http://selinuxproject.org/w/?title=NB_XWIN&feed=atom&action=history NB XWIN - Revision history 2024-03-28T14:38:10Z Revision history for this page on the wiki MediaWiki 1.23.13 http://selinuxproject.org/w/?title=NB_XWIN&diff=1800&oldid=prev RichardHaines at 14:05, 25 September 2015 2015-09-25T14:05:10Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:05, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 2:</td> <td colspan="2" class="diff-lineno">Line 2:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources) using an X-Windows extention acting as the object manager (OM). The extension name is &quot;&lt;tt&gt;SELinux&lt;/tt&gt;&quot;.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources) using an X-Windows extention acting as the object manager (OM). 
The extension name is &quot;&lt;tt&gt;SELinux&lt;/tt&gt;&quot;.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>This Notebook will only give a high level description of the infrastructure based on the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/23-x-server.png X-Server and XSELinux Object Manager X-Server and XSELinux Object Manager] diagram, however the &quot;[http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf Application of the Flask Architecture to the X Window ][http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf System Server]&quot; paper has a good overview of how the object manager has been implemented, although it does not cover areas such as polyinstantiation.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>This Notebook will only give a high level description of the infrastructure based on the [http://selinuxproject.org/~rhaines/NB4-diagrams/23-x-server.png X-Server and XSELinux Object Manager X-Server and XSELinux Object Manager] diagram, however the 
&quot;[http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf Application of the Flask Architecture to the X Window ][http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf System Server]&quot; paper has a good overview of how the object manager has been implemented, although it does not cover areas such as polyinstantiation.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The X-Windows object classes and permissions are listed in the [[NB_ObjectClassesPermissions#X Windows Object Classes | X Windows Object Classes]] section and the Reference Policy modules have been updated to enforce policy using the XSELinux object manager.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The X-Windows object classes and permissions are listed in the [[NB_ObjectClassesPermissions#X Windows Object Classes | X Windows Object Classes]] section and the Reference Policy modules have been updated to enforce policy using the XSELinux object manager.</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 11:</td> <td 
colspan="2" class="diff-lineno">Line 11:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>It is important to note that the X-Windows OM operates on the low level window objects of the X-server. A windows manager (such as Gnome or twm) would then sit above this, however they (the windows manager or even the lower level Xlib) would not be aware of the policy being enforced by SELinux. Therefore there can be situations where X-Windows applications get bitter &amp; twisted at the denial of a service. This can result in either opening the policy more than desired, or just letting the application keep aborting, or modifying the application.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>It is important to note that the X-Windows OM operates on the low level window objects of the X-server. A windows manager (such as Gnome or twm) would then sit above this, however they (the windows manager or even the lower level Xlib) would not be aware of the policy being enforced by SELinux. Therefore there can be situations where X-Windows applications get bitter &amp; twisted at the denial of a service. 
This can result in either opening the policy more than desired, or just letting the application keep aborting, or modifying the application.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Using the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/23-x-server.png X-Server and XSELinux Object Manager X-Server and XSELinux Object Manager] diagram, the major components that form the overall XSELinux OM are (top left to right):</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Using the [http://selinuxproject.org/~rhaines/NB4-diagrams/23-x-server.png X-Server and XSELinux Object Manager X-Server and XSELinux Object Manager] diagram, the major components that form the overall XSELinux OM are (top left to right):</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''The Policy''' - The Reference Policy has been updated, however in 
Fedora the OM is enabled for mls and disabled for targeted policies via the &lt;tt&gt;xserver-object-manager&lt;/tt&gt; boolean. Enabling this boolean also initialises the XSELinux OM extension. Important note - The boolean must be present in any policy and be set to &lt;tt&gt;true&lt;/tt&gt;, otherwise the object manager will be disabled as the code specifically checks for the boolean.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''The Policy''' - The Reference Policy has been updated, however in Fedora the OM is enabled for mls and disabled for targeted policies via the &lt;tt&gt;xserver-object-manager&lt;/tt&gt; boolean. Enabling this boolean also initialises the XSELinux OM extension. Important note - The boolean must be present in any policy and be set to &lt;tt&gt;true&lt;/tt&gt;, otherwise the object manager will be disabled as the code specifically checks for the boolean.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: &lt;tt&gt;'''libselinux'''&lt;/tt&gt; - This library provides the necessary interfaces between the OM, the SELinux userspace services (e.g. reading configuration information and providing the AVC), and kernel services (e.g. 
