Re: Tutorial on setting up SELinux / X Server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Richard Chapman wrote:
Eamon Walsh wrote:
On 12/03/2009 08:59 PM, Richard Chapman wrote:
I have a Cetos 5.4 system ruining x - and I also have some boot time x related denials. I therefore tried the below setsebool but got the following errors:

setsebool -P xserver_object_manager on

ibsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean xserver_object_manager
Could not change policy booleans


Is this because Centos is different - or is there a typo in the above command?

Richard.



I don't think that RHEL 5.4 has this boolean.  Look in /selinux/booleans
and see if there is a file called xserver_object_manager.

However, if you are getting boot-time X denials then it's probably not
anything to do with the X object manager.  That sounds like a kernel
policy problem.  What are the denials?


Hi Eamon

I think my previous attempt to send this probably failed. It looks like your mail srver didn't want to talk to mine - so here goes again...

You are right - that there is no such file in /selinux/booleans on my rhel 5.4 system.

I have been getting these for ages - and have discussed with Daniel - but not found the problem: Here is the first - and the others are similar. I have tried the suggested re-labelling, and moved /tmp to a tmpfs volume - but still the errors persist:

Summary
SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:       system_u:system_r:rhgb_t
Target Context:       system_u:object_r:initrc_tmp_t
Target Objects:       ./.X11-unix [ dir ]
Source:       setxkbmap
Source Path:       /usr/bin/setxkbmap
Port:       <Unknown>
Host:       C5.aardvark.com.au
Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5
Selinux Enabled:       True
Policy Type:       targeted
MLS Enabled:       True
Enforcing Mode:       Permissive
Plugin Name:       home_tmp_bad_labels
Host Name:       C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64
Alert Count:       43
First Seen:       Sun Jan 11 17:55:13 2009
Last Seen:       Tue Sep 29 12:03:49 2009
Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:
Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1254197029.941:12): avc: denied { search } for pid=4172 comm="setxkbmap" name=".X11-unix" dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1254197029.941:12): avc: denied { search } for pid=4172 comm="setxkbmap" name=".X11-unix" dev=tmpfs ino=13452 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1254197029.941:12): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd604c2a0 a2=13 a3=3be2b51a30 items=0 ppid=4171 pid=4172 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1254197029.941:12): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd604c2a0 a2=13 a3=3be2b51a30 items=0 ppid=4171 pid=4172 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)


Richard

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux