selinux June 2008 archive
Main Archive Page > Month Archives  > selinux archives
selinux: Re: x_extension use

Re: x_extension use

From: Christopher J. PeBenito <cpebenito_at_nospam>
Date: Mon Jun 23 2008 - 13:01:18 GMT
To: Xavier Toth <txtoth@gmail.com>


On Thu, 2008-06-19 at 17:33 -0500, Xavier Toth wrote:
> I'm seeing a number of AVCs out of gnome applications for a range of X
> extensions. Now I wondering about allowing access to X extensions. In
> general should apps be able to use any extension or are there specific
> one that need greater access control?

I can't really add anything to what Eamon said but there is one thing I wanted to note:

> type=USER_AVC msg=audit(1213883755.647:918): user pid=23989 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied
> { use } for request=XFree86-VidModeExtension:QueryVersion
> comm=gnome-screensaver extension=XFree86-VidModeExtension
> scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:directhw_xext_t:s0 tclass=x_extension :
> exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)'

This extension gives direct access to hardware, so you may not want to allow this one. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.