[refpolicy] range_transitions not working
Daniel J Walsh
dwalsh at redhat.com
Fri Nov 14 09:05:09 CST 2008
Xavier Toth wrote:
> As part of my copy/paste policy development effort I've added the
> following rules to my selection
> managers policy:
>
> type $1_securecp_rootwindow_t;
> type_transition $1_securecp_t $2_rootwindow_t:x_drawable
> $1_securecp_rootwindow_t;
> range_transition $1_securecp_t
> $1_securecp_rootwindow_t:x_drawable s0 - s15:c0.c1023;
>
> However when the manager starts the first window created isn't ranged
> but the second one is, can anyone think of a reason why this would
> be?
>
> node=comms type=USER_AVC msg=audit(1226245445.138:213): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { create setattr } for request=X11:CreateWindow comm=python
> resid=2800001 restype=WINDOW
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.138:214): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { blend } for request=X11:CreateWindow comm=python resid=2800001
> restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.140:215): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { set_property } for request=X11:ChangeProperty comm=python
> resid=2800001 restype=WINDOW
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.140:216): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { receive } for comm=python
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:217): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { add_child } for request=X11:CreateWindow comm=python resid=2800001
> restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:218): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { create setattr } for request=X11:CreateWindow comm=python
> resid=2800002 restype=WINDOW
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
> node=comms type=USER_AVC msg=audit(1226245445.142:219): user pid=3199
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { blend } for request=X11:CreateWindow comm=python resid=2800002
> restype=WINDOW scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023
> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
>
> I also have:
>
> type $1_securecp_clipboard_xproperty_t;
> type_transition $1_securecp_t clipboard_xproperty_t:x_property
> $1_securecp_clipboard_xproperty_t;
> range_transition $1_securecp_t
> $1_securecp_clipboard_xproperty_t:x_property s0 - s15:c0.c1023;
>
> in policy but these properties don't get labeled with the range.
>
> node=comms type=USER_AVC msg=audit(1226249010.717:255): user pid=3198
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { write create } for request=X11:ChangeProperty comm=python
> property=GDK_SELECTION
> scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0
> tclass=x_property : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?,
> terminal=?)'
>
> Ted
I would guess this is a bug in the xserver? Ask Eamon?
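An added example, not part of either message above: a small check that scans USER_AVC denials and reports objects whose target context lacks the range the quoted range_transition rules should have assigned. It assumes `$1` expands to `user`, that records are one per line as in a real audit log, and the names `EXPECTED` and `find_unranged` are hypothetical.

```python
import re

# Expected MLS range per (target type, class), taken from the two
# range_transition rules in the post with $1 expanded to "user" (assumption).
EXPECTED = {
    ("user_securecp_rootwindow_t", "x_drawable"): "s0-s15:c0.c1023",
    ("user_securecp_clipboard_xproperty_t", "x_property"): "s0-s15:c0.c1023",
}

# Constructed sample: three of the quoted denials, unwrapped to one record
# per line and trimmed to the fields the check reads.
SAMPLE = "\n".join([
    "type=USER_AVC msg=audit(1226245445.138:213): msg='avc: denied { create setattr } "
    "for request=X11:CreateWindow comm=python resid=2800001 restype=WINDOW "
    "scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 "
    "tcontext=user_u:object_r:user_securecp_rootwindow_t:s0 tclass=x_drawable'",
    "type=USER_AVC msg=audit(1226245445.142:218): msg='avc: denied { create setattr } "
    "for request=X11:CreateWindow comm=python resid=2800002 restype=WINDOW "
    "scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 "
    "tcontext=user_u:object_r:user_securecp_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable'",
    "type=USER_AVC msg=audit(1226249010.717:255): msg='avc: denied { write create } "
    "for request=X11:ChangeProperty comm=python property=GDK_SELECTION "
    "scontext=user_u:user_r:user_securecp_t:s0-s15:c0.c1023 "
    "tcontext=user_u:object_r:user_securecp_clipboard_xproperty_t:s0 tclass=x_property'",
])

AVC_RE = re.compile(
    r"audit\([\d.]+:(?P<serial>\d+)\).*?avc:\s+denied\s+\{[^}]*\}"
    r".*?tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def find_unranged(log):
    """Return (serial, object id, type, actual range) for each denial whose
    target lacks the range its range_transition rule should have assigned."""
    hits = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        parts = m["tcon"].split(":", 3)   # user:role:type:mls-range
        if len(parts) != 4:               # no MLS field in this context
            continue
        typ, mls = parts[2], parts[3]
        want = EXPECTED.get((typ, m["tclass"]))
        if want and mls != want:
            obj = re.search(r"\b(?:resid|property)=(\S+)", line)
            hits.append((int(m["serial"]), obj.group(1) if obj else "-", typ, mls))
    return hits

if __name__ == "__main__":
    for hit in find_unranged(SAMPLE):
        print(hit)
```

Grouping the hits by `resid` makes the pattern in the report visible: window 2800001 is labeled `s0` while 2800002 carries the full range.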