policy rules for use as Xterminal

Herald van der Breggen herald at breggen.xs4all.nl
Mon Apr 12 14:35:31 UTC 2004


On Mon 12-04-2004, at 15:29, Russell Coker wrote:
> On Mon, 12 Apr 2004 20:36, Herald van der Breggen <herald at breggen.xs4all.nl> 
> wrote:
> > removed the line
> > #x:5:respawn:/etc/X11/prefdm -nodaemon
> >
> > added the line
> > x:5:respawn:/usr/X11R6/bin/X -query 192.168.1.12
> >
> > The current policy files don't allow init to start X (which is a symlink
> > to XFree in the same directory).
> >
> > avc:  denied  { execute } for  pid=3058 exe=/sbin/init name=XFree86
> > dev=hda5 ino=395703 scontext=system_u:system_r:init_t
> > tcontext=system_u:object_r:policy_config_t tclass=file
> 
> Firstly there is something very wrong in having the file labeled as 
> policy_config_t.  Please use setfiles to relabel /usr/X11R6 before trying it 
> again.

Yes, you are right, in my attempts to fix the problem, I made a mistake.
I did a relabel and now a "better" avc message appears when init tries
to start X:

avc:  denied  { execute } for  pid=1908 exe=/sbin/init name=XFree86
dev=hda5 ino=395703 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:xserver_exec_t tclass=file

> 
> > Question one: should the default set of policy rules not allow this?
> 
> Yes, I think it should.
> 
> > Question two: what is the best way to allow init to start the X server?
> > I am new to selinux and have trouble finding my way. I struggled
> > with the newrules.pl script (which did not seem to be the right way to solve
> > this problem) and tried rules like
> >
> > can_exec(init_t, xserver_exec_t);
> > can_exec(init_t, xserver_log_t);
> 
> I don't know why a log file is being executed, I guess that there is a 
> mislabeled file.  Maybe relabelling your system would be a good idea.
> 
> As for solving the problem, what you want is for init_t to transition to 
> xdm_xserver_t (the domain for system X server processes).  The following 
> policy should work:
> 
> domain_auto_trans(init_t, xserver_exec_t, xdm_xserver_t)

I have put the line in domains/program/init.te, did a "make load" and
there were no more avc messages. Nice!

The only thing was that the screen stayed black. I decided to reboot.
And after that... It worked!

So, the domain_auto_trans line really works! Thanks a lot!

Herald
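The thread above shows the two ways an `execute` denial can go: the first AVC message pointed at a mislabeled binary (an X server labeled `policy_config_t`, fixed with setfiles), the second at a correctly labeled `xserver_exec_t` entrypoint that needed a `domain_auto_trans` into `xdm_xserver_t` rather than a `can_exec` rule that would have left the X server running as `init_t`. The following is an added example, not code from the thread or from the SELinux project: it parses the two AVC lines quoted above (joined back into single log records) and applies that triage. The `EXEC_ENTRYPOINTS` table is an assumption; only the `xserver_exec_t` to `xdm_xserver_t` pair comes from the page.

```python
"""Triage SELinux AVC 'execute' denials the way the thread above does.

Added example, not part of the mailing-list post. The AVC lines are
copied from the thread; EXEC_ENTRYPOINTS is an assumed lookup table
(only the xserver_exec_t -> xdm_xserver_t pair is stated on the page).
"""
import re
from dataclasses import dataclass

# Constructed sample: the two denials from the thread, wrapped exactly
# as they appeared in the mail (a real syslog record is one line; we join them).
MISLABELED_AVC = """avc:  denied  { execute } for  pid=3058 exe=/sbin/init name=XFree86
dev=hda5 ino=395703 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:policy_config_t tclass=file"""

RELABELED_AVC = """avc:  denied  { execute } for  pid=1908 exe=/sbin/init name=XFree86
dev=hda5 ino=395703 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:xserver_exec_t tclass=file"""

# Assumed table: entrypoint type -> domain the program should run in.
# Only the xserver pair is taken from the thread.
EXEC_ENTRYPOINTS = {"xserver_exec_t": "xdm_xserver_t"}

_HEAD_RE = re.compile(r"avc:\s+(?P<result>\w+)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Avc:
    result: str
    perms: frozenset
    fields: dict

    def type_of(self, key):
        """Return the type component of a user:role:type context field."""
        return self.fields[key].split(":")[2]


def parse_avc(text):
    """Parse one AVC message; wrapped lines are joined before matching."""
    flat = " ".join(text.split())
    m = _HEAD_RE.match(flat)
    if not m:
        raise ValueError("not an AVC message")
    perms = frozenset(m.group("perms").split())
    fields = dict(_KV_RE.findall(m.group("rest")))
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC message lacks {required}=")
    return Avc(m.group("result"), perms, fields)


def advise(avc, entrypoints=EXEC_ENTRYPOINTS):
    """Map an execute denial to the fix the thread converged on.

    Returns (kind, text) with kind one of 'relabel', 'policy' or 'none'.
    """
    if avc.result != "denied" or "execute" not in avc.perms or avc.fields["tclass"] != "file":
        return ("none", "not a file execute denial")
    src, tgt = avc.type_of("scontext"), avc.type_of("tcontext")
    name = avc.fields.get("name", "<unknown>")
    if tgt in entrypoints:
        # Known entrypoint: transition into its domain. A can_exec() rule would
        # instead keep the program running in `src`, which is what the thread avoids.
        return ("policy", f"domain_auto_trans({src}, {tgt}, {entrypoints[tgt]})")
    if tgt.endswith("_exec_t"):
        return ("policy", f"{tgt} is an entrypoint type with no known domain; "
                          "add it to the table before writing policy")
    # An executable carrying a non-executable type (policy_config_t here) is a
    # mislabel: relabel with setfiles, and write no allow rule for it.
    return ("relabel", f"{name} is labeled {tgt}, not an *_exec_t type; "
                       "run setfiles on its directory")


if __name__ == "__main__":
    for sample in (MISLABELED_AVC, RELABELED_AVC):
        kind, text = advise(parse_avc(sample))
        print(f"{kind}: {text}")
```

Run stand-alone it prints a `relabel` line for the first denial and the `domain_auto_trans(init_t, xserver_exec_t, xdm_xserver_t)` line for the second. The table lookup is the point: a denial whose target is not an `*_exec_t` type is treated as a labeling problem first, so the parser never turns a mislabel into an allow rule.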




More information about the fedora-selinux-list mailing list