Building the XSELinux Function Test Application

From SELinux Wiki

(Difference between revisions)
Revision as of 16:58, 14 March 2010
RichardHaines

Current revision (15:38, 15 March 2010)
RichardHaines

Line 2: Line 2:
The <tt>X-setest</tt> application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/X-setest.png Figure 1] and should be easy to drive. The <tt>X-setest</tt> application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in [http://taiga.selinuxproject.org/~rhaines/diagrams/X-setest.png Figure 1] and should be easy to drive.
-This application does not require any specific policy module to run, however it will require permissions to be granted if you want to obtain information when running in other domains than the default. This has been tested with the Reference Policy once the X-windows object manager is running by setting the <tt>xserver_object_manager</tt> boolean to <tt>TRUE</tt>. Important note - The new <tt>x_keyboard</tt> and <tt>x_pointer</tt> object classes and their permissions must be be available. Red Hat F-12 builds from release XX will have these added.+This application does not require any specific policy module to run, however it will require permissions to be granted if you want to obtain information when running in other domains than the default. This has been tested with the Reference Policy once the X-windows object manager is running by setting the <tt>xserver_object_manager</tt> boolean to <tt>TRUE</tt>. Important note - The new <tt>x_keyboard</tt> and <tt>x_pointer</tt> object classes and their permissions must be be available. Red Hat F-12 policy RPMs from <tt>selinux-policy-3.6.32-100.fc12.noarch.rpm</tt> will have these added.
The [[Experimenting With X-Windows#Calling the XSELinux Functions |Calling the XSELinux Functions]] section explains some of the issues around error handling and the source code has plenty of comments. The [[Experimenting With X-Windows#Calling the XSELinux Functions |Calling the XSELinux Functions]] section explains some of the issues around error handling and the source code has plenty of comments.
Line 18: Line 18:
* <tt>libX11</tt>, <tt>libX11-common</tt>, <tt>libX11-devel</tt> - These are standard Xlib packages. * <tt>libX11</tt>, <tt>libX11-common</tt>, <tt>libX11-devel</tt> - These are standard Xlib packages.
* <tt>libXi</tt>, <tt>libXi-devel</tt> - These are required for retrieving Xdevice information. * <tt>libXi</tt>, <tt>libXi-devel</tt> - These are required for retrieving Xdevice information.
-* The <tt>XSELinuxOMFunctions.c</tt> and <tt>Xlib-selinux.h</tt> files that are located in the <tt>./x-windows/x-common</tt> directory. The contents of these files are shown in the [[Experimenting With X-Windows#Building the X-Windows Select and Paste Examples |Building the X-select and X-paste Applications]] section.+* The <tt>[http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-common/XSELinuxOMFunctions.c XSELinuxOMFunctions.c]</tt> and <tt>[http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-common/Xlib-selinux.h Xlib-selinux.h]</tt> files that are located in the <tt>./x-windows/x-common</tt> directory.
- +* The application source code <tt>[http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-setest/X-setest.c X-setest.c]</tt> that is located in the <tt>./x-windows/x-setest</tt> directory.
-The application source code is available at <tt>./x-windows/x-setest/X-setest.c</tt> and is as follows:+
- +
-[http://taiga.selinuxproject.org/~rhaines/notebook-source/x-windows/x-setest/X-setest.c X-setest.c]+
The <tt>X-setest</tt> application can be built using the following command: The <tt>X-setest</tt> application can be built using the following command:
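Review bot: The revised paragraph in the "Line 2" hunk still carries the doubled word in "must be be available"; drop the repeated "be" while this sentence is being touched. The new wording "policy RPMs from selinux-policy-3.6.32-100.fc12.noarch.rpm" would also read less ambiguously if it said whether that RPM is the first release to include the x_keyboard and x_pointer classes.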
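Review bot: The source links added in the "Line 18" hunk (XSELinuxOMFunctions.c, Xlib-selinux.h and X-setest.c) all use plain http:// URLs, so a reader who downloads and compiles them has no integrity protection on the code. Link over https if the host supports it, or publish a checksum next to each link. The hunk also removes the pointer to the section that showed the contents of the two x-common files, so confirm that the new links fully replace it.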

Current revision

Building the XSELinux Function Test Application

The X-setest application allows a user to execute all of the SELinuxGet/Set.. functions that are integrated with the X-Windows object manager. The application is shown in Figure 1 and should be easy to drive.

This application does not require any specific policy module to run; however, permissions will need to be granted if you want to obtain information when running in domains other than the default. This has been tested with the Reference Policy once the X-Windows object manager is running by setting the xserver_object_manager boolean to TRUE. Important note: the new x_keyboard and x_pointer object classes and their permissions must be available. Red Hat F-12 policy RPMs from selinux-policy-3.6.32-100.fc12.noarch.rpm will have these added.

The "Calling the XSELinux Functions" section explains some of the issues around error handling, and the source code has plenty of comments.

The functions 12, 13, 19, 20 & 22 return an XError of BadAlloc when access is denied and generate a USER_AVC entry in the audit.log. Note, however, that XErrors are checked first and are not logged in audit.log; only USER_AVC errors will be logged.
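As an added example (not part of the original page or of the X-setest source), the following Python code extracts the USER_AVC denials for X object classes from audit.log text, so that a BadAlloc returned by one of these functions can be matched to the denial behind it. The log lines are constructed samples; the comm value and the x_ prefix filter on tclass are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not captured from a real system). Only the generic
# USER_AVC layout is relied on: avc: denied { perms } for key=value ... tclass=...
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1268668800.101:210): user pid=1650 uid=0 subj=system_u:system_r:xserver_t:s0 msg='avc:  denied  { getattr } for comm=X-setest scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xserver_t:s0 tclass=x_keyboard : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1268668801.455:211): user pid=1650 uid=0 subj=system_u:system_r:xserver_t:s0 msg='avc:  denied  { read getattr } for comm=X-setest scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xserver_t:s0 tclass=x_pointer : exe="/usr/bin/Xorg" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1268668802.010:212): user pid=1200 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1268668803.777:213): avc:  denied  { read } for  pid=2001 comm="X-setest" name="session.log" dev=dm-0 ino=4242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_user_avc(line):
    """Return a dict for one USER_AVC record, or None for any other line."""
    if not line.startswith("type=USER_AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }

def x_denials(log_text, comm="X-setest"):
    """Denied USER_AVC records for X object classes (tclass x_*) from one client."""
    records = (parse_user_avc(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["result"] == "denied" and r["comm"] == comm
            and (r["tclass"] or "").startswith("x_")]

def summarize(records):
    """Count denials per (tclass, permission) pair to show which permissions are missing."""
    return Counter((r["tclass"], p) for r in records for p in r["perms"])

if __name__ == "__main__":
    for (tclass, perm), n in sorted(summarize(x_denials(SAMPLE_LOG)).items()):
        print(f"{tclass:12} {perm:10} {n}")
```

Kernel AVC records and USER_AVC records from other object managers (the dbus line in the sample) are skipped, which leaves only the denials raised by the X-Windows object manager.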

When entering Atom names, the application will check if they are valid; however, they are NOT checked to see if they are valid for the specific function (e.g. PRIMARY can be entered for a GetProperty... function, but it will fail with BadMatch).

Window and Resource IDs entered are not checked by the application and, if incorrect, the function will fail with BadMatch.

The 'o' option allows an output file to be specified to log the session; only minimum information is then displayed on the screen.

The application requires the following to be installed if recompiled:

  • libX11, libX11-common, libX11-devel - These are standard Xlib packages.
  • libXi, libXi-devel - These are required for retrieving Xdevice information.
  • The XSELinuxOMFunctions.c and Xlib-selinux.h files that are located in the ./x-windows/x-common directory.
  • The application source code X-setest.c that is located in the ./x-windows/x-setest directory.

The X-setest application can be built using the following command:

gcc X-setest.c ../x-common/XSELinuxOMFunctions.c -o X-setest -l selinux -l X11 -l Xi

The X-setest application can be called as follows:

# Output all information to the screen:
X-setest

# Output all information to a specified file [log_file_name],
# with minimum information displayed on the screen:
X-setest [log_file_name]