security server for access decisions and policy update notification).</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: &lt;tt&gt;'''libselinux'''&lt;/tt&gt; - This library provides the necessary interfaces between the OM, the SELinux userspace services (e.g. reading configuration information and providing the AVC), and kernel services (e.g. security server for access decisions and policy update notification).</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_XWIN&diff=1721&oldid=prev RichardHaines at 12:14, 8 December 2014 2014-12-08T12:14:11Z <p></p> <a href="http://selinuxproject.org/w/?title=NB_XWIN&amp;diff=1721&amp;oldid=1042">Show changes</a> RichardHaines http://selinuxproject.org/w/?title=NB_XWIN&diff=1042&oldid=prev Jaxelson at 21:06, 13 September 2010 2010-09-13T21:06:50Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 21:06, 13 September 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 277:</td> <td colspan="2" class="diff-lineno">Line 277:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 
1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;references/&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;references/&gt;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:Notebook]]</ins></div></td></tr> </table> Jaxelson http://selinuxproject.org/w/?title=NB_XWIN&diff=968&oldid=prev RichardHaines at 14:55, 18 May 2010 2010-05-18T14:55:33Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:55, 18 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 
264:</td> <td colspan="2" class="diff-lineno">Line 264:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Note that for systems using the Reference Policy all X-clients connecting remotely will be allocated a security context from the &lt;tt&gt;x_contexts&lt;/tt&gt; file of:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Note that for systems using the Reference Policy all X-clients connecting remotely will be allocated a security context from the &lt;tt&gt;x_contexts&lt;/tt&gt; file of:</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&lt;<del class="diffchange diffchange-inline">ref</del>&gt;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&lt;<ins class="diffchange 
diffchange-inline">pre</ins>&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># object_type object_name context</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># object_type object_name context</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>client * system_u:object_r:remote_t</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>client * system_u:object_r:remote_t</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_XWIN&diff=967&oldid=prev RichardHaines: /* SELinux X-Windows Support */ 2010-05-18T14:46:41Z <p>‎<span dir="auto"><span class="autocomment">SELinux X-Windows Support</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:46, 18 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 4:</td> <td colspan="2" 
class="diff-lineno">Line 4:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This section will only give a high level description of the infrastructure based on the [http://taiga.selinuxproject.org/~rhaines/diagrams/26-x-windows.png X-Server and XSELinux Object Manager] diagram, however the &quot;[http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf Application of the Flask Architecture to the X Window System Server]&quot; paper has a good overview of how the object manager (OM) has been implemented, although it does not cover areas such as polyinstantiation. There are also some sample X-widows applications for experimenting with policy in the Experimenting with X-Windows section of volume 2 (and also in the [[Experimenters_Corner | Experimenters Corner]] section). &#160;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>This section will only give a high level description of the infrastructure based on the [http://taiga.selinuxproject.org/~rhaines/diagrams/26-x-windows.png X-Server and XSELinux Object Manager] diagram, however the &quot;[http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf Application of the Flask Architecture to the X Window System Server]&quot; paper has a good overview of how the object manager (OM) has been implemented, although it does not cover areas such as polyinstantiation. There are also some sample X-widows applications for experimenting with policy in the Experimenting with X-Windows section of volume 2 (and also in the [[Experimenters_Corner | Experimenters Corner]] section). 
&#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The object classes and permissions are listed in the [[ObjectClassesPerms | X Windows Object Classes] section.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The object classes and permissions are listed in the [[ObjectClassesPerms | X Windows Object Classes<ins class="diffchange diffchange-inline">]</ins>] section.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td colspan="2" class="diff-lineno">Line 20:</td> <td colspan="2" class="diff-lineno">Line 20:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''XSELinux Object Manager''' - This is an X-extension for the X-server process that mediates all access decisions between the the X-server (via the XACE interface) and the SELinux security server (via &lt;tt&gt;libselinux&lt;/tt&gt;). The OM is initialised before any X-clients connect to the X-server. &#160;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''XSELinux Object Manager''' - This is an X-extension for the X-server process that mediates all access decisions between the the X-server (via the XACE interface) and the SELinux security server (via &lt;tt&gt;libselinux&lt;/tt&gt;). The OM is initialised before any X-clients connect to the X-server. 
