2009-12-11 21:44:33

by Justin P. Mattock

Subject: [refpolicy] avc's generated causes the system to freeze up

I'm running X.Org X Server 1.7.99.2
not sure if this is fixed with the latest
but after building the latest refpolicy
and defining my allow rules, both
regularly, and with make enableaudit
I still get avc's being generated here and there,
but for some they seem to just spam Xorg.0.log
causing my system to freeze up.
here's an example:


(--) Synaptics Touchpad: touchpad found
(**) Option "SendCoreEvents" "true"
(**) Synaptics Touchpad: always reports core events
(II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
(**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
(**) Synaptics Touchpad: (accel) acceleration profile 0
(--) Synaptics Touchpad: touchpad found
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable
(WW) avc: denied { getattr } for request=X11:QueryPointer
comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
tclass=x_drawable


same avc's but just keeps generating.
is there an option for this like
printk_ratelimit?


--
Justin P. Mattock


2009-12-14 17:37:35

by Eamon Walsh

Subject: [refpolicy] avc's generated causes the system to freeze up

On 12/11/2009 04:44 PM, Justin Mattock wrote:
> I'm running X.Org X Server 1.7.99.2
> not sure if this is fixed with the latest
> but after building the latest refpolicy
> and defining my allow rules, both
> regularly, and with make enableaudit
> I still get avc's being generated here and there,
> but for some they seem to just spam Xorg.0.log
> causing my system to freeze up.
> here's an example:
>


If the denials are not causing a problem other than log spam, just use a
dontaudit rule to silence them.



>
> (--) Synaptics Touchpad: touchpad found
> (**) Option "SendCoreEvents" "true"
> (**) Synaptics Touchpad: always reports core events
> (II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
> (**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
> (**) Synaptics Touchpad: (accel) acceleration profile 0
> (--) Synaptics Touchpad: touchpad found
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
> (WW) avc: denied { getattr } for request=X11:QueryPointer
> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
> tclass=x_drawable
>
>
> same avc's but just keeps generating.
> is there an option for this like
> printk_ratelimit?
>
>
>


--

Eamon Walsh
National Security Agency
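
Triage for the dontaudit approach suggested above, as an added example that is not part of the original thread: it unwraps the X server's multi-line AVC records, counts each distinct denial, and emits candidate dontaudit rules for review. The sample log is constructed from the excerpt quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: one AVC record in the wrapped form shown in the thread.
AVC_RECORD = (
    "(WW) avc: denied { getattr } for request=X11:QueryPointer\n"
    "comm=/usr/bin/pidgin resid=10001fc restype=WINDOW\n"
    "scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t\n"
    "tclass=x_drawable\n"
)
SAMPLE_LOG = "(--) Synaptics Touchpad: touchpad found\n" + AVC_RECORD * 3

PREFIX = re.compile(r"^\(..\) ")  # Xorg.0.log message-type marker, e.g. "(WW) "
DENIAL = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def unwrap(text):
    """Join continuation lines onto the marker line that started the record."""
    records = []
    for line in text.splitlines():
        if PREFIX.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def count_denials(text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in unwrap(text):
        m = DENIAL.search(rec)
        if not m:
            continue
        s_parts, t_parts = m["s"].split(":"), m["t"].split(":")
        if len(s_parts) < 3 or len(t_parts) < 3:
            continue  # malformed context (expected user:role:type[:level])
        for perm in m["perms"].split():
            counts[(s_parts[2], t_parts[2], m["cls"], perm)] += 1
    return counts

def dontaudit_rules(counts):
    """One candidate rule per (source, target, class), permissions merged."""
    grouped = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for key, n in count_denials(SAMPLE_LOG).most_common():
        print(n, key)
    print("\n".join(dontaudit_rules(count_denials(SAMPLE_LOG))))
```

A dontaudit rule only suppresses the log message; the access itself is still denied, so check the counts and the affected types before loading any rule.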

2009-12-14 18:39:04

by Justin P. Mattock

Subject: [refpolicy] avc's generated causes the system to freeze up

On 12/14/09 09:37, Eamon Walsh wrote:
> On 12/11/2009 04:44 PM, Justin Mattock wrote:
>> I'm running X.Org X Server 1.7.99.2
>> not sure if this is fixed with the latest
>> but after building the latest refpolicy
>> and defining my allow rules, both
>> regularly, and with make enableaudit
>> I still get avc's being generated here and there,
>> but for some they seem to just spam Xorg.0.log
>> causing my system to freeze up.
>> here's an example:
>>
>
>
> If the denials are not causing a problem other than log spam, just use a
> dontaudit rule to silence them.
>
>

ahh.. didn't even think of that.

as for xace and everything, pretty good.
I'll just dontaudit (like you had mentioned)
those few avc denials that find themselves
showing up long after making the policy
and putting her into enforcing mode.

Justin P. Mattock

2009-12-14 18:39:49

by Xavier Toth

Subject: [refpolicy] avc's generated causes the system to freeze up

On Mon, Dec 14, 2009 at 11:37 AM, Eamon Walsh wrote:
> On 12/11/2009 04:44 PM, Justin Mattock wrote:
>> I'm running X.Org X Server 1.7.99.2
>> not sure if this is fixed with the latest
>> but after building the latest refpolicy
>> and defining my allow rules, both
>> regularly, and with make enableaudit
>> I still get avc's being generated here and there,
>> but for some they seem to just spam Xorg.0.log
>> causing my system to freeze up.
>> here's an example:
>>
>
>
> If the denials are not causing a problem other than log spam, just use a
> dontaudit rule to silence them.
>
>
>
>>
>> (--) Synaptics Touchpad: touchpad found
>> (**) Option "SendCoreEvents" "true"
>> (**) Synaptics Touchpad: always reports core events
>> (II) XINPUT: Adding extended input device "Synaptics Touchpad" (type: TOUCHPAD)
>> (**) Synaptics Touchpad: (accel) keeping acceleration scheme 1
>> (**) Synaptics Touchpad: (accel) acceleration profile 0
>> (--) Synaptics Touchpad: touchpad found
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>> (WW) avc: denied { getattr } for request=X11:QueryPointer
>> comm=/usr/bin/pidgin resid=10001fc restype=WINDOW
>> scontext=justin:user_r:user_t tcontext=justin:object_r:mplayer_t
>> tclass=x_drawable
>>
>>
>> same avc's but just keeps generating.
>> is there an option for this like
>> printk_ratelimit?
>>
>>
>>
>
>
> --
>
> Eamon Walsh
> National Security Agency
>
>
>

Sounds to me like Justin needs the QueryPointer spoofing code.

Ted

2009-12-14 19:13:54

by Justin P. Mattock

Subject: [refpolicy] avc's generated causes the system to freeze up


> Sounds to me like Justin needs the QueryPointer spoofing code.
>
> Ted
>

I cut the thread to clean it up a bit.

As for QueryPointer, not sure exactly
what that is. A quick Google showed
something about root window or something
(similar to the avc's I've been seeing).

In any case what I'm doing here is I have one machine
set up with monolithic, and then another machine will
be a binary policy (just need to set up semanage user *)

Then if I get any of these left over avc's I'll
put them under dontaudit and basically forget
about them.

Looking at the git log there was some new stuff committed
towards the xserver, so within the next few days I might
as well pull all the xserver stuff, then go from there.

Justin P. Mattock