[DSE-Dev] refpolicy HEAD, Debian, ioctl on xconsole by syslogd
Václav Ovsík
vaclav.ovsik at i.cz
Fri Dec 21 14:31:03 UTC 2007
Hi,
On Mon, Dec 17, 2007 at 09:32:28AM -0500, Christopher J. PeBenito wrote:
>...
> > Move xconsole_device_t stuff from xserver into logging?
> >
> > Any idea how to solve this?
>
> This came up before, and I was under the impression that it had been
> fixed. I guess not. You can see the previous thread:
>
> http://marc.info/?l=selinux&m=115816229022334&w=2
Ok, and what is the conclusion from this thread? I think that moving the
xconsole pipe from xserver to logging can solve the problem on Debian.
I didn't find /dev/xconsole on CentOS; I don't know about Gentoo and Suse.
On Debian:
The xconsole pipe is created by the init script (/etc/init.d/sysklogd) under
/dev with type device_t, then chown and chmod are done, and finally
restorecon is (will be) called on it (it obtains the xconsole_device_t type).
The init script is able to create the pipe (with device_t type) thanks to
the unconfined module. I tried to remove the unconfined module and some new
denials appeared on system startup, and I will report this in 2008 :).
I rewrote Erich S.'s changeset a bit and it is attached. One version is
a patch with the logging_setattr_xconsole macro (xconsole-move.patch) and
the other is without it (xconsole-move2.patch). This macro call with
domain initrc_t as argument is not too interesting, I think. The init script
is capable of creating the pipe thanks to the unconfined module. More
permissions are needed without the unconfined module. I will save this for
later.
What about renaming xconsole_device_t to xconsole_pipe_t?
Please consider some changes above. Thanks.
Merry Xmas.
--
Zito
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xconsole-move.patch
Type: text/x-diff
Size: 5616 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20071221/8d1fd657/attachment.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xconsole-move2.patch
Type: text/x-diff
Size: 4996 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20071221/8d1fd657/attachment-0001.patch