On 08/31/2009 10:53 PM, Richard Chapman wrote:
> Daniel J Walsh wrote:
>> On 08/30/2009 10:17 PM, Richard Chapman wrote:
>>
>>> Hi Daniel
>>>
>>> FYI: I have just rebooted the system for the first time in ages - and
>>> I'm still using /tmp as opposed to tmpfs - and received 2 more AVCs -
>>> very similar to the previous ones. If I understood correctly - you were
>>> not expecting this to re-occur. I haven't posted the AVCs because I
>>> think they are much the same as the originals - but can do so if you
>>> are interested.
>>>
>>> This is not a major problem - but is one of the issues preventing me
>>> from using "enforcing" mode. Any thoughts why it has re-occurred?
>>>
>>> Richard.
>>>
>>> Daniel J Walsh wrote:
>>>
>>>> On 08/15/2009 01:05 AM, Richard Chapman wrote:
>>>>
>>>>> Daniel J Walsh wrote:
>>>>>
>>>>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>>>>
>>>>>>> Daniel J Walsh wrote:
>>>>>>>
>>>>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>>>>>>>
>>>>>>>>> I am running Centos 5.3 in permissive mode - and recently I started
>>>>>>>>> getting 4 avcs every time I boot the server. I am not sure - but I
>>>>>>>>> think these might have started when I changed my desktop from Gnome
>>>>>>>>> to KDE. I have tried the relabelling suggested in the AVC - but this
>>>>>>>>> hasn't fixed it.
>>>>>>>>> Does it look like I have something set up wrong - or is there a
>>>>>>>>> policy problem?
>>>>>>>>> Richard.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>>> mislabeled files (./.X11-unix).
>>>>>>>>> Detailed Description
>>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>>> denied but was permitted due to permissive mode.]
>>>>>>>>>
>>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>>> file(s) (./.X11-unix). This means that SELinux will not allow
>>>>>>>>> setxkbmap to use these files. It is common for users to edit files
>>>>>>>>> in their home directory or tmp directories and then move (mv) them
>>>>>>>>> to system directories. The problem is that the files end up with
>>>>>>>>> the wrong file context which confined applications are not allowed
>>>>>>>>> to access.
>>>>>>>>>
>>>>>>>>> Allowing Access
>>>>>>>>> If you want setxkbmap to access this files, you need to relabel
>>>>>>>>> them using restorecon -v './.X11-unix'. You might want to relabel
>>>>>>>>> the entire directory using restorecon -R -v './.X11-unix'.
>>>>>>>>> Additional Information
>>>>>>>>>
>>>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>>>> Source: setxkbmap
>>>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>>>> Port: <Unknown>
>>>>>>>>> Host: C5.aardvark.com.au
>>>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>>> Target RPM Packages:
>>>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>>>> Selinux Enabled: True
>>>>>>>>> Policy Type: targeted
>>>>>>>>> MLS Enabled: True
>>>>>>>>> Enforcing Mode: Permissive
>>>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>>> Alert Count: 34
>>>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>>>> Last Seen: Mon Aug 10 18:13:15 2009
>>>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>>> Line Numbers:
>>>>>>>>>
>>>>>>>>> Raw Audit Messages :
>>>>>>>>>
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>>> mislabeled files (./.X11-unix).
>>>>>>>>> Detailed Description
>>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>>> denied but was permitted due to permissive mode.]
>>>>>>>>>
>>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>>> file(s) (./.X11-unix). This means that SELinux will not allow
>>>>>>>>> setxkbmap to use these files. It is common for users to edit files
>>>>>>>>> in their home directory or tmp directories and then move (mv) them
>>>>>>>>> to system directories. The problem is that the files end up with
>>>>>>>>> the wrong file context which confined applications are not allowed
>>>>>>>>> to access.
>>>>>>>>>
>>>>>>>>> Allowing Access
>>>>>>>>> If you want setxkbmap to access this files, you need to relabel
>>>>>>>>> them using restorecon -v './.X11-unix'. You might want to relabel
>>>>>>>>> the entire directory using restorecon -R -v './.X11-unix'.
>>>>>>>>> Additional Information
>>>>>>>>>
>>>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>>>> Source: setxkbmap
>>>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>>>> Port: <Unknown>
>>>>>>>>> Host: C5.aardvark.com.au
>>>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>>> Target RPM Packages:
>>>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>>>> Selinux Enabled: True
>>>>>>>>> Policy Type: targeted
>>>>>>>>> MLS Enabled: True
>>>>>>>>> Enforcing Mode: Permissive
>>>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>>> Alert Count: 35
>>>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>>>> Last Seen: Mon Aug 10 18:13:16 2009
>>>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>>> Line Numbers:
>>>>>>>>>
>>>>>>>>> Raw Audit Messages :
>>>>>>>>>
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>>> mislabeled files (./.X11-unix).
>>>>>>>>> Detailed Description
>>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>>> denied but was permitted due to permissive mode.]
>>>>>>>>>
>>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>>> file(s) (./.X11-unix). This means that SELinux will not allow
>>>>>>>>> setxkbmap to use these files. It is common for users to edit files
>>>>>>>>> in their home directory or tmp directories and then move (mv) them
>>>>>>>>> to system directories. The problem is that the files end up with
>>>>>>>>> the wrong file context which confined applications are not allowed
>>>>>>>>> to access.
>>>>>>>>>
>>>>>>>>> Allowing Access
>>>>>>>>> If you want setxkbmap to access this files, you need to relabel
>>>>>>>>> them using restorecon -v './.X11-unix'. You might want to relabel
>>>>>>>>> the entire directory using restorecon -R -v './.X11-unix'.
>>>>>>>>> Additional Information
>>>>>>>>>
>>>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>>>> Source: setxkbmap
>>>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>>>> Port: <Unknown>
>>>>>>>>> Host: C5.aardvark.com.au
>>>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>>> Target RPM Packages:
>>>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>>>> Selinux Enabled: True
>>>>>>>>> Policy Type: targeted
>>>>>>>>> MLS Enabled: True
>>>>>>>>> Enforcing Mode: Permissive
>>>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>>> Alert Count: 36
>>>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>>>> Last Seen: Mon Aug 10 18:13:17 2009
>>>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>>> Line Numbers:
>>>>>>>>>
>>>>>>>>> Raw Audit Messages :
>>>>>>>>>
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>>> mislabeled files (./.X11-unix).
>>>>>>>>> Detailed Description
>>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>>> denied but was permitted due to permissive mode.]
>>>>>>>>>
>>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>>> file(s) (./.X11-unix). This means that SELinux will not allow
>>>>>>>>> setxkbmap to use these files. It is common for users to edit files
>>>>>>>>> in their home directory or tmp directories and then move (mv) them
>>>>>>>>> to system directories. The problem is that the files end up with
>>>>>>>>> the wrong file context which confined applications are not allowed
>>>>>>>>> to access.
>>>>>>>>>
>>>>>>>>> Allowing Access
>>>>>>>>> If you want setxkbmap to access this files, you need to relabel
>>>>>>>>> them using restorecon -v './.X11-unix'. You might want to relabel
>>>>>>>>> the entire directory using restorecon -R -v './.X11-unix'.
>>>>>>>>> Additional Information
>>>>>>>>>
>>>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>>>> Source: setxkbmap
>>>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>>>> Port: <Unknown>
>>>>>>>>> Host: C5.aardvark.com.au
>>>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>>> Target RPM Packages:
>>>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>>>> Selinux Enabled: True
>>>>>>>>> Policy Type: targeted
>>>>>>>>> MLS Enabled: True
>>>>>>>>> Enforcing Mode: Permissive
>>>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>>> Alert Count: 37
>>>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>>>> Last Seen: Mon Aug 10 18:13:19 2009
>>>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>>> Line Numbers:
>>>>>>>>>
>>>>>>>>> Raw Audit Messages :
>>>>>>>>>
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> fedora-selinux-list mailing list
>>>>>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>>>
>>>>>>>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>>>>
>>>>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a
>>>>>>>> reboot.
>>>>>>>>
>>>>>>> Thanks Daniel - but this is the response...
>>>>>>>
>>>>>>> [root@C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>>> chcon: failed to change context of /tmp/.X11-unix to system_u:object_r:xserver_tmp_t: Invalid argument
>>>>>>> chcon: failed to change context of /tmp/.X11-unix/X0 to system_u:object_r:xserver_tmp_t: Invalid argument
>>>>>>> chcon: failed to change context of /tmp/.X11-unix/X1005 to user_u:object_r:xserver_tmp_t: Invalid argument
>>>>>>> [root@C5 ~]#
>>>>>>>
>>>>>>> Being pretty green - I don't really understand the problem here.
>>>>>>> Also - if this chcon worked - would this be a permanent solution - or
>>>>>>> does it need to be executed in a boot script?
>>>>>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs
>>>>>>> is relatively small and finite? Also - please excuse my ignorance -
>>>>>>> but how do I make tmpfs the tmp folder?
>>>>>>>
>>>>>>> Richard.
>>>>>>>
>>>>>> Must have changed between RHEL5 and F11
>>>>>>
>>>>>> Try
>>>>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>>>>
>>>>>> Add this line to /etc/fstab
>>>>>>
>>>>>> tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>>>>>>
>>>>>> And reboot.
>>>>>>
>>>>>> I don't tend to store huge amounts of stuff in /tmp. If I want to
>>>>>> store big stuff I can always use /var/tmp
>>>>>>
>>>>> Thanks Daniel
>>>>>
>>>>> That chcon command worked fine. Should this be a permanent solution -
>>>>> or will new files appearing there need a chcon too? Should I put this
>>>>> command into a boot script somewhere?
>>>>>
>>>>> I'll try tmpfs and see if it ever overflows in practice. Hopefully
>>>>> I'll be able to see something in my logwatch if there is ever a
>>>>> problem. Currently - it's using less than 1/2 its 2 gigs of ram - so
>>>>> there is some room to spare. Seems your suggestion has sparked quite a
>>>>> bit of interest...:-)
>>>>>
>>>>> Thanks again
>>>>>
>>>>> Richard.
>>>>>
>>>> No the chcon is fine. It was mislabeled at some point and relabeling
>>>> does not touch /tmp
>>>>
>>
>> I guess I would need to see the AVC messages, to make sure they are
>> the same.
>>
>> What is the label on the /tmp/.X11-unix directory?
>>
> Hi Daniel
> Does this answer your question?
>
> *> ls -Za /tmp*
> drwxrwxrwt root root system_u:object_r:tmp_t .
> drwxr-xr-x root root system_u:object_r:root_t ..
> drwxrwxrwt root root system_u:object_r:xdm_tmp_t .ICE-unix
> -r--r--r-- root root system_u:object_r:xdm_tmp_t .X0-lock
> drwxrwxrwt root root system_u:object_r:initrc_tmp_t .X11-unix
> drwxrwxrwt root root system_u:object_r:xfs_tmp_t .font-unix
> srw-rw-rw- root root system_u:object_r:xdm_tmp_t .gdm_socket
> -rw------- nx nx user_u:object_r:tmp_t .nX1000-lock
> drwxr-xr-x root root root:object_r:initrc_tmp_t .webmin
> drwx------ root root user_u:object_r:tmp_t gconfd-root
> srwxr-xr-x root root user_u:object_r:tmp_t gedit.root.3537314166
> srwxr-xr-x root root user_u:object_r:tmp_t mapping-root
> -rw-r--r-- root root user_u:object_r:tmp_t sarg-file.in
>
> And just in case it is useful:
>
> *> ls -Za /tmp/.X11-unix*
> drwxrwxrwt root root system_u:object_r:initrc_tmp_t .
> drwxrwxrwt root root system_u:object_r:tmp_t ..
> srwxrwxrwx root root system_u:object_r:initrc_tmp_t X0
>
> Here are the recent AVCs:
>
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
>
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
>
> Source Context: system_u:system_r:rhgb_t
> Target Context: system_u:object_r:initrc_tmp_t
> Target Objects: ./.X11-unix [ dir ]
> Source: setxkbmap
> Source Path: /usr/bin/setxkbmap
> Port: <Unknown>
> Host: C5.aardvark.com.au
> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:
> Policy RPM: selinux-policy-2.4.6-225.el5
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: home_tmp_bad_labels
> Host Name: C5.aardvark.com.au
> Platform: Linux C5.aardvark.com.au 2.6.18-128.7.1.el5 #1 SMP Mon
> Aug 24 08:21:56 EDT 2009 x86_64 x86_64
> Alert Count: 38
> First Seen: Sun Jan 11 17:55:13 2009
> Last Seen: Mon Aug 31 09:24:11 2009
> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:
>
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1251681851.968:15): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1251681851.968:15): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681851.968:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 a3=0 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681851.968:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 a3=0 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>
>
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
>
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
>
> Source Context: system_u:system_r:rhgb_t
> Target Context: system_u:object_r:initrc_tmp_t
> Target Objects: ./.X11-unix [ dir ]
> Source: setxkbmap
> Source Path: /usr/bin/setxkbmap
> Port: <Unknown>
> Host: C5.aardvark.com.au
> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:
> Policy RPM: selinux-policy-2.4.6-225.el5
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: home_tmp_bad_labels
> Host Name: C5.aardvark.com.au
> Platform: Linux C5.aardvark.com.au 2.6.18-128.7.1.el5 #1 SMP Mon
> Aug 24 08:21:56 EDT 2009 x86_64 x86_64
> Alert Count: 39
> First Seen: Sun Jan 11 17:55:13 2009
> Last Seen: Mon Aug 31 09:24:13 2009
> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:
>
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1251681853.972:16): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1251681853.972:16): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681853.972:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 a3=8 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681853.972:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 a3=8 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)

The AVC messages that you attached do not show /tmp on a tmpfs file system,
they look like they are still on an ext file system.

Could you either switch to using /tmp on tmpfs or just execute

mv /tmp/.X11-unix /tmp/.X11-unix.bad
reboot

And see what context the directory and its contents come up with.
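Daniel's closing request (move the directory aside, reboot, compare the label that comes back) is a manual version of a check that can be scripted against the audit log. The script below is an added example, not code from the thread or from setroubleshoot: a POSIX shell parser for AVC records of the shape Richard posted that reports every record whose target on /tmp is not labeled with the expected type. The expected type xdm_xserver_tmp_t (taken from Daniel's chcon) and the embedded sample lines are assumptions constructed from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: parse AVC records of the shape Richard
# posted and flag /tmp objects whose SELinux type is not the one Daniel's
# chcon sets (xdm_xserver_tmp_t on this CentOS 5 box). That expected type is
# an assumption; confirm it with matchpathcon on the real system.

# Constructed sample input: two AVC lines and one SYSCALL line copied in
# shape from the thread (host= prefix dropped).
SAMPLE_LINES='type=AVC msg=audit(1251681851.968:15): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1251681851.968:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
type=AVC msg=audit(1251681853.972:16): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir'
SAMPLE_AVC=$(printf '%s\n' "$SAMPLE_LINES" | head -n 1)

# avc_field LINE KEY: print the value of the KEY=value token (quotes
# stripped), or nothing when the key is absent.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# context_type CONTEXT: the type component of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_tmp_label LINE EXPECTED_TYPE: return 0 when the AVC target carries
# EXPECTED_TYPE, 1 (with a one-line report) when it does not.
check_tmp_label() {
    name=$(avc_field "$1" name)
    tclass=$(avc_field "$1" tclass)
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    if [ "$ttype" != "$2" ]; then
        printf 'mislabeled: %s (%s) is %s, expected %s\n' \
            "$name" "$tclass" "$ttype" "$2"
        return 1
    fi
    printf 'ok: %s (%s) is %s\n' "$name" "$tclass" "$ttype"
}

# count_mislabeled EXPECTED_TYPE < audit_lines: number of AVC records whose
# target type is not EXPECTED_TYPE; SYSCALL and other record types are skipped.
count_mislabeled() {
    n=0
    while IFS= read -r line; do
        case $line in *"type=AVC "*) ;; *) continue ;; esac
        if ! check_tmp_label "$line" "$1" >/dev/null; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Stand-alone run over the embedded sample: prints 2, one per AVC record whose
# .X11-unix target is still initrc_tmp_t.
printf '%s\n' "$SAMPLE_LINES" | count_mislabeled xdm_xserver_tmp_t
```

On a live box, feed it `ausearch -m avc --raw` output instead of the sample; a non-zero count after the tmpfs change or the mv-and-reboot test tells you the label still has not come back as expected.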