[DSE-Dev] Bug#706559: selinux-policy-default: unconfined_t should not domain transition to xserver_t

Félix Sipma felix.sipma at no-log.org
Wed May 1 15:32:18 UTC 2013

Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important
Tags: patch

Dear Maintainer,

With the default selinux-policy-default, my logs where full of: 

type=SELINUX_ERR msg=audit(1367419745.572:211): security_compute_sid:  invalid context          unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:      xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023            tclass=unix_stream_socket

Priority set to important, as xserver is used by a lot of people.

Thanks to grift on #selinux who provided the addressed policy, which fixes the issue.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (900, 'unstable'), (600, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-9
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3.3

Versions of packages selinux-policy-default suggests:
ii  logcheck        1.3.15
ii  syslog-summary  1.14-2

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information

-------------- next part --------------
module localxserver 1.0.0;
require {
role unconfined_r;
type xserver_t;
role unconfined_r types xserver_t;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20130501/d9ed0b7b/attachment.pgp>

More information about the SELinux-devel mailing list