gnome login broken.... "null" avcs...

Tom London selinux at gmail.com
Thu Feb 28 21:38:27 UTC 2008


On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh <ewalsh at tycho.nsa.gov> wrote:
> Tom London wrote:
>  > On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  >
>  >> -----BEGIN PGP SIGNED MESSAGE-----
>  >>  Hash: SHA1
>  >>
>  >>
>  >>
>  >>  Tom London wrote:
>  >>  > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux at gmail.com> wrote:
>  >>  >> After applying today's selinux-policy* packages, gnome/gdm login
>  >>  >>  fails: gdmgreeter runs, but X quickly dies after entering password and
>  >>  >>  you're back to the greeter.
>  >>  >>
>  >>  >>  Booting up in permissive lets me log in.
>  >>  >>
>  >>  >>  Here are the borkages:
>  >>  >>
>  >>  >>
>  >>  >>  #============= mono_t ==============
>  >>  >>  allow mono_t xdm_xserver_t:x_device read;
>  >>  >>
>  >>  >>  #============= unconfined_execmem_t ==============
>  >>  >>  allow unconfined_execmem_t xdm_xserver_t:x_device read;
>  >>  >>
>  >>  >>  #============= unconfined_t ==============
>  >>  >>  allow unconfined_t mono_t:x_resource write;
>  >>  >>  allow unconfined_t unconfined_execmem_t:x_resource { write read };
>  >>  >>  allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>  >>  >>  [root at localhost ~]#
>  >>  >>
>
>  The "null" avc's are fixed in the upstream X server.  This is a bad
>  security hook call in the GLX code and affects GLX programs such as compiz.
>
>  The unlabeled AVC is the result of a mislabeled program?
>
>
>
>  --
>  Eamon Walsh <ewalsh at tycho.nsa.gov>
>  National Security Agency
>
>
I've backed up policy to previous version, and checking for unlabeled
programs indicates nothing amiss.

No programs were relabeled on install of policy; something else I should check?

tom
-- 
Tom London




More information about the fedora-selinux-list mailing list