Hide Forgot
Description of problem: * audit2allow says #!!!! This avc can be allowed using the boolean 'xserver_object_manager' allow staff_t root_xdrawable_t:x_drawable manage; * but the xserver_object_manager boolean was enabled # grep -i selinux /var/log/Xorg.* /var/log/Xorg.0.log:[ 6075.362] (II) SELinux: Configured in enforcing mode /var/log/Xorg.0.log.old:[ 5470.542] (II) SELinux: Configured in enforcing mode * if the xserver_object_manager boolean was disabled then the SELinux extension for X server wouldn't be active at all Version-Release number of selected component (if applicable): selinux-policy-3.13.1-102.el7_3.6.noarch selinux-policy-devel-3.13.1-102.el7_3.6.noarch selinux-policy-doc-3.13.1-102.el7_3.6.noarch selinux-policy-minimum-3.13.1-102.el7_3.6.noarch selinux-policy-mls-3.13.1-102.el7_3.6.noarch selinux-policy-sandbox-3.13.1-102.el7_3.6.noarch selinux-policy-targeted-3.13.1-102.el7_3.6.noarch xorg-x11-server-common-1.17.2-22.el7.x86_64 xorg-x11-server-utils-7.7-14.el7.x86_64 xorg-x11-server-Xdmx-1.17.2-22.el7.x86_64 xorg-x11-server-Xephyr-1.17.2-22.el7.x86_64 xorg-x11-server-Xnest-1.17.2-22.el7.x86_64 xorg-x11-server-Xorg-1.17.2-22.el7.x86_64 xorg-x11-server-Xspice-0.1.1-18.el7.x86_64 xorg-x11-server-Xvfb-1.17.2-22.el7.x86_64 How reproducible: * always Steps to Reproduce: 1. get a RHEL-7.3 machine (targeted policy is active) 2. enable the xserver_object_manager boolean 3. create /etc/X11/xorg.conf.d/selinux.conf which has following content: Section "Module" SubSection "extmod" Option "SELinux mode enforcing" EndSubSection EndSection 4. restart X server 5. log into X session as staff_u user 6. search for SELinux denials Actual results: ---- type=USER_AVC msg=audit(11/16/2016 13:53:49.108:649) : pid=6828 uid=root auid=unset ses=unset subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 msg='avc: denied { manage } for request=X11:ChangeWindowAttributes comm=/usr/bin/gnome-shell resid=276 restype=WINDOW scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_xdrawable_t:s0 tclass=x_drawable exe=/usr/bin/Xorg sauid=root hostname=? addr=? terminal=?' ---- # getsebool xserver_object_manager xserver_object_manager --> on # sesearch -s staff_t -t root_xdrawable_t -c x_drawable -DAC -p manage Found 1 semantic av rules: DF allow x_domain xdrawable_type : x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive } ; [ xserver_object_manager ] # Expected results: * above-mentioned allow rule should be enabled when the boolean is enabled
Let's test it on Fedora first.
We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug.