From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 14 Nov 2008 10:05:09 -0500
Subject: [refpolicy] range_transitions not working
Message-ID: <491D93A5.2080007@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Xavier Toth wrote:
> As part of my copy/paste policy development effort I've added the
> following rules to my selection managers policy:
>
> type $1_securecp_rootwindow_t;
> type_transition $1_securecp_t $2_rootwindow_t:x_drawable $1_securecp_rootwindow_t;
> range_transition $1_securecp_t $1_securecp_rootwindow_t:x_drawable s0 - s15:c0.c1023;
>
> However when the manager starts the first window created isn't ranged
> but the second one is, can anyone think of a reason why this would be?
>
> node=comms type=USER_AVC msg=audit(1226245445.138:213): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { create setattr } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.138:214): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { blend } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.140:215): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { set_property } for request=X11:ChangeProperty comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.140:216): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { receive } for comm=python scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:217): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { add_child } for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:218): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { create setattr } for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:219): user pid=3199 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { blend } for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>
> I also have:
>
> type $1_securecp_clipboard_xproperty_t;
> type_transition $1_securecp_t clipboard_xproperty_t:x_property $1_securecp_clipboard_xproperty_t;
> range_transition $1_securecp_t $1_securecp_clipboard_xproperty_t:x_property s0 - s15:c0.c1023;
>
> in policy but these properties don't get labeled with the range.
>
> node=comms type=USER_AVC msg=audit(1226249010.717:255): user pid=3198 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { write create } for request=X11:ChangeProperty comm=python property=GDK_SELECTION scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0 tclass=x_property : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
>
> Ted

I would guess this is a bug in the xserver? Ask Eamon?