gnome login broken.... "null" avcs...
Stephen Smalley
sds at tycho.nsa.gov
Thu Feb 28 21:43:04 UTC 2008
On Thu, 2008-02-28 at 13:38 -0800, Tom London wrote:
> On Thu, Feb 28, 2008 at 12:21 PM, Eamon Walsh <ewalsh at tycho.nsa.gov> wrote:
> > Tom London wrote:
> > > On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > >
> > >>
> > >> Tom London wrote:
> > >> > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux at gmail.com> wrote:
> > >> >> After applying today's selinux-policy* packages, gnome/gdm login
> > >> >> fails: gdmgreeter runs, but X quickly dies after entering the password and
> > >> >> you're back to the greeter.
> > >> >>
> > >> >> Booting up in permissive lets me log in.
> > >> >>
> > >> >> Here are the borkages:
> > >> >>
> > >> >>
> > >> >> #============= mono_t ==============
> > >> >> allow mono_t xdm_xserver_t:x_device read;
> > >> >>
> > >> >> #============= unconfined_execmem_t ==============
> > >> >> allow unconfined_execmem_t xdm_xserver_t:x_device read;
> > >> >>
> > >> >> #============= unconfined_t ==============
> > >> >> allow unconfined_t mono_t:x_resource write;
> > >> >> allow unconfined_t unconfined_execmem_t:x_resource { write read };
> > >> >> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
> > >> >> [root at localhost ~]#
> > >> >>
> >
> > The "null" avc's are fixed in the upstream X server. This is a bad
> > security hook call in the GLX code and affects GLX programs such as compiz.
> >
> > The unlabeled AVC is the result of a mislabeled program?
> >
> >
> >
> > --
> > Eamon Walsh <ewalsh at tycho.nsa.gov>
> > National Security Agency
> >
> >
> I've backed up policy to previous version, and checking for unlabeled
> programs indicates nothing amiss.
>
> No programs were relabeled on install of policy; something else I should check?
grep 'invalidating context' /var/log/messages
--
Stephen Smalley
National Security Agency