SELinux stops new X11?

Mike A. Harris mharris at www.linux.org.uk
Sat Aug 21 07:07:09 UTC 2004


Stephen Smalley wrote:
> On Thu, 2004-08-19 at 19:10, Richard Hally wrote:
> 
>>The new xorg-X11(6.7.99.902-1) will not start with the current strict 
>>SELinux policy(1.15.16-1) in enforcing mode. (xorg-x11-*6.7.0-7.2 works 
>>just fine). I have not tried permissive mode.
>>It looks like something has changed in X11 that has to do with the 
>>fonts and the SE policy has not been updated to handle it but that is 
>>just speculation.
> 
> 
> I applied the patch below to my /etc/init.d/xfs to fix.  This patch
> restores the type on /tmp/.font-unix when it is re-created by
> /etc/init.d/xfs.  I assume that previously xfs was directly creating the
> directory itself, so that the file_type_auto_trans rule for xfs_t was
> sufficient to label it, but since it is now being created by the init
> script, it is getting a different type.
> 
> --- /etc/init.d/xfs.old	2004-08-18 14:45:54.000000000 -0400
> +++ /etc/init.d/xfs	2004-08-20 07:16:01.539914488 -0400
> @@ -78,6 +78,7 @@
>     mkdir $FONT_UNIX_DIR
>     chown root:root $FONT_UNIX_DIR
>     chmod 1777 $FONT_UNIX_DIR
> +   restorecon $FONT_UNIX_DIR
>  
>     daemon xfs -droppriv -daemon
>     ret=$?
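Review bot: the added `restorecon $FONT_UNIX_DIR` runs unconditionally after `mkdir $FONT_UNIX_DIR`, and nothing in the visible context checks that mkdir actually created the directory, so when the path already exists (the /tmp race discussed in this thread) chown, chmod 1777 and now restorecon are all applied to whatever is already there; consider failing out if mkdir fails rather than relabeling a directory the script did not create. Two smaller points: restorecon only changes anything when the loaded policy's file_contexts has an entry for this path, otherwise it is a no-op and the directory keeps the type it got at creation, so the fix silently depends on a policy entry the hunk does not show; and the script will now emit an error on a system without policycoreutils installed, so a guard such as `[ -x /sbin/restorecon ] && restorecon "$FONT_UNIX_DIR"` (with the variable quoted) would be safer.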

IIRC, the X server itself and/or xfs can create this directory also, in 
which case the directory would still have SELinux problems.

I'm not sure what the best solution is for that though.

All of the X related temporary directories have some very long standing 
race condition issues, which are being tracked in X.org bugzilla, and 
there are some suggested solutions, but nothing has been implemented yet 
to solve all of them in a clean way.  The ugly code in the xfs 
initscript is just an ugly hack to try to work around the problem for 
now until the real solution comes later.

Can you please file this in RH bugzilla if it isn't already, and I'll 
discuss with our security folks.

Thanks.
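The thread turns on whether /tmp/.font-unix ends up with the type the policy intends, which depends on which domain created it and whether a later restorecon ran. The script below is an added example and is not code from this thread or from the Fedora xfs init script: it asks the loaded policy what the directory's type should be (matchpathcon), compares it with the type the directory actually carries (stat -c %C, a GNU coreutils option), and only then relabels. It assumes matchpathcon(1) and restorecon(8) from policycoreutils are installed; the context strings and the xfs_tmp_t type name used in the examples are constructed for illustration, not taken from the 2004 policy.

```shell
#!/bin/sh
# Added example, not part of the thread or of the xfs init script.
# Checks whether a directory's SELinux *type* matches what the loaded
# policy's file_contexts say it should be, and relabels only on mismatch.
# Assumes: matchpathcon(1) and restorecon(8) from policycoreutils, and a
# GNU stat(1) that understands %C.  Type names such as xfs_tmp_t used
# when calling these functions are constructed examples.

# ctx_type CONTEXT: print the type field of a user:role:type[:range] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# type_mismatch ACTUAL EXPECTED: succeed (0) when the type fields differ.
# Only the type is compared: restorecon without -F leaves the user, role
# and range alone, so comparing whole contexts would flag spurious
# mismatches on directories that are in fact labeled correctly.
type_mismatch() {
    [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]
}

# check_dir DIR: print "ok", "relabeled" or "unknown"; return 0, 0 or 2.
# Run this after the daemon has started, not only after the init script's
# own mkdir: if xfs or the X server recreates the directory itself, a
# restorecon issued before the daemon starts never sees that copy, and the
# label then comes from the type-transition rule for the creating domain.
check_dir() {
    dir=$1
    if ! command -v matchpathcon >/dev/null 2>&1 || [ ! -d "$dir" ]; then
        echo unknown
        return 2
    fi
    actual=$(stat -c %C "$dir" 2>/dev/null)
    # matchpathcon prints "PATH<TAB>CONTEXT"; the context is the last field.
    # For a path with no file_contexts entry it prints "<<none>>", and
    # restorecon would be a no-op, so report that instead of claiming "ok".
    expected=$(matchpathcon "$dir" | awk '{print $NF}')
    case $expected in
        ''|'<<none>>') echo unknown; return 2 ;;
    esac
    if type_mismatch "$actual" "$expected"; then
        restorecon "$dir" || return 1
        echo relabeled
    else
        echo ok
    fi
}

# Usage: ./check-font-dir.sh /tmp/.font-unix   (run after xfs is up)
if [ $# -gt 0 ]; then
    check_dir "$1"
fi
```

Reporting "unknown" for a path without a file_contexts entry is deliberate: that is exactly the case where the init-script restorecon in the quoted patch does nothing, and a check that printed "ok" there would hide the problem the thread is about.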





More information about the fedora-test-list mailing list