
Re: x_extension use

From: Christopher J. PeBenito <cpebenito_at_nospam>
Date: Mon Jun 23 2008 - 13:01:18 GMT
To: Xavier Toth <>

On Thu, 2008-06-19 at 17:33 -0500, Xavier Toth wrote:
> I'm seeing a number of AVCs out of gnome applications for a range of X
> extensions. Now I'm wondering about allowing access to X extensions. In
> general should apps be able to use any extension or are there specific
> ones that need greater access control?

I can't really add anything to what Eamon said but there is one thing I wanted to note:

> type=USER_AVC msg=audit(1213883755.647:918): user pid=23989 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { use } for request=XFree86-VidModeExtension:QueryVersion
> comm=gnome-screensaver extension=XFree86-VidModeExtension
> scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:directhw_xext_t:s0 tclass=x_extension :
> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'

This extension gives direct access to hardware, so you may not want to allow this one.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
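One way to triage a batch of these denials before writing any allow rules, as an added example that is not part of the original message: it parses USER_AVC records for the x_extension class and sets aside those whose target type is directhw_xext_t, the hardware-access type seen in the quoted denial. The second sample record, its std_xext_t type, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 is the denial quoted in the thread, joined onto
# one line as it appears in audit.log; record 2 is made up for contrast and
# its extension-to-type pairing (SHAPE -> std_xext_t) is an assumption.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1213883755.647:918): user pid=23989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { use } for request=XFree86-VidModeExtension:QueryVersion comm=gnome-screensaver extension=XFree86-VidModeExtension scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:directhw_xext_t:s0 tclass=x_extension : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1213883756.101:919): user pid=23989 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { use } for request=SHAPE:QueryVersion comm=gnome-panel extension=SHAPE scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:std_xext_t:s0 tclass=x_extension : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_x_extension_denials(log):
    """Return one dict per denied x_extension check found in the log text."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith("type=USER_AVC") or not m:
            continue
        fields = dict(KV_RE.findall(m.group(2)))
        if fields.get("tclass") != "x_extension":
            continue
        denials.append({
            "perms": m.group(1).split(),
            "comm": fields.get("comm"),
            "extension": fields.get("extension"),
            # SELinux contexts are user:role:type:level; the type is field 3.
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
        })
    return denials


def triage(log, sensitive_types=("directhw_xext_t",)):
    """Split denials into ones to review before allowing and the rest."""
    buckets = defaultdict(list)
    for d in parse_x_extension_denials(log):
        key = "review" if d["target_type"] in sensitive_types else "other"
        buckets[key].append((d["comm"], d["extension"], d["target_type"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG).items():
        for row in rows:
            print(bucket, *row)
```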