Re: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).

On 08/12/2009 07:53 PM, Richard Chapman wrote:
> I am running Centos 5.3 in permissive mode - and recently I started
> getting 4 avcs every time I boot the server. I am not sure - but I think
> these might have started when I changed my desktop from Gnome to KDE. I
> have tried the relabelling suggested in the AVC - but this hasn't fixed it.
> Does it look like I have something set up wrong - or is there a policy
> problem?
> Richard.
> 
> 
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> 
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
> 
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
> 
> Source Context:       system_u:system_r:rhgb_t
> Target Context:       system_u:object_r:initrc_tmp_t
> Target Objects:       ./.X11-unix [ dir ]
> Source:       setxkbmap
> Source Path:       /usr/bin/setxkbmap
> Port:       <Unknown>
> Host:       C5.aardvark.com.au
> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
> Selinux Enabled:       True
> Policy Type:       targeted
> MLS Enabled:       True
> Enforcing Mode:       Permissive
> Plugin Name:       home_tmp_bad_labels
> Host Name:       C5.aardvark.com.au
> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
> Alert Count:       34
> First Seen:       Sun Jan 11 17:55:13 2009
> Last Seen:       Mon Aug 10 18:13:15 2009
> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:     
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="setxkbmap" exe="/usr/bin/setxkbmap"
> subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="setxkbmap" exe="/usr/bin/setxkbmap"
> subj=system_u:system_r:rhgb_t:s0 key=(null)
> 
> 
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> 
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
> 
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
> 
> Source Context:       system_u:system_r:rhgb_t
> Target Context:       system_u:object_r:initrc_tmp_t
> Target Objects:       ./.X11-unix [ dir ]
> Source:       setxkbmap
> Source Path:       /usr/bin/setxkbmap
> Port:       <Unknown>
> Host:       C5.aardvark.com.au
> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
> Selinux Enabled:       True
> Policy Type:       targeted
> MLS Enabled:       True
> Enforcing Mode:       Permissive
> Plugin Name:       home_tmp_bad_labels
> Host Name:       C5.aardvark.com.au
> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
> Alert Count:       35
> First Seen:       Sun Jan 11 17:55:13 2009
> Last Seen:       Mon Aug 10 18:13:16 2009
> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:     
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> 
> 
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> 
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
> 
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
> 
> Source Context:       system_u:system_r:rhgb_t
> Target Context:       system_u:object_r:initrc_tmp_t
> Target Objects:       ./.X11-unix [ dir ]
> Source:       setxkbmap
> Source Path:       /usr/bin/setxkbmap
> Port:       <Unknown>
> Host:       C5.aardvark.com.au
> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
> Selinux Enabled:       True
> Policy Type:       targeted
> MLS Enabled:       True
> Enforcing Mode:       Permissive
> Plugin Name:       home_tmp_bad_labels
> Host Name:       C5.aardvark.com.au
> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
> Alert Count:       36
> First Seen:       Sun Jan 11 17:55:13 2009
> Last Seen:       Mon Aug 10 18:13:17 2009
> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:     
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13
> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13
> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> 
> 
> 
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> 
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
> 
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
> 
> Source Context:       system_u:system_r:rhgb_t
> Target Context:       system_u:object_r:initrc_tmp_t
> Target Objects:       ./.X11-unix [ dir ]
> Source:       setxkbmap
> Source Path:       /usr/bin/setxkbmap
> Port:       <Unknown>
> Host:       C5.aardvark.com.au
> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
> Selinux Enabled:       True
> Policy Type:       targeted
> MLS Enabled:       True
> Enforcing Mode:       Permissive
> Plugin Name:       home_tmp_bad_labels
> Host Name:       C5.aardvark.com.au
> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
> Alert Count:       37
> First Seen:       Sun Jan 11 17:55:13 2009
> Last Seen:       Mon Aug 10 18:13:19 2009
> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:     
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> 
> 
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

chcon -R -t xserver_tmp_t /tmp/.X11-unix

I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
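
Added example, not part of the original post: a short triage script that unfolds the mail-wrapped audit records quoted above, drops repeated records, and groups the denials by source type, target type, class and permission. The sample input is rebuilt from the values in the quoted report; the function names `summarize` and `selinux_type` are hypothetical.

```python
import re
from collections import Counter

# Sample input built from the AVC records quoted in the report above
# (event ids and pids as posted); each record is repeated, as in the paste.
AVC_TEMPLATE = (
    'host=C5.aardvark.com.au type=AVC msg=audit({eid}): avc: '
    'denied {{ search }} for pid={pid} comm="setxkbmap" name=".X11-unix" '
    'dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 '
    'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir')
EVENTS = [("1249899195.897:15", 4022), ("1249899196.898:16", 4022),
          ("1249899197.933:18", 4041), ("1249899199.903:20", 4022)]
SAMPLE = "\n".join(AVC_TEMPLATE.format(eid=e, pid=p)
                   for e, p in EVENTS for _ in range(2))

# [^{}] keeps a match from running on into the next AVC record.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}[^{}]*?comm="(?P<comm>[^"]*)"[^{}]*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Count distinct AVC denials per (comm, source type, target type, class, perm)."""
    # Undo mail quoting and line wrapping so each record is matched whole.
    flat = " ".join(line.lstrip("> ").strip() for line in log_text.splitlines())
    seen, rules = set(), Counter()
    for m in AVC_RE.finditer(flat):
        if m.group(0) in seen:      # same record logged or pasted twice
            continue
        seen.add(m.group(0))
        for perm in m["perms"].split():
            key = (m["comm"], selinux_type(m["scon"]),
                   selinux_type(m["tcon"]), m["tclass"], perm)
            rules[key] += 1
    return rules

if __name__ == "__main__":
    for (comm, src, tgt, cls, perm), n in summarize(SAMPLE).items():
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {perm} }}")
```

All four reports collapse to one denial tuple, which is why a single relabel of the directory addresses every alert.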
