-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Tom London wrote:
On Thu, Feb 28, 2008 at 1:43 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh ewalsh@tycho.nsa.gov wrote:
Tom London wrote:
On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Tom London wrote:
> On Thu, Feb 28, 2008 at 7:41 AM, Tom London selinux@gmail.com wrote:
>> After applying today's selinux-policy* packages, gnome/gdm login
>> fails: gdmgreeter runs, but X quickly dies after enter password and
>> you're back to the greeter.
>>
>> Booting up in permissive lets me log in.
>>
>> Here are the borkages:
>>
>>
>> #============= mono_t ==============
>> allow mono_t xdm_xserver_t:x_device read;
>>
>> #============= unconfined_execmem_t ==============
>> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>>
>> #============= unconfined_t ==============
>> allow unconfined_t mono_t:x_resource write;
>> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>> [root@localhost ~]#
>>
The "null" avc's are fixed in the upstream X server. This is a bad security hook call in the GLX code and affects GLX programs such as compiz.
The unlabeled AVC is the result of a mislabeled program?
-- Eamon Walsh ewalsh@tycho.nsa.gov National Security Agency
I've backed up policy to previous version, and checking for unlabeled programs indicates nothing amiss.
No programs were relabeled on install of policy; something else I should check?
grep 'invalidating context' /var/log/messages
-- Stephen Smalley National Security Agency
[root@localhost ~]# grep 'invalidating context' /var/log/messages
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Ok I removed the transition from unconfined_t to samba_net_t, and replaced it with samba_unconfined_net_t. But this removed the unconfined_r designation causing this.
Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
Feb 28 07:46:11 localhost kernel: security: invalidating context system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
I have been working on switching apache scripts but not sure why this invalidated.
[root@localhost ~]#
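The `grep 'invalidating context' /var/log/messages` check that Stephen suggests prints one kernel message for every security context that the freshly loaded policy no longer considers valid (for example because a role is no longer authorized for a type, as with `unconfined_r` and `samba_net_t` above). The following is an added example, not code from this thread or from the SELinux project: a small Python parser that pulls those messages out of a syslog excerpt, splits each context into user, role, type and MLS range, and groups the user/role pairs by type so an administrator can see at a glance which combinations the new policy rejected. The sample input is constructed from the log lines quoted in the thread plus one unrelated `avc:` line to show that non-matching messages are ignored.

```python
import re
from collections import defaultdict

# Constructed sample input: the "invalidating context" lines quoted in the
# thread above, plus one unrelated kernel audit line that must be skipped.
SAMPLE_LOG = """\
Feb 27 07:13:31 localhost kernel: security: invalidating context unconfined_u:unconfined_r:samba_net_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context system_u:system_r:httpd_unconfined_script_t:s0-s0:c0.c1023
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_unconfined_script_t:s0
Feb 28 06:47:08 localhost kernel: security: invalidating context unconfined_u:unconfined_r:httpd_unconfined_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0
Feb 28 07:46:11 localhost kernel: security: invalidating context unconfined_u:system_r:httpd_user_script_t:s0-s0:c0.c255
Feb 28 07:46:11 localhost kernel: security: invalidating context system_u:system_r:httpd_user_script_t:s0-s0:c0.c1023
Feb 28 07:50:00 localhost kernel: type=1400 audit(1204213800.123:45): avc:  denied  { read } for  pid=4242 comm="example"
"""

# Syslog prefix (month, day, time, host) followed by the kernel's fixed message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: security: invalidating context (?P<ctx>\S+)$"
)


def parse_context(ctx):
    """Split a SELinux context string into its fields.

    The MLS/MCS range (e.g. 's0-s0:c0.c1023') may itself contain ':', so the
    string is split at most three times: user, role, type, and the remainder
    is the range (absent on a non-MLS policy).
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a user:role:type[:range] context: %r" % ctx)
    user, role, type_ = parts[:3]
    mls_range = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "range": mls_range}


def invalidated_contexts(log_text):
    """Return a list of parsed contexts, one per 'invalidating context' message."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an invalidation message (e.g. an avc: denial)
        ctx = parse_context(m.group("ctx"))
        ctx["timestamp"] = m.group("ts")
        found.append(ctx)
    return found


def summarize_by_type(contexts):
    """Map each type to the sorted set of (user, role) pairs that were invalidated for it.

    A type that appears only with one role (as samba_net_t does with
    unconfined_r above) points at a role/type authorization that the new
    policy dropped; the range is deliberately ignored here because it does
    not decide validity in these examples.
    """
    by_type = defaultdict(set)
    for c in contexts:
        by_type[c["type"]].add((c["user"], c["role"]))
    return {t: sorted(pairs) for t, pairs in by_type.items()}


if __name__ == "__main__":
    for type_, pairs in sorted(summarize_by_type(invalidated_contexts(SAMPLE_LOG)).items()):
        print(type_)
        for user, role in pairs:
            print("    %s:%s" % (user, role))
```

On a real system the same functions can be fed the output of the grep command from the thread (or the whole of `/var/log/messages`); only lines carrying the kernel's "security: invalidating context" text are considered, so audit denials and other kernel output are ignored.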