&#160;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>: The OM has added X-protocol extensions to allow contexts to be set and retrieved by userspace SELinux-aware applications. These are shown in Table 1 and used in the Experimenting with X-Windows section <del class="diffchange diffchange-inline">of volume 2</del>.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>: The OM has added X-protocol extensions to allow contexts to be set and retrieved by userspace SELinux-aware applications. 
These are shown in Table 1 and used in the <ins class="diffchange diffchange-inline">[[Experimenters_Corner | </ins>Experimenting with X-Windows section<ins class="diffchange diffchange-inline">]]</ins>.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''XACE Interface''' - This is a standards based 'X Access Control Extension' (XACE) that can be used by other access control security extensions, not only SELinux. Note that if other security extensions are linked at the same time, then the X-function will only succeed if allowed by all the security extensions in the chain.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''XACE Interface''' - This is a standards based 'X Access Control Extension' (XACE) that can be used by other access control security extensions, not only SELinux. 
Note that if other security extensions are linked at the same time, then the X-function will only succeed if allowed by all the security extensions in the chain.</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 31:</td> <td colspan="2" class="diff-lineno">Line 31:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''Kernel-Space Services''' - These are discussed in the [[NB_LSM | Linux Security Module and SELinux]] section.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''Kernel-Space Services''' - These are discussed in the [[NB_LSM | Linux Security Module and SELinux]] section.</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 
88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td colspan="2" class="diff-lineno">Line 129:</td> <td colspan="2" class="diff-lineno">Line 128:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| WindowID</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| WindowID</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| List the contexts of properties associated with the selected WindowID.</div></td><td class='diff-marker'>&#160;</td><td 
style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| List the contexts of properties associated with the selected WindowID.</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">|}</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">{| border=&quot;1&quot;</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">! 
Function Name</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">! Minor Opcode</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">! Parameters</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">! 
Comments</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|-</div></td></tr> </table> RichardHaines http://selinuxproject.org/w/?title=NB_XWIN&diff=966&oldid=prev RichardHaines: New page: = SELinux X-Windows Support = The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources). The Refer... 2010-05-18T14:38:48Z <p>New page: = SELinux X-Windows Support = The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources). The Refer...</p> <p><b>New page</b></p><div>= SELinux X-Windows Support =<br /> The SELinux X-Windows (XSELinux) implementation provides fine grained access control over the majority of the X-server objects (known as resources). 
The Reference Policy modules have also been updated to enforce policy using the XSELinux object manager (OM).<br /> <br /> This section will only give a high level description of the infrastructure based on the [http://taiga.selinuxproject.org/~rhaines/diagrams/26-x-windows.png X-Server and XSELinux Object Manager] diagram, however the &quot;[http://www.nsa.gov/research/_files/selinux/papers/xorg07-paper.pdf Application of the Flask Architecture to the X Window System Server]&quot; paper has a good overview of how the object manager (OM) has been implemented, although it does not cover areas such as polyinstantiation. There are also some sample X-windows applications for experimenting with policy in the Experimenting with X-Windows section of volume 2 (and also in the [[Experimenters_Corner | Experimenters Corner]] section). <br /> <br /> The object classes and permissions are listed in the [[ObjectClassesPerms | X Windows Object Classes]] section.<br /> <br /> <br /> == Infrastructure Overview ==<br /> It is important to note that the X-windows OM operates on the low level window objects of the X-server. A window manager (such as Gnome or twm) then sits above this; however, neither the window manager nor the lower level Xlib is aware of the policy being enforced by SELinux. Therefore there can be situations where X-windows applications get bitter &amp; twisted at the denial of a service. 
