AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 31 12:49:04 UTC 2009
On 08/30/2009 10:17 PM, Richard Chapman wrote:
> Hi Daniel
>
> FYI: I have just rebooted the system for the first time in ages - and
> I'm still using /tmp as opposes to tmpfs - and received 2 more AVCs -
> very similar to the previous ones. If I understood correctly - you were
> not expecting this to re-occur. I haven't posted the AVCs because I
> think they are much the same as the originals - but can do so if you are
> interested.
>
> This is not a major problem - but is one of the issues preventing me
> from using "enforcing" mode. Any thoughts why it has re-occurred?
>
> Richard.
>
> Daniel J Walsh wrote:
>> On 08/15/2009 01:05 AM, Richard Chapman wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>>
>>>>
>>>>> Daniel J Walsh wrote:
>>>>>
>>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>>>>>
>>>>>>
>>>>>>> I am running Centos 5.3 in permissive mode - and recently I started
>>>>>>> getting 4 avcs every time I boot the server. I am not sure - but I
>>>>>>> think
>>>>>>> these might have started when I changed my desktop from Gnome to
>>>>>>> KDE. I
>>>>>>> have tried the relabelling suggested in the AVC - but this hasn't
>>>>>>> fixed it.
>>>>>>> Does it look like I have something set up wrong - or is there a
>>>>>>> policy
>>>>>>> problem?
>>>>>>> Richard.
>>>>>>>
>>>>>>>
>>>>>>> Summary
>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>> mislabeled
>>>>>>> files (./.X11-unix).
>>>>>>> Detailed Description
>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>> denied but
>>>>>>> was permitted due to permissive mode.]
>>>>>>>
>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>> file(s)
>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>> to use
>>>>>>> these files. It is common for users to edit files in their home
>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>> file
>>>>>>> context which confined applications are not allowed to access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>> entire
>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port: <Unknown>
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages: Policy RPM:
>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>> SMP Tue
>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 34
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:15 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>> a2=13
>>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>>>>> ses=4294967295
>>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>> a2=13
>>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>>>>> ses=4294967295
>>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>> Summary
>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>> mislabeled
>>>>>>> files (./.X11-unix).
>>>>>>> Detailed Description
>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>> denied but
>>>>>>> was permitted due to permissive mode.]
>>>>>>>
>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>> file(s)
>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>> to use
>>>>>>> these files. It is common for users to edit files in their home
>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>> file
>>>>>>> context which confined applications are not allowed to access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>> entire
>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port: <Unknown>
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages: Policy RPM:
>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>> SMP Tue
>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 35
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:16 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>> a2=13
>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>> suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>> comm="setxkbmap"
>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>> a2=13
>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>> suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>> comm="setxkbmap"
>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>> Summary
>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>> mislabeled
>>>>>>> files (./.X11-unix).
>>>>>>> Detailed Description
>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>> denied but
>>>>>>> was permitted due to permissive mode.]
>>>>>>>
>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>> file(s)
>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>> to use
>>>>>>> these files. It is common for users to edit files in their home
>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>> file
>>>>>>> context which confined applications are not allowed to access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>> entire
>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port: <Unknown>
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages: Policy RPM:
>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>> SMP Tue
>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 36
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:17 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20
>>>>>>> a2=13
>>>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>> suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>> comm="setxkbmap"
>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20
>>>>>>> a2=13
>>>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>> suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>> comm="setxkbmap"
>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Summary
>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>> mislabeled
>>>>>>> files (./.X11-unix).
>>>>>>> Detailed Description
>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>> denied but
>>>>>>> was permitted due to permissive mode.]
>>>>>>>
>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>> file(s)
>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>> to use
>>>>>>> these files. It is common for users to edit files in their home
>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>> file
>>>>>>> context which confined applications are not allowed to access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>> entire
>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port: <Unknown>
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages: Policy RPM:
>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>> SMP Tue
>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 37
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:19 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers: Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>> a2=13
>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>> suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>> comm="setxkbmap"
>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>> a2=13
>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>> suid=0
>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>> comm="setxkbmap"
>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> fedora-selinux-list mailing list
>>>>>>> fedora-selinux-list at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>
>>>>>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>>
>>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a
>>>>>> reboot.
>>>>>>
>>>>>>
>>>>> Thanks Daniel - but this is the response...
>>>>>
>>>>> [root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>> chcon: failed to change context of /tmp/.X11-unix to
>>>>> system_u:object_r:xserver_t mp_t: Invalid
>>>>> argument
>>>>> chcon: failed to change context of /tmp/.X11-unix/X0 to
>>>>> system_u:object_r:xserve r_tmp_t: Invalid
>>>>> argument
>>>>> chcon: failed to change context of /tmp/.X11-unix/X1005 to
>>>>> user_u:object_r:xserv er_tmp_t: Invalid
>>>>> argument
>>>>> [root at C5 ~]#
>>>>>
>>>>> Being pretty green - I don't really understand the problem here.
>>>>> Also -
>>>>> if this chcon worked - would this be a permanent solution - or does it
>>>>> need to be executed in a boot script?
>>>>> I like your idea of using tmpfs - but is it ever a problem that
>>>>> tmpfs is
>>>>> relatively small and finite? Also - please excuse my ignorance -
>>>>> but how
>>>>> do I make tmpfs the tmp folder?
>>>>>
>>>>> Richard.
>>>>>
>>>>>
>>>>>
>>>> Must have changed between RHEL5 and F11
>>>>
>>>> Try
>>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>>
>>>> Add this line to /etc/fstab
>>>>
>>>> tmpfs /tmp tmpfs
>>>> rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>>>>
>>>> And reboot.
>>>>
>>>> I don't tend to store huge abouts of stuff in /tmp. If I want to
>>>> store big stuff I can always use /var/tmp
>>>>
>>>>
>>> Thanks Daniel
>>>
>>> That chcon command worked fine. Should this be a permanent solution - or
>>> will new files appearing there need a chcon too? Should I put this
>>> command into a boot script somewhere?
>>>
>>> I'll try tmpfs and see if it ever overflows in practice. Hopefully I'll
>>> be able to see something in my logwatch if there is ever a problem.
>>> Currently - It's using less than 1/2 its 2 gigs or ram - so there is
>>> some room to spare. Seems your suggestion has sparked quite a bit of
>>> interest...:-)
>>>
>>> Thanks again
>>>
>>> Richard.
>>>
>>>
>>>
>> No the chcon is fine. It was mislabeled at some point and relabeling
>> does not touch /tmp
>>
>>
>
I guess I would need to see the AVC messages, to make sure they are the same.
What is the label on the /tmp/.X11-unix directory?
More information about the fedora-selinux-list
mailing list