| Summary: | unexpected USER_AVCs appear when the xserver_object_manager boolean is enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1393066 | | |
Let's test it on Fedora first.

We're going to close this bug as WONTFIX because

* of limited capacity of selinux-policy developers
* the bug is related to EPEL component or 3rd party SW only
* the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module. For more information please see:

* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Description of problem:

* audit2allow says

```
#!!!! This avc can be allowed using the boolean 'xserver_object_manager'
allow staff_t root_xdrawable_t:x_drawable manage;
```

* but the xserver_object_manager boolean was enabled

```
# grep -i selinux /var/log/Xorg.*
/var/log/Xorg.0.log:[ 6075.362] (II) SELinux: Configured in enforcing mode
/var/log/Xorg.0.log.old:[ 5470.542] (II) SELinux: Configured in enforcing mode
```

* if the xserver_object_manager boolean was disabled then the SELinux extension for X server wouldn't be active at all

Version-Release number of selected component (if applicable):

```
selinux-policy-3.13.1-102.el7_3.6.noarch
selinux-policy-devel-3.13.1-102.el7_3.6.noarch
selinux-policy-doc-3.13.1-102.el7_3.6.noarch
selinux-policy-minimum-3.13.1-102.el7_3.6.noarch
selinux-policy-mls-3.13.1-102.el7_3.6.noarch
selinux-policy-sandbox-3.13.1-102.el7_3.6.noarch
selinux-policy-targeted-3.13.1-102.el7_3.6.noarch
xorg-x11-server-common-1.17.2-22.el7.x86_64
xorg-x11-server-utils-7.7-14.el7.x86_64
xorg-x11-server-Xdmx-1.17.2-22.el7.x86_64
xorg-x11-server-Xephyr-1.17.2-22.el7.x86_64
xorg-x11-server-Xnest-1.17.2-22.el7.x86_64
xorg-x11-server-Xorg-1.17.2-22.el7.x86_64
xorg-x11-server-Xspice-0.1.1-18.el7.x86_64
xorg-x11-server-Xvfb-1.17.2-22.el7.x86_64
```

How reproducible:

* always

Steps to Reproduce:

1. get a RHEL-7.3 machine (targeted policy is active)
2. enable the xserver_object_manager boolean
3. create /etc/X11/xorg.conf.d/selinux.conf which has the following content:

```
Section "Module"
    SubSection "extmod"
        Option "SELinux mode enforcing"
    EndSubSection
EndSection
```

4. restart X server
5. log into X session as staff_u user
6. search for SELinux denials

Actual results:

```
----
type=USER_AVC msg=audit(11/16/2016 13:53:49.108:649) : pid=6828 uid=root auid=unset ses=unset subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc: denied { manage } for request=X11:ChangeWindowAttributes comm=/usr/bin/gnome-shell resid=276 restype=WINDOW scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_xdrawable_t:s0 tclass=x_drawable exe=/usr/bin/Xorg sauid=root hostname=? addr=? terminal=?'
----
# getsebool xserver_object_manager
xserver_object_manager --> on
# sesearch -s staff_t -t root_xdrawable_t -c x_drawable -DAC -p manage
Found 1 semantic av rules:
DF allow x_domain xdrawable_type : x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive } ; [ xserver_object_manager ]
#
```

Expected results:

* the above-mentioned allow rule should be enabled when the boolean is enabled
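Added here as an illustration (not part of the bug report or of selinux-policy): the following Python parses the X object-manager USER_AVC record and the conditional rule line quoted above, decoding the E/D (enabled/disabled) and T/F (true/false branch) prefix that setools 3 `sesearch -C` prints, so an administrator can see which permission, target type and boolean a denial involves, and whether the gating boolean is currently on, before deciding on a local policy module. The sample records are copies of the ones in this report; the function names are this example's own.

```python
import re

# Constructed copies of the two records quoted in the bug report above.
SAMPLE_USER_AVC = (
    "type=USER_AVC msg=audit(11/16/2016 13:53:49.108:649) : pid=6828 uid=root auid=unset "
    "ses=unset subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc: denied { manage } "
    "for request=X11:ChangeWindowAttributes comm=/usr/bin/gnome-shell resid=276 restype=WINDOW "
    "scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_xdrawable_t:s0 "
    "tclass=x_drawable exe=/usr/bin/Xorg sauid=root hostname=? addr=? terminal=?'"
)
SAMPLE_SESEARCH = (
    "DF allow x_domain xdrawable_type : x_drawable { create destroy read write blend getattr "
    "setattr list_child add_child remove_child list_property get_property set_property manage "
    "override show hide send receive } ; [ xserver_object_manager ]"
)

_AVC = re.compile(r"msg='avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)'")
_KV = re.compile(r"(\w+)=(\S+)")
# sesearch -C prefixes a conditional rule with E/D (enabled/disabled) and T/F (true/false branch).
_COND = re.compile(r"^(?P<state>[ED])(?P<branch>[TF])\s+allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
                   r"(?P<cls>\S+)\s+\{\s*(?P<perms>[^}]*)\}\s*;\s*\[\s*(?P<cond>[^\]]*?)\s*\]")

def parse_user_avc(line):
    """Split an X object-manager USER_AVC record into the fields needed to query policy."""
    m = _AVC.search(line)
    if not m:
        raise ValueError("not an X object-manager USER_AVC record")
    f = dict(_KV.findall(m.group("kv")))
    f["result"], f["perms"] = m.group("result"), m.group("perms").split()
    f["stype"], f["ttype"] = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    return f

def parse_conditional_rule(line):
    """Decode one conditional allow rule as printed by sesearch -C (setools 3)."""
    m = _COND.match(line.strip())
    if not m:
        raise ValueError("not a conditional allow rule")
    return {"enabled": m.group("state") == "E", "in_true_branch": m.group("branch") == "T",
            "source": m.group("src"), "target": m.group("tgt"), "tclass": m.group("cls"),
            "perms": set(m.group("perms").split()), "condition": m.group("cond")}

def implied_boolean_value(rule):
    """Value a single gating boolean must have now: a rule is enabled iff boolean == its branch."""
    return rule["in_true_branch"] if rule["enabled"] else not rule["in_true_branch"]

def rule_covers_denial(rule, avc):
    """True when the rule's class and permission set include everything the AVC asked for."""
    return rule["tclass"] == avc["tclass"] and set(avc["perms"]) <= rule["perms"]
```

`rule_covers_denial` only compares class and permissions; whether the rule's source and target attributes actually contain the AVC's types still has to be checked with `seinfo` or `sesearch`.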