This can result in either opening the policy more than desired, just letting the application keep aborting, or modifying the application.<br /> <br /> Using the [http://taiga.selinuxproject.org/~rhaines/diagrams/26-x-windows.png X-Server and XSELinux Object Manager] diagram, the major components that form the overall XSELinux OM are (top left to right):<br /> <br /> : '''The Policy''' - The Reference Policy has been updated to support the XSELinux OM and F-12 is now operational from policy version &lt;tt&gt;selinux-policy-3.6.32-100.fc12&lt;/tt&gt; for &lt;tt&gt;targeted&lt;/tt&gt; and &lt;tt&gt;mls&lt;/tt&gt; versions (Note that in F-12 the OM is enabled for mls and disabled for targeted policies via the &lt;tt&gt;xserver_object_manager&lt;/tt&gt; boolean).<br /> <br /> : &lt;tt&gt;'''libselinux'''&lt;/tt&gt; - This library provides the necessary interfaces between the OM, the SELinux userspace services (e.g. reading configuration information and providing the AVC), and kernel services (e.g. the security server for access decisions and policy update notification).<br /> <br /> : '''&lt;tt&gt;x_contexts&lt;/tt&gt; File''' - This contains context configuration information that is required by the OM for labeling certain objects. The OM reads its contents using the &lt;tt&gt;selabel_lookup&lt;/tt&gt; function.<br /> <br /> : '''XSELinux Object Manager''' - This is an X-extension for the X-server process that mediates all access decisions between the X-server (via the XACE interface) and the SELinux security server (via &lt;tt&gt;libselinux&lt;/tt&gt;). The OM is initialised before any X-clients connect to the X-server. <br /> <br /> : The OM has added X-protocol extensions to allow contexts to be set and retrieved by userspace SELinux-aware applications. 
These are shown in Table 1 and used in the Experimenting with X-Windows section of volume 2.<br /> <br /> : '''XACE Interface''' - This is a standards based 'X Access Control Extension' (XACE) that can be used by other access control security extensions, not only SELinux. Note that if other security extensions are linked at the same time, then the X-function will only succeed if allowed by all the security extensions in the chain.<br /> <br /> : The interface is defined in the &quot;[http://www.x.org/releases/X11R7.5/%20doc/security/XACE-Spec.pdf X Access Control Extension Specification]&quot;. This specification also defines the hooks available to OMs and how they should be used. The provision of polyinstantiation services for properties and selections is also discussed. The XACE interface is a similar service to the LSM that supports the kernel OMs.<br /> <br /> : '''X-server''' - This is the core X-windows server process that handles all requests and responses to/from X-clients using the X-protocol. The XSELinux OM intercepts these requests/responses via XACE and enforces policy decisions.<br /> <br /> : '''X-clients''' - These connect to the X-server and are typically window managers such as Gnome, twm or KDE. The default for F-12 is the Gnome desktop manager. <br /> <br /> : '''Kernel-Space Services''' - These are discussed in the [[NB_LSM | Linux Security Module and SELinux]] section.<br /> <br /> <br /> <br /> {| border=&quot;1&quot;<br /> ! Function Name<br /> ! Minor Opcode<br /> ! Parameters<br /> ! Comments<br /> <br /> |-<br /> | SELinuxQueryVersion<br /> | &lt;center&gt;0&lt;/center&gt;<br /> | None<br /> | Returns the XSELinux version. 
F-12 returns 1.0<br /> <br /> |-<br /> | SELinuxSetDeviceCreateContext<br /> | &lt;center&gt;1&lt;/center&gt;<br /> | Context+Len<br /> | This is used by SELinux-aware applications for setting the context on device data.<br /> <br /> |-<br /> | SELinuxGetDeviceCreateContext<br /> | &lt;center&gt;2&lt;/center&gt;<br /> | None<br /> | Get the context set on the device data. This is for use by SELinux-aware applications.<br /> <br /> |-<br /> | SELinuxSetDeviceContext<br /> | &lt;center&gt;3&lt;/center&gt;<br /> | DeviceID + Context+Len<br /> | This is used by SELinux-aware applications for setting the context on selected &lt;tt&gt;x_device&lt;/tt&gt; object.<br /> <br /> |-<br /> | SELinuxGetDeviceContext<br /> | &lt;center&gt;4&lt;/center&gt;<br /> | DeviceID<br /> | Get context of the selected &lt;tt&gt;x_device&lt;/tt&gt; object.<br /> <br /> |-<br /> | SELinuxSetWindowCreateContext<br /> | &lt;center&gt;5&lt;/center&gt;<br /> | Context+Len<br /> | This is used by SELinux-aware applications for setting the context on windows data.<br /> <br /> |-<br /> | SELinuxGetWindowCreateContext<br /> | &lt;center&gt;6&lt;/center&gt;<br /> | None<br /> | Get the context set on the window data. This is for use by SELinux-aware applications.<br /> <br /> |-<br /> | SELinuxGetWindowContext<br /> | &lt;center&gt;7&lt;/center&gt;<br /> | WindowID<br /> | Get the process context that this window is running under (&lt;tt&gt;x_drawable&lt;/tt&gt; object ??)<br /> <br /> |-<br /> | SELinuxSetPropertyCreateContext<br /> | &lt;center&gt;8&lt;/center&gt;<br /> | Context+Len<br /> | This is used by SELinux-aware applications for setting the context on property data.<br /> <br /> |-<br /> | SELinuxGetPropertyCreateContext<br /> | &lt;center&gt;9&lt;/center&gt;<br /> | None<br /> | Get the context set on the property data. 
