Building the XSELinux Function Test Application

From SELinux Wiki

(Difference between revisions)
Revision as of 16:17, 14 March 2010
RichardHaines
(New page: = Building the XSELinux Function Test Application = The <tt>X-setest</tt> application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows ...)
Revision as of 16:58, 14 March 2010
RichardHaines
Line 1: Line 1:
= Building the XSELinux Function Test Application = = Building the XSELinux Function Test Application =
-The <tt>X-setest</tt> application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in [[http://taiga.selinuxproject.org/~rhaines/diagrams/X-setest.png Figure 1]] and should be easy to drive.+The <tt>X-setest</tt> application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/X-setest.png Figure 1] and should be easy to drive.
This application does not require any specific policy module to run, however it will require permissions to be granted if you want to obtain information when running in other domains than the default. This has been tested with the Reference Policy once the X-windows object manager is running by setting the <tt>xserver_object_manager</tt> boolean to <tt>TRUE</tt>. Important note - The new <tt>x_keyboard</tt> and <tt>x_pointer</tt> object classes and their permissions must be be available. Red Hat F-12 builds from release XX will have these added. This application does not require any specific policy module to run, however it will require permissions to be granted if you want to obtain information when running in other domains than the default. This has been tested with the Reference Policy once the X-windows object manager is running by setting the <tt>xserver_object_manager</tt> boolean to <tt>TRUE</tt>. Important note - The new <tt>x_keyboard</tt> and <tt>x_pointer</tt> object classes and their permissions must be be available. Red Hat F-12 builds from release XX will have these added.
-The [[Experimenting with X-Windows#Calling the XSELinux Functions|Calling the XSELinux Functions]] section explains some of the issues around error handling and the source code has plenty of comments. +The [[Experimenting With X-Windows#Calling the XSELinux Functions |Calling the XSELinux Functions]] section explains some of the issues around error handling and the source code has plenty of comments.
The functions 12, 13, 19, 20 & 22 return an <tt>XError</tt> of <tt>BadAlloc</tt> when access is denied and generates a <tt>USER_AVC</tt> entry in the audit.log. Note however, <tt>XErrors</tt> are checked first and are not logged in audit.log, only USER_AVC errors will be logged The functions 12, 13, 19, 20 & 22 return an <tt>XError</tt> of <tt>BadAlloc</tt> when access is denied and generates a <tt>USER_AVC</tt> entry in the audit.log. Note however, <tt>XErrors</tt> are checked first and are not logged in audit.log, only USER_AVC errors will be logged
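Review bot: The context paragraph left unchanged in this hunk still reads "must be be available" (duplicated word) and "Red Hat F-12 builds from release XX" (an unfilled placeholder); both are worth fixing in the same pass as the link markup. In the changed internal link, the target now has a space before the pipe ("#Calling the XSELinux Functions |Calling ..."); drop it so the section anchor is written exactly as the heading.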
Line 18: Line 18:
* <tt>libX11</tt>, <tt>libX11-common</tt>, <tt>libX11-devel</tt> - These are standard Xlib packages. * <tt>libX11</tt>, <tt>libX11-common</tt>, <tt>libX11-devel</tt> - These are standard Xlib packages.
* <tt>libXi</tt>, <tt>libXi-devel</tt> - These are required for retrieving Xdevice information. * <tt>libXi</tt>, <tt>libXi-devel</tt> - These are required for retrieving Xdevice information.
-* The <tt>XSELinuxOMFunctions.c</tt> and <tt>Xlib-selinux.h</tt> files that are located in the <tt>./x-windows/x-common</tt> directory. The contents of these files are shown in the [[Experimenting with X-Windows#Building the X-select and X-paste Applications|Building the X-select and X-paste Applications]] section.+* The <tt>XSELinuxOMFunctions.c</tt> and <tt>Xlib-selinux.h</tt> files that are located in the <tt>./x-windows/x-common</tt> directory. The contents of these files are shown in the [[Experimenting With X-Windows#Building the X-Windows Select and Paste Examples |Building the X-select and X-paste Applications]] section.
The application source code is available at <tt>./x-windows/x-setest/X-setest.c</tt> and is as follows: The application source code is available at <tt>./x-windows/x-setest/X-setest.c</tt> and is as follows:
-[[http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-setest/X-setest.c X-setest.c]]+[http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-setest/X-setest.c X-setest.c]
The <tt>X-setest</tt> application can be built using the following command: The <tt>X-setest</tt> application can be built using the following command:
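Review bot: In the changed bullet, the link target becomes "#Building the X-Windows Select and Paste Examples" while the visible label is still "Building the X-select and X-paste Applications", so the text names a section that differs from the one the link points to. Update the label to match the target heading, or confirm the anchor is the intended one, and remove the space before the pipe.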

Revision as of 16:58, 14 March 2010

Building the XSELinux Function Test Application

The X-setest application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in Figure 1 and should be easy to drive.

This application does not require any specific policy module to run; however, it will require permissions to be granted if you want to obtain information when running in domains other than the default. It has been tested with the Reference Policy once the X-Windows object manager is running, which is done by setting the xserver_object_manager boolean to TRUE. Important note: the new x_keyboard and x_pointer object classes and their permissions must be available. Red Hat F-12 builds from release XX will have these added.

The Calling the XSELinux Functions section explains some of the issues around error handling and the source code has plenty of comments.

Functions 12, 13, 19, 20 and 22 return an XError of BadAlloc when access is denied and generate a USER_AVC entry in audit.log. Note, however, that XErrors are checked first and are not logged in audit.log; only USER_AVC errors will be logged.
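To match a BadAlloc returned by one of these functions to its denial, the USER_AVC records for the X object classes can be pulled out of audit.log and grouped by source context, target context and class. The following is an added example, not code from the original page or from the X-setest sources; the log lines are constructed, and their field layout is an assumption modelled on typical USER_AVC entries.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real system); layout is an assumption.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1268585820.101:301): user pid=1842 uid=0 subj=system_u:system_r:xserver_t:s0 msg='avc:  denied  { getattr } for request=SELinux:SELinuxGetPropertyContext comm=X-setest scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xproperty_t:s0 tclass=x_property'
type=USER_AVC msg=audit(1268585820.350:302): user pid=1842 uid=0 subj=system_u:system_r:xserver_t:s0 msg='avc:  denied  { read } for comm=X-setest scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xproperty_t:s0 tclass=x_property'
type=USER_AVC msg=audit(1268585821.010:303): user pid=1842 uid=0 subj=system_u:system_r:xserver_t:s0 msg='avc:  denied  { getattr } for comm=X-setest scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:xserver_t:s0 tclass=x_keyboard'
type=USER_AVC msg=audit(1268585821.200:304): user pid=1842 uid=0 subj=system_u:system_r:xserver_t:s0 msg='avc:  granted  { read } for comm=X-setest scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xproperty_t:s0 tclass=x_property'
type=USER_AVC msg=audit(1268585822.000:305): user pid=990 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus'
type=AVC msg=audit(1268585823.004:306): avc:  denied  { read } for  pid=1900 comm="cat" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line):
    """Return a dict for a userspace (USER_AVC) record, or None for anything else."""
    if not line.startswith("type=USER_AVC "):
        return None  # kernel AVCs and other record types are out of scope here
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("fields"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}


def x_denials(log_text):
    """Group denied permissions on x_* classes by (scontext, tcontext, tclass)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_user_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        tclass = rec.get("tclass", "")
        if tclass.startswith("x_"):  # only X object manager classes
            key = (rec.get("scontext"), rec.get("tcontext"), tclass)
            needed[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in x_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt} [{cls}]: {' '.join(perms)}")
```

Each printed row is one source/target/class combination together with the permissions that were denied, which is the information needed to decide what to grant when X-setest runs in a domain other than the default.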

When Atom names are entered, the application will check that they are valid; however, they are NOT checked to see if they are valid for the specific function (e.g. PRIMARY can be entered for a GetProperty... function, but it will fail with BadMatch).

Window and Resource IDs entered are not checked by the application and, if incorrect, the function will fail with BadMatch.

The 'o' option allows an output file to be specified to log the session; only minimum information is then displayed on the screen.

The application requires the following to be installed if recompiled:

  • libX11, libX11-common, libX11-devel - These are standard Xlib packages.
  • libXi, libXi-devel - These are required for retrieving Xdevice information.
  • The XSELinuxOMFunctions.c and Xlib-selinux.h files that are located in the ./x-windows/x-common directory. The contents of these files are shown in the Building the X-select and X-paste Applications section.

The application source code is available at ./x-windows/x-setest/X-setest.c and is as follows:

X-setest.c

The X-setest application can be built using the following command:

gcc X-setest.c ../x-common/XSELinuxOMFunctions.c -o X-setest -l selinux -l X11 -l Xi

The X-setest application can be called as follows:

# Output all information to the screen:
X-setest

# Output all information to a specified file [log_file_name],
# with minimum information displayed on the screen:
X-setest [log_file_name]