audit(1334439862.040:100): avc: denied { getattr } for pid=3689 comm="iceauth" path="/home/ph/.ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
[31797.663548] type=1400 audit(1334439862.040:101): avc: denied { unlink } for pid=3689 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
[31797.663573] type=1400 audit(1334439862.040:102): avc: denied { unlink } for pid=3689 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file

Now ls shows a different context:

# ls -lZ /home/ph/.ICEauthority
-rw-------. 1 ph ph unconfined_u:object_r:iceauth_home_t 990 Apr 14 23:47 /home/ph/.ICEauthority

I'm not sure yet what's happening; maybe that file didn't exist originally or had the wrong context.

(In reply to comment #2)
> Now ls shows a different context:
>
> # ls -lZ /home/ph/.ICEauthority
> -rw-------. 1 ph ph unconfined_u:object_r:iceauth_home_t 990 Apr 14 23:47
> /home/ph/.ICEauthority
>
> I'm not sure yet what's happening, maybe that file didn't exist originally
> or had wrong context.

Now I think I get it. When ~/.ICEauthority doesn't exist, it gets the wrong type when it's created (user_home_t instead of iceauth_home_t). I don't need the "allow iceauth_t user_home_t:file { getattr open read unlink write };" rule when ~/.ICEauthority has the correct context.

If it is iceauth_t that is creating the file, then we can create a policy that automatically sets the right context. I'll add it in the role definition.

Will be included in -r8

In hardened-dev overlay

In main tree, ~arch'ed

Stabilized
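The triage the thread walks through, as an added example that is not part of the bug report or of Gentoo's policy: it parses the AVC lines quoted above (embedded here as constructed sample input), aggregates them into the single allow rule that audit2allow would propose (the same coarse rule the reporter wrote), and then flags what the thread eventually diagnosed: a domain being denied on a file that carries the generic user_home_t label but whose name the policy reserves a private type for, which calls for a file transition on creation rather than an allow rule on user_home_t. The table of private file names, the user_home_dir_t parent type and the set of generic home types are assumptions of the example, not read from any policy.

```python
"""audit2allow-style triage of AVC denials, with a check for missing file transitions.

Added example; not part of the bug report or of Gentoo's SELinux policy.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the thread, one per line.
SAMPLE_AVC = """\
type=1400 audit(1334439468.232:55): avc: denied { write } for pid=3093 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
type=1400 audit(1334439468.232:56): avc: denied { read } for pid=3093 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
type=1400 audit(1334439799.310:76): avc: denied { open } for pid=3496 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
type=1400 audit(1334439862.040:100): avc: denied { getattr } for pid=3689 comm="iceauth" path="/home/ph/.ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
type=1400 audit(1334439862.040:101): avc: denied { unlink } for pid=3689 comm="iceauth" name=".ICEauthority" dev="sda1" ino=522465 scontext=unconfined_u:unconfined_r:iceauth_t tcontext=unconfined_u:object_r:user_home_t tclass=file
"""

# Assumptions for the example: files a domain owns privately under $HOME, keyed by
# (domain, basename). The thread shows iceauth's file should be iceauth_home_t.
PRIVATE_HOME_FILES = {("iceauth_t", ".ICEauthority"): "iceauth_home_t"}
GENERIC_HOME_TYPES = {"user_home_t"}   # labels that mean "ordinary user content"
HOME_DIR_TYPE = "user_home_dir_t"      # assumed label of $HOME itself (refpolicy name)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def ctx_type(ctx):
    """The type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def basename_of(rec):
    """AVC records carry either name= (a basename) or path= (a full path)."""
    if "name" in rec:
        return rec["name"]
    return rec["path"].rsplit("/", 1)[-1]


def allow_rules(records):
    """Aggregate denials into allow rules, one per (source type, target type, class)."""
    agg = defaultdict(set)
    for r in records:
        agg[(ctx_type(r["scontext"]), ctx_type(r["tcontext"]), r["tclass"])] |= r["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(agg.items())]


def missing_transitions(records):
    """Find denials that point at a mislabeled file rather than a missing permission.

    A domain denied on a file that has a generic home label, under a basename the
    policy reserves a private type for, means the file was created without a type
    transition. The fix is a (named) type_transition so new files get the private
    label, plus relabeling the existing file, not a broad allow on user_home_t.
    """
    found = {}
    for r in records:
        if r["tclass"] != "file" or ctx_type(r["tcontext"]) not in GENERIC_HOME_TYPES:
            continue
        key = (ctx_type(r["scontext"]), basename_of(r))
        if key in PRIVATE_HOME_FILES:
            found[key] = PRIVATE_HOME_FILES[key]
    return [f'type_transition {dom} {HOME_DIR_TYPE}:file {priv} "{name}";'
            for (dom, name), priv in sorted(found.items())]


def triage(text):
    """Parse a log excerpt and return both the coarse rule and the better fix."""
    records = [r for r in (parse_avc(line) for line in text.splitlines()) if r]
    return {"allow": allow_rules(records), "filetrans": missing_transitions(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_AVC)
    print("# what audit2allow would propose (too coarse here):")
    print("\n".join(result["allow"]))
    print("# what the denials actually indicate is missing:")
    print("\n".join(result["filetrans"]))
```

The named form of type_transition (the quoted basename as fifth argument) needs a kernel and policy store that support named file transitions, and a module that uses it must `require` the types it references; refpolicy wraps the same statement in its userdom_user_home_dir_filetrans interface. Loading the transition only affects files created afterwards, so an ~/.ICEauthority that was already created as user_home_t still has to be relabeled (for example with restorecon) before the allow rule can be dropped.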