This is for use by SELinux-aware applications.<br /> <br /> |-<br /> | SELinuxSetPropertyUseContext<br /> | &lt;center&gt;10&lt;/center&gt;<br /> | Context+Len<br /> | This is for use by SELinux-aware applications for setting the context on the property object itself.<br /> <br /> |-<br /> | SELinuxGetPropertyUseContext<br /> | &lt;center&gt;11&lt;/center&gt;<br /> | None<br /> | Get the property object context. This is for use by SELinux-aware applications.<br /> <br /> |-<br /> | SELinuxGetPropertyContext<br /> | &lt;center&gt;12&lt;/center&gt;<br /> | WindowID + AtomID<br /> | Get context of the &lt;tt&gt;x_property&lt;/tt&gt; object.<br /> <br /> |-<br /> | SELinuxGetPropertyDataContext<br /> | &lt;center&gt;13&lt;/center&gt;<br /> | WindowID + AtomID<br /> | Get the context of the property data. This could be the policy default or that set by the &lt;tt&gt;SELinuxSetPropertyCreateContext&lt;/tt&gt; (9) function. <br /> <br /> |-<br /> | SELinuxListProperties<br /> | &lt;center&gt;14&lt;/center&gt;<br /> | WindowID<br /> | List the contexts of properties associated with the selected WindowID.<br /> <br /> |}<br /> <br /> {| border=&quot;1&quot;<br /> ! Function Name<br /> ! Minor Opcode<br /> ! Parameters<br /> ! Comments<br /> <br /> |-<br /> | SELinuxSetSelectionCreateContext<br /> | &lt;center&gt;15&lt;/center&gt;<br /> | Context+Len<br /> | This is used by SELinux-aware applications for setting the context on selected data.<br /> <br /> |-<br /> | SELinuxGetSelectionCreateContext<br /> | &lt;center&gt;16&lt;/center&gt;<br /> | None<br /> | Get the context set on the selected data. 
This is for use by SELinux-aware applications.<br /> <br /> |-<br /> | SELinuxSetSelectionUseContext<br /> | &lt;center&gt;17&lt;/center&gt;<br /> | Context+Len<br /> | This is for use by SELinux-aware applications for setting the context on the selection object itself.<br /> <br /> |-<br /> | SELinuxGetSelectionUseContext<br /> | &lt;center&gt;18&lt;/center&gt;<br /> | None<br /> | Get the selection object context. This is for use by SELinux-aware applications.<br /> <br /> |-<br /> | SELinuxGetSelectionContext<br /> | &lt;center&gt;19&lt;/center&gt;<br /> | AtomID<br /> | Get context of the &lt;tt&gt;x_selection&lt;/tt&gt; object.<br /> <br /> |-<br /> | SELinuxGetSelectionDataContext<br /> | &lt;center&gt;20&lt;/center&gt;<br /> | AtomID<br /> | Get the context of the selected data. This could be the policy default or that set by the &lt;tt&gt;SELinuxSetSelectionCreateContext&lt;/tt&gt; (15) function. <br /> <br /> |-<br /> | SELinuxListSelections<br /> | &lt;center&gt;21&lt;/center&gt;<br /> | None<br /> | List the selection atoms for this display. The main difference in the listings is that when the &lt;tt&gt;PRIMARY&lt;/tt&gt; selection atom is polyinstantiated, multiple entries can be returned. 
