SELinux mystery

Daniel J Walsh dwalsh at
Wed Nov 14 16:15:45 UTC 2007

Joe Smith wrote:
> Last week, I was doing an X server update and I wanted to test the
> config. I wanted to run X as a normal user, so (logged in as root) I did
> this:
> # (su - joe -c "xinit -- :1 > 2>&1")
> Some time after that (I think it was the next day, after a reboot), I
> got a flag from setroubleshoot:
> Nov  6 21:25:09 duros setroubleshoot: SELinux is preventing the
> /sbin/modprobe from using potentially mislabeled files
> (/home/joe/ For complete SELinux messages. run ...
> At the time, I just removed the log file (I didn't need it anymore) and
> forgot about it, but it kept bugging me:
> Why was this flagged as an access problem? The file was not owned by
> root--it was created under a normal user's environment.
> What was modprobe doing (or trying to do) with a file in a user's home
> directory?
> Hmmm...
> <Joe
You redirected stdout/stderr to a file labeled user_home_t and started
the Xserver.  From that point on, every app that starts by default gets its
stdout/stderr redirected to user_home_t.  The kernel checks when
confined apps start up whether they have read/write access to all open
file descriptors, including stderr/stdout.  So eventually modprobe gets
executed while in your X session.  The kernel sees that you need
read/write to user_home_t, and it says that is not allowed, generating
the AVC.  The kernel then closes the file descriptor and reopens
stderr/stdout to /dev/null.  So you can safely ignore this AVC.
modprobe was not trying to do anything evil.  This is the most common
source of AVCs in SELinux and something we would like to be able to
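A triage sketch for the denial pattern described in the reply above, added here as an example and not part of the original thread: it scans AVC records for denials that name only read/write/append on a file-like object, which is what an inherited stdout/stderr looks like, and groups them by target path. The sample records, the path `/home/alice/x.log`, the `dhclient`/`dhcpc_t` entry, the function names and the heuristic itself are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); paths, PIDs and inodes are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1194380709.101:41): avc:  denied  { read write } for  pid=2301 comm="modprobe" path="/home/alice/x.log" dev=sda2 ino=81234 scontext=system_u:system_r:insmod_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1194380712.220:47): avc:  denied  { read write } for  pid=2340 comm="dhclient" path="/home/alice/x.log" dev=sda2 ino=81234 scontext=system_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1194380800.005:52): avc:  denied  { getattr } for  pid=2500 comm="httpd" path="/home/alice/public_html" dev=sda2 ino=90001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?path="(?P<path>[^"]+)".*?ino=(?P<ino>\d+)'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

# Assumed heuristic: a descriptor inherited across exec is denied on plain
# read/write/append of an already-open file, never on directory or attribute access.
FD_PERMS = {"read", "write", "append"}
FD_CLASSES = {"file", "chr_file", "fifo_file"}

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def inherited_fd_candidates(log_text):
    """Map (path, target type) -> sorted [(comm, source type)] for likely inherited-fd denials."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial carrying a path
        perms = set(m["perms"].split())
        if m["tclass"] in FD_CLASSES and perms <= FD_PERMS:
            hits[(m["path"], sel_type(m["tcon"]))].add((m["comm"], sel_type(m["scon"])))
    return {key: sorted(procs) for key, procs in hits.items()}

if __name__ == "__main__":
    for (path, ttype), procs in inherited_fd_candidates(SAMPLE_LOG).items():
        print(f"{path} ({ttype}): denied to {procs}")
```

Several unrelated domains denied on the same path is a strong hint that one redirected descriptor is being passed down to every child, rather than each program opening the file itself.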

