[rsbac] X with rsbac

Sheplyakov Alexei varg at thsun1.jinr.ru
Thu Apr 1 16:32:00 CEST 2004


On Thu, Apr 01, 2004 at 08:44:34AM -0400, webby wrote:
> I tried to run X with rsbac, but got an error. 
> 
> (**) RgbPath set to "/usr/X11R6/lib/X11/rgb"
> (==) ModulePath set to "/usr/X11R6/lib/modules"
> (WW) xf86ReadBIOS: Failed to open /dev/mem (Operation not permitted)
> (--) using VT number 7
> 
> (II) Open APM successful
> 
> Fatal server error:
> xf86EnableIOPorts: Failed to set IOPL for I/O
> 

[snipped]

> in my /var/log/messages
> Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request GET_STATUS_DATA, 
> pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid kmem, attr 
> none, value 0, result NOT_GRANTED by GEN RC ACL
> Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request 
> MODIFY_PERMISSIONS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000, 
> target_type SCD, tid ioports, attr none, value 0, result NOT_GRANTED by GEN 
> RC ACL
> 
> What can I do to have x running with my kernel?

Create a role "X server" (you may just copy the role System Admin)
and give it the necessary permissions:

MODIFY_PERMISSIONS_DATA for SCD ioports target,
GET_STATUS_DATA for SCD kmem target.

(and some more, probably; you can guess it from logs)

Then set rc_force_role for your X server binary to "X server".

Note: 
 
 1) you can do the same thing in many other ways,
 2) there is a special switch in the RSBAC-relevant part of kernel.config
 (something like "Enable X", sorry, I don't remember exactly)
 which sets default SCD permissions properly (from the point of view
 of the X server).
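
The reply suggests reading the remaining rights off the log. As an added example (not part of the original message), this Python script collects the NOT_GRANTED decisions from rsbac_adf_request() lines into a de-duplicated list of program, target type, target and request. The regular expression assumes the field layout of the two log lines quoted above; the function and variable names are made up for this example.

```python
import re

# rsbac_adf_request() log lines. The first two are the denials quoted in the
# message (unwrapped); the third is a constructed repeat, wrapped across lines
# the way a mail client wraps it; the fourth is constructed non-RSBAC noise.
SAMPLE_LOG = """\
Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request GET_STATUS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid kmem, attr none, value 0, result NOT_GRANTED by GEN RC ACL
Mar 31 16:15:38 slack kernel: rsbac_adf_request(): request MODIFY_PERMISSIONS_DATA, pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid ioports, attr none, value 0, result NOT_GRANTED by GEN RC ACL
Mar 31 16:15:39 slack kernel: rsbac_adf_request(): request GET_STATUS_DATA,
pid 3422, ppid 3421, prog_name X, uid 1000, target_type SCD, tid kmem, attr
none, value 0, result NOT_GRANTED by GEN RC ACL
Mar 31 16:15:40 slack kernel: eth0: link up
"""

# Field layout assumed from the quoted log lines.
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\w+), "
    r"pid (?P<pid>\d+), ppid (?P<ppid>\d+), prog_name (?P<prog>[^,]+), "
    r"uid (?P<uid>\d+), target_type (?P<ttype>\w+), tid (?P<tid>[^,]+), "
    r"attr [^,]+, value [^,]+, "
    r"result (?P<result>[A-Z_]+) by (?P<modules>[A-Z]+\b(?: [A-Z]+\b)*)"
)


def denied_rights(log_text):
    """Return sorted unique (prog_name, target_type, tid, request) tuples
    for every decision whose result is NOT_GRANTED."""
    # Collapse all whitespace so records wrapped over several lines still match.
    flat = " ".join(log_text.split())
    denied = set()
    for m in ADF_RE.finditer(flat):
        if m["result"] == "NOT_GRANTED":
            denied.add((m["prog"], m["ttype"], m["tid"], m["request"]))
    return sorted(denied)


if __name__ == "__main__":
    for prog, ttype, tid, request in denied_rights(SAMPLE_LOG):
        print(f"{prog}: {request} on {ttype} {tid}")
```

Each line of output is a candidate right for the role, to be reviewed before it is granted; a denial in the log only shows that the program asked.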