One has the context of the atom itself, and there is one entry for each process (or x-client) that has an active polyinstantiated entry, for example:<br /> <br /> Atom: PRIMARY - label defined in the &lt;tt&gt;x_contexts&lt;/tt&gt; file (this is also for non-poly listing):<br /> <br /> Object Context: system_u:object_r:primary_xselection_t<br /> Data Context: system_u:object_r:primary_xselection_t<br /> <br /> Atom: PRIMARY - Labels for client 1:<br /> <br /> Object Context: system_u:object_r:x_select_paste1_t<br /> Data Context: system_u:object_r:x_select_paste1_t<br /> <br /> Atom: PRIMARY - Labels for client 2:<br /> <br /> Object Context: system_u:object_r:x_select_paste2_t<br /> Data Context: system_u:object_r:x_select_paste2_t<br /> <br /> |-<br /> | SELinuxGetClientContext<br /> | &lt;center&gt;22&lt;/center&gt;<br /> | ResourceID<br /> | This function will return the process context any valid X resource ID is running under (or the &lt;tt&gt;x_client&lt;/tt&gt; object ?).<br /> <br /> |}<br /> ''Table 1: The XSELinux Functions - Supported by the object manager as X-protocol extensions. Note that some functions will return the default contexts, while others (2, 6, 9, 11, 16, 18) will not return a value unless one has been set by the appropriate function (1, 5, 8, 10, 15, 17) by an SELinux-aware application.''<br /> <br /> <br /> === Polyinstantiation ===<br /> The OM / XACE services support polyinstantiation of properties and selections as these form the InterClient Communication (ICC) that allows X-clients to communicate and exchange information. This allows properties and selections to be grouped into different membership areas so that one group does not know of the existence of the others. 
To implement polyinstantiation the &lt;tt&gt;poly_&lt;/tt&gt; keyword is required in the [[PolicyConfigurationFiles#contexts.2Fx_contexts_File | x_contexts file]] for the required selections and/or properties; there is then a corresponding [[TypeRules#type_member_Statement | type_member rule]] in the policy to enforce the separation.<br /> <br /> The Experimenting with X-Windows section in volume 2 has examples of using polyinstantiation for selections and then comparing the results to non-polyinstantiated cases.<br /> <br /> Note that the current Reference Policy (build 20091117) does not implement polyinstantiation; instead the MLS policy version uses the [[MLSStatements#mlsconstrain_Statement | mlsconstrain statement]] to limit the scope of these.<br /> <br /> <br /> == Configuration Information ==<br /> This section covers:<br /> <br /> * How to determine the OM X-extension opcode.<br /> * How to configure the OM in permissive mode.<br /> * How to disable the OM when using the Reference policy.<br /> * The &lt;tt&gt;x_contexts&lt;/tt&gt; configuration file.<br /> * The OM's &lt;tt&gt;SELinuxGet/Set..&lt;/tt&gt; functions (shown in Table 1).<br /> <br /> === Determine OM X-extension Opcode ===<br /> The object manager is treated as an X-server extension and its major opcode can be queried using the Xlib &lt;tt&gt;XQueryExtension&lt;/tt&gt; function as follows:<br /> &lt;pre&gt;<br /> // Get the SELinux Extension opcode.<br /> // Assumes dpy is an open Display * (from XOpenDisplay) and<br /> // opcode, event and error are ints that XQueryExtension fills in.<br /> if (!XQueryExtension (dpy, &quot;SELinux&quot;, &amp;opcode, &amp;event, &amp;error)) {<br /> /* XQueryExtension does not set errno, so report the failure directly */<br /> fprintf (stderr, &quot;XSELinux extension not available\n&quot;);<br /> exit (1);<br /> }<br /> else<br /> printf (&quot;XQueryExtension for XSELinux Extension - Opcode: %d Events: %d Error: %d\n&quot;, opcode, event, error);<br /> // Have XSELinux Object Manager<br /> &lt;/pre&gt;<br /> <br /> === Configure OM in Permissive Mode ===<br /> If the X-server object manager needs to be run in permissive mode the following entry can be added to the 
