Re: SELinux mystery

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Smith wrote:
> Last week, I was doing an X server update and I wanted to test the
> config. I wanted to run X as a normal user, so (logged in as root) I did
> this:
> 
> # (su - joe -c "xinit -- :1 >x.log.my 2>&1")
> 
> Some time after that (I think it was the next day, after a reboot), I
> got a flag from setroubleshoot:
> 
> Nov  6 21:25:09 duros setroubleshoot: SELinux is preventing the
> /sbin/modprobe from using potentially mislabeled files
> (/home/joe/x.log.my). For complete SELinux messages. run ...
> 
> At the time, I just removed the log file (I didn't need it anymore) and
> forgot about it, but it kept bugging me:
> 
> Why was this flagged as an access problem? The file was not owned by
> root--it was created under a normal user's environment.
> 
> What was modprobe doing (or trying to do) with a file in a user's home
> directory?
> 
> Hmmm...
> 
> <Joe
> 
You redirected stdout/stderr to a file labeled user_home_t and started
the X server.  From that point on every app that starts by default gets its
stdout/stderr redirected to user_home_t.  The kernel checks when
confined apps start up whether they have read/write access to all open
file descriptors including stderr/stdout.  So eventually modprobe gets
executed while in your X session.  The kernel sees that you need
read/write to user_home_t, and it says that is not allowed, generating
the AVC.  The kernel then closes the file descriptor and reopens
stderr/stdout to /dev/null.  So you can safely ignore this AVC.
modprobe was not trying to do anything evil.  This is the most common
source of AVCs in SELinux and something we would like to be able to
eliminate.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHOx8xrlYvE4MpobMRAmonAKC1Oe961GlU582IL8UrQ08jNCr+LQCg3lf2
Ze7mAE7/g1I1wZZHbTvSSy4=
=oA5s
-----END PGP SIGNATURE-----
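The inheritance chain described in the reply above, as an added example that is not part of this thread and not Fedora or SELinux code. It is Linux-only (it reads /proc/<pid>/fd) and needs no SELinux: a "session" child sends its stdout into a log file the way `xinit ... >x.log.my` did, then launches a helper through /bin/sh, and the helper reports whether its fd 1 still refers to that log file. scrub_stdio() performs in user space the /dev/null substitution the reply attributes to the kernel; doing that yourself before launching a confined helper is also how you avoid the AVC in the first place. The function names, the helper command, and the /tmp temp-file path are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resolve what descriptor fd currently refers to via /proc (Linux only). */
int fd_target(int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Point stdin/stdout/stderr at /dev/null. This is a user-space copy of the
   substitution the reply describes the kernel doing at exec time when the
   confined domain may not use the inherited descriptor. Scrubbing before
   you launch a helper means the kernel never has to, so no AVC is logged. */
int scrub_stdio(void)
{
    int nul = open("/dev/null", O_RDWR);
    if (nul < 0)
        return -1;
    for (int fd = 0; fd < 3; fd++)
        if (dup2(nul, fd) < 0)
            return -1;
    if (nul > 2)
        close(nul);
    return 0;
}

/* Re-create the thread's scenario without SELinux: a "session" child sends
   its stdout into logpath, optionally scrubs stdio, then execs a helper via
   /bin/sh. The helper inspects its own fd 1 through /proc and exits 0 if
   it still points at the log file. Returns 1 if the helper inherited the
   log file, 0 if it did not, -1 on error. */
int helper_inherits_log(const char *logpath, int scrub)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int log = open(logpath, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (log < 0 || dup2(log, STDOUT_FILENO) < 0)
            _exit(2);
        close(log);

        char resolved[PATH_MAX]; /* fd 1 as the kernel reports it, symlinks resolved */
        if (fd_target(STDOUT_FILENO, resolved, sizeof resolved) < 0)
            _exit(2);
        if (scrub && scrub_stdio() < 0)
            _exit(2);

        /* $$ keeps the outer shell's pid inside the $(...) subshell, so
           /proc/$$/fd/1 is the helper's real stdout, not the substitution pipe. */
        execl("/bin/sh", "sh", "-c",
              "test \"$(readlink /proc/$$/fd/1)\" = \"$1\"", "sh", resolved,
              (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

/* Run the scenario against a fresh temporary log file and clean up.
   Using /tmp for the temp file is an assumption of this example. */
int run_scenario(int scrub)
{
    char path[] = "/tmp/x.log.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    int result = helper_inherits_log(path, scrub);
    unlink(path);
    return result;
}

int main(void)
{
    printf("stdio inherited as-is: helper holds the log file = %d\n", run_scenario(0));
    printf("stdio scrubbed first:  helper holds the log file = %d\n", run_scenario(1));
    return 0;
}
```

Build with `cc -Wall fdleak.c -o fdleak && ./fdleak`. The first line reports 1 (the helper still holds the session's log file, which is the situation that produced the denial in the thread), the second reports 0. The same scrub applies to any long-lived process that spawns privileged or confined helpers: close or redirect every descriptor you did not mean to hand down before exec.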

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list