gnome login broken.... "null" avcs...
Eamon Walsh
ewalsh at tycho.nsa.gov
Thu Feb 28 20:21:10 UTC 2008
Tom London wrote:
> On Thu, Feb 28, 2008 at 10:06 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> Tom London wrote:
>> > On Thu, Feb 28, 2008 at 7:41 AM, Tom London <selinux at gmail.com> wrote:
>> >> After applying today's selinux-policy* packages, gnome/gdm login
>> >> fails: gdmgreeter runs, but X quickly dies after entering the password and
>> >> you're back to the greeter.
>> >>
>> >> Booting up in permissive lets me log in.
>> >>
>> >> Here are the borkages:
>> >>
>> >>
>> >> #============= mono_t ==============
>> >> allow mono_t xdm_xserver_t:x_device read;
>> >>
>> >> #============= unconfined_execmem_t ==============
>> >> allow unconfined_execmem_t xdm_xserver_t:x_device read;
>> >>
>> >> #============= unconfined_t ==============
>> >> allow unconfined_t mono_t:x_resource write;
>> >> allow unconfined_t unconfined_execmem_t:x_resource { write read };
>> >> allow unconfined_t unlabeled_t:x_drawable { destroy getattr };
>> >> [root at localhost ~]#
>> >>
The "null" avc's are fixed in the upstream X server. This is a bad
security hook call in the GLX code and affects GLX programs such as compiz.
The unlabeled AVC is the result of a mislabeled program?
--
Eamon Walsh <ewalsh at tycho.nsa.gov>
National Security Agency