From: txtoth@gmail.com (Xavier Toth)
Date: Thu, 13 Nov 2008 08:25:32 -0600
Subject: [refpolicy] range_transitions not working
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

As part of my copy/paste policy development effort I've added the following rules to my selection manager's policy:

type $1_securecp_rootwindow_t;
type_transition $1_securecp_t $2_rootwindow_t:x_drawable $1_securecp_rootwindow_t;
range_transition $1_securecp_t $1_securecp_rootwindow_t:x_drawable s0 - s15:c0.c1023;

However, when the manager starts, the first window created isn't ranged but the second one is. Can anyone think of a reason why this would be?

node=comms type=USER_AVC msg=audit(1226245445.138:213): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { create setattr } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.138:214): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { blend } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.140:215): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { set_property } for request=X11:ChangeProperty comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.140:216): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { receive } for comm=python scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:217): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { add_child } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:218): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { create setattr } for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
node=comms type=USER_AVC msg=audit(1226245445.142:219): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { blend } for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'

I also have:

type $1_securecp_clipboard_xproperty_t;
type_transition $1_securecp_t clipboard_xproperty_t:x_property $1_securecp_clipboard_xproperty_t;
range_transition $1_securecp_t $1_securecp_clipboard_xproperty_t:x_property s0 - s15:c0.c1023;

in policy but these properties don't get labeled with the range.

node=comms type=USER_AVC msg=audit(1226249010.717:255): user pid=3198 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { write create } for request=X11:ChangeProperty comm=python property=GDK_SELECTION scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0 tclass=x_property : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'

Ted
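
Added example, not part of the original post or of refpolicy: a small parser for USER_AVC records like those above that lists which X objects were labeled without the range the range_transition rules request. The names `parse_avc`, `unranged_targets` and `EXPECTED_RANGE` are hypothetical, and the sample records are constructed, shortened from the shape of the ones in the post.

```python
import re

# Range the post's range_transition rules request, as audit records print it.
EXPECTED_RANGE = "s0-s15:c0.c1023"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
OBJ_RE = re.compile(r"\b(?:resid|property)=\S+")  # X resource id or property name

# Constructed sample: three records shortened from the shape of those in the post.
SAMPLE = """\
type=USER_AVC msg='avc: denied { create setattr } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg"'
type=USER_AVC msg='avc: denied { blend } for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg"'
type=USER_AVC msg='avc: denied { write create } for request=X11:ChangeProperty comm=python property=GDK_SELECTION scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0 tclass=x_property : exe="/usr/bin/Xorg"'
""".splitlines()


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": mls}


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    obj = OBJ_RE.search(line)  # absent on records without resid/property
    return {
        "perms": m["perms"].split(),
        "object": obj.group(0) if obj else None,
        "tclass": m["tclass"],
        "source": split_context(m["scontext"]),
        "target": split_context(m["tcontext"]),
    }


def unranged_targets(lines, expected=EXPECTED_RANGE):
    """Sorted (tclass, type, object, range) for targets lacking the expected range."""
    recs = filter(None, map(parse_avc, lines))
    hits = {(r["tclass"], r["target"]["type"], r["object"], r["target"]["range"])
            for r in recs if r["target"]["range"] != expected}
    return sorted(hits, key=lambda h: tuple(str(x) for x in h))
```

Feeding it the full audit log (one record per line) groups the denials by object, so the first window (resid=2800001) and the GDK_SELECTION property stand out as the ones still at s0.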