Building the XSELinux Function Test Application

From SELinux Wiki

The X-setest application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in Figure 1 and should be easy to drive.

This application does not require any specific policy module to run; however, it will require permissions to be granted if you want to obtain information when running in domains other than the default. It has been tested with the Reference Policy with the X-Windows object manager running, which is enabled by setting the xserver_object_manager boolean to TRUE. Important note: the new x_keyboard and x_pointer object classes and their permissions must be available. Red Hat F-12 policy RPMs from selinux-policy-3.6.32-100.fc12.noarch.rpm will have these added.
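A preflight check for the two prerequisites named above, added here as an example and not part of the X-setest source. It assumes selinuxfs is mounted at /sys/fs/selinux or /selinux (the older location) and that a boolean file reads as "current pending"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from X-setest): verify the loaded policy has what the
# page requires before building or running the test application.
# Assumption: selinuxfs exposes class/<name>/ directories and
# booleans/<name> files containing "<current> <pending>", e.g. "1 1".

# find_selinuxfs: print the selinuxfs mount point, or return 1 if none.
find_selinuxfs() {
    for d in /sys/fs/selinux /selinux; do
        [ -d "$d/class" ] && { echo "$d"; return 0; }
    done
    return 1
}

# check_xselinux_prereqs ROOT: ROOT is the selinuxfs mount point.
# Prints one line per finding; returns 0 only if every check passes.
check_xselinux_prereqs() {
    root=$1
    rc=0
    if [ ! -d "$root/class" ]; then
        echo "FAIL: $root has no class/ directory (selinuxfs not mounted?)"
        return 2
    fi
    # Object classes the page says must be available.
    for cls in x_keyboard x_pointer; do
        if [ -d "$root/class/$cls" ]; then
            echo "ok:   object class $cls is in the loaded policy"
        else
            echo "FAIL: object class $cls missing from the loaded policy"
            rc=1
        fi
    done
    # Boolean that enables the X-Windows object manager.
    bool="$root/booleans/xserver_object_manager"
    current="" pending=""
    [ -r "$bool" ] && { read -r current pending < "$bool" || :; }
    case "$current" in
        1) echo "ok:   xserver_object_manager is on" ;;
        0) echo "FAIL: xserver_object_manager is off"; rc=1 ;;
        *) echo "FAIL: xserver_object_manager boolean not readable"; rc=1 ;;
    esac
    if [ -n "$pending" ] && [ "$pending" != "$current" ]; then
        echo "warn: pending value $pending not yet committed"
    fi
    return $rc
}

# Check the live system only when asked: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    check_xselinux_prereqs "$(find_selinuxfs)"
fi
```

A FAIL on either object class means the installed policy predates x_keyboard and x_pointer.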

The "Calling the XSELinux Functions" section explains some of the issues around error handling, and the source code has plenty of comments.

Functions 12, 13, 19, 20 & 22 return an XError of BadAlloc when access is denied and generate a USER_AVC entry in audit.log. Note, however, that XErrors are checked first and are not logged in audit.log; only USER_AVC errors will be logged.

When entering Atom names, the application will check if they are valid; however, they are NOT checked to see if they are valid for the specific function (e.g. PRIMARY can be entered for a GetProperty... function, but it will fail with BadMatch).

Window and Resource IDs entered are not checked by the application, and if incorrect the function will fail with BadMatch.

The 'o' option allows an output file to be specified to log the session; only minimum information is then displayed on the screen.

The application requires the following to be installed if recompiled:

  • libX11, libX11-common, libX11-devel - These are standard Xlib packages.
  • libXi, libXi-devel - These are required for retrieving Xdevice information.
  • The XSELinuxOMFunctions.c and Xlib-selinux.h files that are located in the ./x-windows/x-common directory.
  • The application source code X-setest.c that is located in the ./x-windows/x-setest directory.

The X-setest application can be built using the following command:

gcc X-setest.c ../x-common/XSELinuxOMFunctions.c -o X-setest -l selinux -l X11 -l Xi

The X-setest application can be called as follows:

# Output all information to the screen:
X-setest

# Output all information to a specified file [log_file_name],
# with minimum information displayed on the screen:
X-setest [log_file_name]