I have a SUSE 11 SP3 system with a customized SELinux policy installed and in enforcing mode.
My kernel version is:
uname -a
Linux WUH1000070872 3.0.76-0.11-default #1 SMP Fri Jun 14 08:21:43 UTC 2013 (ccab990) x86_64 x86_64 x86_64 GNU/Linux
When I run startx, it fails, and in the Xorg.0.log it reports the following:
xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
In /var/log/audit/audit.log, I get the following:
type=AVC msg=audit(1482486805.380:10): avc: denied { 0x20 } for pid=6670 comm="X" capability=37 scontext=system_u:unconfined_r:unconfined_t:s0:c0 tcontext=system_u:unconfined_r:unconfined_t:s0:c0 tclass=capability2
But actually the rules are there:
sesearch -s unconfined_t -t unconfined_t -ccapability2 --allow
Found 2 semantic av rules:
allow common_domain unconfined_t : capability2 { mac_override mac_admin syslog wake_alarm block_suspend audit_read } ;
allow unconfined_t unconfined_t : capability2 { mac_override mac_admin syslog wake_alarm block_suspend audit_read } ;
My policy is as follows:
type unconfined_t, common_domain, file_type;
allow common_domain unconfined_t:capability2 *;
I have granted every permission, but the access is still denied. What is the problem? And the error "avc: denied { 0x20 }" is confusing; there should be a permission string here instead of a number. How do I fix it?
It seems that my kernel may need a patch to fix this problem. On another Linux machine with kernel version 3.0.101-0.47.86-default, with the same policy enforced, X Window can start.
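The denial in the question can be decoded mechanically. The Python script below is an added example, not part of the original question: it parses the AVC line quoted above, maps the raw hex permission mask to a name using the capability2 bit order shown in the sesearch output (bit 0 = mac_override through bit 5 = audit_read), names the capability number according to upstream linux/capability.h (assumed to match the SUSE kernel's numbering), and checks the decoded permission against the set of permissions sesearch reports as allowed. The helper names (parse_avc, decode_perms, analyse) are my own.

```python
import re

# Bit order of the capability2 permissions as the policy declares them, taken from the
# order printed in the sesearch output above (bit 0 = mac_override, ..., bit 5 = audit_read).
CLASS_PERM_ORDER = {
    "capability2": ["mac_override", "mac_admin", "syslog", "wake_alarm",
                    "block_suspend", "audit_read"],
}

# Capability numbers from upstream linux/capability.h for the capability2 range (32..37).
# Assumption: the SUSE kernel numbers them the same way.
CAP_NAMES = {
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG",
    35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC denial line into its permission tokens and its key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial line")
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def decode_perms(tclass, tokens):
    """Resolve permission tokens to names.

    The kernel prints a raw hex mask such as 0x20 when its built-in permission name
    table has no entry for that bit, so such tokens are mapped through the policy's
    declared bit order instead. Bits beyond the known list are reported as unknown.
    """
    names = []
    order = CLASS_PERM_ORDER.get(tclass, [])
    for tok in tokens:
        if not tok.startswith("0x"):
            names.append(tok)
            continue
        mask = int(tok, 16)
        for bit, name in enumerate(order):
            if mask & (1 << bit):
                names.append(name)
                mask &= ~(1 << bit)
        if mask:
            names.append("unknown:0x%x" % mask)
    return names


def analyse(line, allowed):
    """Decode one denial and compare it with the permissions sesearch says are allowed."""
    rec = parse_avc(line)
    perms = decode_perms(rec["tclass"], rec["perms"])
    cap = int(rec["capability"]) if "capability" in rec else None
    # For capability2, permission bit N corresponds to capability number 32 + N;
    # check that the capability= field and the decoded permission agree.
    consistent = None
    if cap is not None and rec["tclass"] == "capability2":
        order = CLASS_PERM_ORDER["capability2"]
        idx = cap - 32
        consistent = 0 <= idx < len(order) and order[idx] in perms
    return {
        "pid": rec.get("pid"),
        "comm": rec.get("comm"),
        "capability": cap,
        "cap_name": CAP_NAMES.get(cap),
        "perms": perms,
        "consistent": consistent,
        "granted_by_policy": all(p in allowed for p in perms),
    }


# Constructed from the denial and the sesearch output quoted in the question.
DENIAL = ('type=AVC msg=audit(1482486805.380:10): avc: denied { 0x20 } for pid=6670 comm="X" '
          'capability=37 scontext=system_u:unconfined_r:unconfined_t:s0:c0 '
          'tcontext=system_u:unconfined_r:unconfined_t:s0:c0 tclass=capability2')
ALLOWED = {"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read"}

if __name__ == "__main__":
    print(analyse(DENIAL, ALLOWED))
```

For the quoted line the decoder resolves 0x20 to audit_read, which agrees with capability=37 (CAP_AUDIT_READ in the upstream numbering) and is in the set sesearch lists as allowed. A permission that the loaded policy names but the kernel prints only as a number is the thing to look at when comparing the two kernels: the mapping from mask bit to name depends on the policy and the running kernel agreeing on the class's permission list, which this script assumes.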