&lt;tt&gt;xorg.conf&lt;/tt&gt; file (normally in &lt;tt&gt;/etc&lt;/tt&gt;):<br /> &lt;pre&gt;<br /> Section &quot;Module&quot;<br /> SubSection &quot;extmod&quot;<br /> Option &quot;SELinux mode permissive&quot;<br /> EndSubSection<br /> EndSection<br /> &lt;/pre&gt;<br /> <br /> === Disable the OM ===<br /> The Reference Policy has a boolean that can be used to disable the x-server object manager if it is not required:<br /> &lt;pre&gt;<br /> setsebool -P xserver_object_manager false <br /> &lt;/pre&gt;<br /> <br /> === The x_contexts File ===<br /> The &lt;tt&gt;x_contexts&lt;/tt&gt; file contains labels and initial context information that is required by the OM to initialise the service and then to label objects as they are created. The policy will also need to be aware of the context information being used as it will use this to enforce policy or transition to a new context. A typical entry is as follows:<br /> &lt;pre&gt;<br /> # object_type object_name context<br /> selection PRIMARY system_u:object_r:clipboard_xselection_t<br /> &lt;/pre&gt;<br /> or for polyinstantiation support:<br /> &lt;pre&gt;<br /> # object_type object_name context<br /> poly_selection PRIMARY system_u:object_r:clipboard_xselection_t<br /> &lt;/pre&gt;<br /> <br /> The &lt;tt&gt;object_name&lt;/tt&gt; can contain '&lt;tt&gt;*&lt;/tt&gt;' for 'any' or '&lt;tt&gt;?&lt;/tt&gt;' for 'substitute'.<br /> <br /> The OM uses the &lt;tt&gt;selabel&lt;/tt&gt; functions (such as &lt;tt&gt;selabel_lookup&lt;/tt&gt;) that are a part of &lt;tt&gt;libselinux&lt;/tt&gt; (see the [[LibselinuxAPISummary | libselinux API]] section) to fetch the relevant information from the &lt;tt&gt;x_contexts&lt;/tt&gt; file.<br /> <br /> The valid &lt;tt&gt;object_type&lt;/tt&gt; entries are &lt;tt&gt;client&lt;/tt&gt;, &lt;tt&gt;property&lt;/tt&gt;, &lt;tt&gt;poly_property&lt;/tt&gt;, &lt;tt&gt;extension&lt;/tt&gt;, &lt;tt&gt;selection&lt;/tt&gt;, &lt;tt&gt;poly_selection&lt;/tt&gt; and 
&lt;tt&gt;events&lt;/tt&gt;.<br /> <br /> The &lt;tt&gt;object_name&lt;/tt&gt; entries can be any valid X-server resource name that is defined in the X-server source code and can typically be found in the &lt;tt&gt;protocol.txt&lt;/tt&gt; and &lt;tt&gt;BuiltInAtoms&lt;/tt&gt; source files (in the &lt;tt&gt;dix&lt;/tt&gt; directory of the &lt;tt&gt;xorg-server&lt;/tt&gt; source package), or user generated via the Xlib libraries (e.g. &lt;tt&gt;XInternAtom&lt;/tt&gt;). Note that if an &lt;tt&gt;object_name&lt;/tt&gt; has both poly and non-poly entries in the file, the non-poly entry takes precedence (i.e. the poly entry is ignored by the OM).<br /> <br /> Note that for systems using the Reference Policy all X-clients connecting remotely will be allocated a security context from the &lt;tt&gt;x_contexts&lt;/tt&gt; file of:<br /> &lt;pre&gt;<br /> # object_type object_name context<br /> client * system_u:object_r:remote_t<br /> &lt;/pre&gt;<br /> The [[Experimenters_Corner | Experimenters Corner]] section has examples of adding additional entries to the &lt;tt&gt;x_contexts&lt;/tt&gt; file.<br /> <br /> A full description of the &lt;tt&gt;x_contexts&lt;/tt&gt; file format is given in the [[PolicyConfigurationFiles#contexts.2Fx_contexts_File | contexts/x_contexts File]] section.<br /> <br /> <br /> <br /> <br /> ----<br /> &lt;references/&gt;</div> RichardHaines