Any clue what is going on with this AVC? This is a local variant of selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not generate this AVC. It is fatal to the apps that experience it. New in F10.
joe
node=fast type=USER_AVC msg=audit(1231388602.219:4379667): user pid=3917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { write } for request=RANDR:SelectInput comm=/usr/lib64/firefox-3.0.5/firefox resid=78 restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511 tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=fast type=USER_AVC msg=audit(1231388632.992:4379857): user pid=3917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { write } for request=RANDR:SelectInput comm=/usr/bin/gnome-terminal resid=78 restype=WINDOW scontext=user_u:user_r:user_t:s4:c0,c2,c11,c200.c511 tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
On Jan 7, 2009, at 10:34 PM, Joe Nall wrote:
Any clue what is going on with this AVC? This is a local variant of selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not generate this AVC. It is fatal to the apps that experience it. New in F10.
Follow up: I can get around this by disabling RANDR and XINERAMA
joe
Did you make Fedora 10 enforcing in MLS policy? Didn't you encounter the X windows problem like previous releases of Fedora (i.e. Fedora 9 or earlier)?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Jan 10, 2009, at 5:36 AM, zoroufi wrote:
Did you make Fedora 10 enforcing in MLS policy?
Yes, with a modified policy and using openbox instead of gnome.
joe
-- View this message in context: http://www.nabble.com/New-F10-X-AVC-tp21345740p21387191.html Sent from the Fedora SELinux List mailing list archive at Nabble.com.
Would you please state in detail which modification and why the openbox instead of gnome? I'm in trouble with this and trying to overcome this problem. Thanks again for your carefulness
On Jan 10, 2009, at 1:56 PM, zoroufi wrote:
Would you please state in detail which modification
When time permits. This is an easy request to make and a harder one to fulfill.
and why the openbox instead of gnome?
Because dbus/gnome interaction hasn't a clue about MLS. We had to simplify things to get something to work.
joe
selinux@lists.fedoraproject.org
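Added example, not part of the original thread: a small Python parser for the two USER_AVC records quoted in the first message. It extracts the X request, client, permission and class, and expands the MLS levels so the client's level can be compared with the root window's range. It reports facts about the records only and does not determine which policy rule or MLS constraint produced the denial; all function names are this example's own.

```python
import re

# Constructed from the two records in the thread (e-mail wrap spaces in the
# comm= paths removed); the fields that differ are filled into one template.
TEMPLATE = ("node=fast type=USER_AVC msg=audit({}): user pid=3917 uid=0 "
            "auid=4294967295 ses=4294967295 "
            "subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied "
            "{{ write }} for request=RANDR:SelectInput comm={} resid=78 "
            "restype=WINDOW scontext=user_u:user_r:user_t:{} "
            "tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 "
            "tclass=x_drawable : exe=\"/usr/bin/Xorg\" "
            "(sauid=0, hostname=?, addr=?, terminal=?)'")
SAMPLE = "\n".join([
    TEMPLATE.format("1231388602.219:4379667", "/usr/lib64/firefox-3.0.5/firefox", "s6:c0.c511"),
    TEMPLATE.format("1231388632.992:4379857", "/usr/bin/gnome-terminal", "s4:c0,c2,c11,c200.c511"),
])
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)\s+:\s+exe=", re.S)

def parse_level(level):
    """'s4:c0,c2,c200.c511' -> (4, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c511' is an inclusive run
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(out)

def parse_range(context):
    """user:role:type:low[-high] -> (low, high) as parsed levels."""
    low, _, high = context.split(":", 3)[3].partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """True if level a has sensitivity >= b and a superset of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def summarize(text):
    rows = []
    for perms, body in AVC_RE.findall(text):
        f = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        src, _ = parse_range(f["scontext"])
        t_low, t_high = parse_range(f["tcontext"])
        rows.append({"comm": f["comm"], "request": f["request"],
                     "tclass": f["tclass"], "perms": perms.split(),
                     "src_level": src, "tgt_range": (t_low, t_high),
                     "src_within_tgt": dominates(t_high, src) and dominates(src, t_low)})
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["comm"], r["request"], r["perms"], "s%d" % r["src_level"][0],
              "%d categories" % len(r["src_level"][1]), "within target range:", r["src_within_tgt"])
```

Both clients sit at a single level strictly inside the root window's s0-s15:c0.c1023 range, and both denials are for the same RANDR:SelectInput request on the same x_drawable.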