[V3] [PATCH 1/1] XSELinux: When SELinux is enabled the xserver seg faults

Richard Haines richard_c_haines at btinternet.com
Thu Jul 5 09:44:41 PDT 2012


This patch was created using xorg-server-1.12.2 source.

When using Fedora 17 with xorg-server-1.12.2 and SELinux is enabled
('setsebool xserver_object_manager on') the xserver will not load. The 
Xlog file has a seg fault pointing to XACE/SELinux. Bug 50641 was raised
(https://bugs.freedesktop.org/show_bug.cgi?id=50641).

The bug is caused by X calling XaceHook(XACE_DEVICE_ACCESS, client, ...)
with a device ID of '1' that is XIAllMasterDevices. It would also happen if
the device ID = 0 (XIAllDevices).

The fix is to return if device is XIAll*Devices and let the permission be
determined when a real device ID is presented.

Signed-off-by: Richard Haines <richard_c_haines at btinternet.com>
---
 Xext/xselinux_hooks.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index e9c7e93..82d3892 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -336,7 +336,15 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, subjectKey);
-    obj = dixLookupPrivate(&rec->dev->devPrivates, objectKey);
+    /*
+     * The XIAllMasterDevices or XIAllDevices do not have devPrivates
+     * entries. If they are requested we just return as each device access
+     * will be checked individually.
+     */
+    if (rec->dev->id != XIAllDevices && rec->dev->id != XIAllMasterDevices)
+        obj = dixLookupPrivate(&rec->dev->devPrivates, objectKey);
+    else 
+        return;
 
     /* If this is a new object that needs labeling, do it now */
     if (rec->access_mode & DixCreateAccess) {
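Review bot: the new `else return;` branch leaves the hook without any SELinux check or audit record for XIAllDevices and XIAllMasterDevices, so the request is effectively allowed by this hook on the strength of the comment's claim that "each device access will be checked individually". That later per-device check is not visible in this hunk. Please name in the comment (or the commit message) the call path that re-invokes XACE_DEVICE_ACCESS with a real device ID, so it is clear this does not open a path around the MAC check. As a style point, the test reads more clearly as an early exit, `if (rec->dev->id == XIAllDevices || rec->dev->id == XIAllMasterDevices) return;`, followed by the original unconditional `obj = dixLookupPrivate(...)` line. That keeps `obj` visibly assigned on every path that continues and drops the trailing whitespace after `else`.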
-- 
1.7.10.4


