[rsbac] X with rsbac
Sheplyakov Alexei
varg at thsun1.jinr.ru
Thu Apr 1 16:32:00 CEST 2004
On Thu, Apr 01, 2004 at 08:44:34AM -0400, webby wrote:
> I tried to run X with rsbac, but got an error.
>
> (**) RgbPath set to "/usr/X11R6/lib/X11/rgb"
> (==) ModulePath set to "/usr/X11R6/lib/modules"
> (WW) xf86ReadBIOS: Failed to open /dev/mem (Operation not permitted)
> (--) using VT number 7
>
> (II) Open APM successful
>
> Fatal server error:
> xf86EnableIOPorts: Failed to set IOPL for I/O
>
[snipped]
> in my /var/log/messages
> Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request GET_STATUS_DATA,
> pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid kmem, attr
> none, value 0, result NOT_GRANTED by GEN RC ACL
> Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request
> MODIFY_PERMISSIONS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000,
> target_type SCD, tid ioports, attr none, value 0, result NOT_GRANTED by GEN
> RC ACL
>
> What can I do to have X running with my kernel?

Create a role "X server" (you may just copy the role System Admin)
and give it the necessary permissions:
  MODIFY_PERMISSIONS_DATA for SCD ioports target,
  GET_STATUS_DATA for SCD kmem target.
(and some more, probably; you can guess it from logs)
Then set rc_force_role for your X server binary to "X server".

Note:
1) you can do the same thing in many other ways,
2) there is a special switch in the RSBAC-relevant part of kernel.config
   (something like "Enable X", sorry, I don't remember exactly)
   which sets default SCD permissions properly (from the point of view
   of the X server).
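
Added example, not part of the original post and not RSBAC project code: a small Python parser that turns rsbac_adf_request() denial lines into the list of (target type, target, request) entries a program was refused, which is the "guess it from logs" step in the reply above. The sample log is constructed from the two lines quoted in the post (unwrapped, one repeated) plus one made-up non-RSBAC line; the function name denied_requests is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the post, each on one
# line, a repeat of the first, and a made-up line the parser must ignore.
SAMPLE_LOG = """\
Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request GET_STATUS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid kmem, attr none, value 0, result NOT_GRANTED by GEN RC ACL
Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request MODIFY_PERMISSIONS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid ioports, attr none, value 0, result NOT_GRANTED by GEN RC ACL
Mar 31 16:15:39 slack kernel: rsbac_adf_request(): request GET_STATUS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid kmem, attr none, value 0, result NOT_GRANTED by GEN RC ACL
Mar 31 16:15:40 slack sshd[411]: constructed non-RSBAC line
"""

# Field layout taken from the log lines quoted in the post.
LINE_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), .*?"
    r"prog_name (?P<prog>[^,]+), .*?"
    r"target_type (?P<ttype>\w+), tid (?P<tid>.+?), attr .*?"
    r"result (?P<result>\w+) by (?P<modules>.+)$"
)


def denied_requests(log_text, prog_name):
    """Map (target_type, tid) -> {request: [modules named in the result field]}
    for every NOT_GRANTED line logged for prog_name. Repeats are merged."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "NOT_GRANTED" or m["prog"] != prog_name:
            continue
        needed[(m["ttype"], m["tid"])][m["request"]].update(m["modules"].split())
    return {
        target: {req: sorted(mods) for req, mods in reqs.items()}
        for target, reqs in needed.items()
    }


if __name__ == "__main__":
    # Print one line per denied request, grouped by target.
    for (ttype, tid), reqs in denied_requests(SAMPLE_LOG, "X").items():
        for req, mods in reqs.items():
            print(f"{ttype} {tid}: {req} (result field names: {' '.join(mods)})")
```

Re-run it against /var/log/messages after each policy change and grant only what still shows up, so the "X server" role ends up with the requests X was actually refused rather than a full copy of an administrative role.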