selinux January 2012 archive

Re: X server in enforcing x_drawable avcs

From: Stephen Smalley <sds_at_nospam>
Date: Mon Jan 30 2012 - 16:12:58 GMT
To: Ted Toth <>

On Tue, 2012-01-24 at 13:27 -0600, Ted Toth wrote:
> I'm seeing x_drawable read denials in Xorg.0.log on a system with the
> X server in enforcing. I'm confused about these because the
> xserver_object_manager boolean is set which gets:
> allow x_domain xdrawable_type:x_drawable *;
> and the source context type of the avc is a type in the x_domain
> attribute and the target context type is in the xdrawable_type
> attribute which should be allowed by the included allow rule.

Have you checked whether compute_av (from libselinux/utils) gives the
expected result?

What does audit2why aka audit2allow -w say about the denial?
Could it be a constraint violation instead of a TE denial?

--
Stephen Smalley
National Security Agency