AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).

Richard Chapman rchapman at aardvark.com.au
Wed Aug 12 23:53:43 UTC 2009


I am running CentOS 5.3 in permissive mode - and recently I started 
getting 4 AVCs every time I boot the server. I am not sure - but I think 
these might have started when I changed my desktop from Gnome to KDE. I 
have tried the relabelling suggested in the AVC - but this hasn't fixed it.
Does it look like I have something set up wrong - or is there a policy 
problem?
Richard.


Summary
SELinux is preventing the setxkbmap from using potentially mislabeled 
files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) 
(./.X11-unix). This means that SELinux will not allow setxkbmap to use 
these files. It is common for users to edit files in their home 
directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file 
context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them 
using restorecon -v './.X11-unix'. You might want to relabel the entire 
directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:       system_u:system_r:rhgb_t
Target Context:       system_u:object_r:initrc_tmp_t
Target Objects:       ./.X11-unix [ dir ]
Source:       setxkbmap
Source Path:       /usr/bin/setxkbmap
Port:       <Unknown>
Host:       C5.aardvark.com.au
Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:      
Policy RPM:       selinux-policy-2.4.6-225.el5
Selinux Enabled:       True
Policy Type:       targeted
MLS Enabled:       True
Enforcing Mode:       Permissive
Plugin Name:       home_tmp_bad_labels
Host Name:       C5.aardvark.com.au
Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue 
Aug 4 20:19:25 EDT 2009 x86_64 x86_64
Alert Count:       34
First Seen:       Sun Jan 11 17:55:13 2009
Last Seen:       Mon Aug 10 18:13:15 2009
Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:      

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: 
denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: 
denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 
a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm="setxkbmap" exe="/usr/bin/setxkbmap" 
subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 
a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm="setxkbmap" exe="/usr/bin/setxkbmap" 
subj=system_u:system_r:rhgb_t:s0 key=(null)


Summary
SELinux is preventing the setxkbmap from using potentially mislabeled 
files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) 
(./.X11-unix). This means that SELinux will not allow setxkbmap to use 
these files. It is common for users to edit files in their home 
directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file 
context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them 
using restorecon -v './.X11-unix'. You might want to relabel the entire 
directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:       system_u:system_r:rhgb_t
Target Context:       system_u:object_r:initrc_tmp_t
Target Objects:       ./.X11-unix [ dir ]
Source:       setxkbmap
Source Path:       /usr/bin/setxkbmap
Port:       <Unknown>
Host:       C5.aardvark.com.au
Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:      
Policy RPM:       selinux-policy-2.4.6-225.el5
Selinux Enabled:       True
Policy Type:       targeted
MLS Enabled:       True
Enforcing Mode:       Permissive
Plugin Name:       home_tmp_bad_labels
Host Name:       C5.aardvark.com.au
Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue 
Aug 4 20:19:25 EDT 2009 x86_64 x86_64
Alert Count:       35
First Seen:       Sun Jan 11 17:55:13 2009
Last Seen:       Mon Aug 10 18:13:16 2009
Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:      

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: 
denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: 
denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 
a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 
a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)


Summary
SELinux is preventing the setxkbmap from using potentially mislabeled 
files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) 
(./.X11-unix). This means that SELinux will not allow setxkbmap to use 
these files. It is common for users to edit files in their home 
directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file 
context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them 
using restorecon -v './.X11-unix'. You might want to relabel the entire 
directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:       system_u:system_r:rhgb_t
Target Context:       system_u:object_r:initrc_tmp_t
Target Objects:       ./.X11-unix [ dir ]
Source:       setxkbmap
Source Path:       /usr/bin/setxkbmap
Port:       <Unknown>
Host:       C5.aardvark.com.au
Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:      
Policy RPM:       selinux-policy-2.4.6-225.el5
Selinux Enabled:       True
Policy Type:       targeted
MLS Enabled:       True
Enforcing Mode:       Permissive
Plugin Name:       home_tmp_bad_labels
Host Name:       C5.aardvark.com.au
Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue 
Aug 4 20:19:25 EDT 2009 x86_64 x86_64
Alert Count:       36
First Seen:       Sun Jan 11 17:55:13 2009
Last Seen:       Mon Aug 10 18:13:17 2009
Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:      

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: 
denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: 
denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 
a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 
a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)



Summary
SELinux is preventing the setxkbmap from using potentially mislabeled 
files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) 
(./.X11-unix). This means that SELinux will not allow setxkbmap to use 
these files. It is common for users to edit files in their home 
directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file 
context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them 
using restorecon -v './.X11-unix'. You might want to relabel the entire 
directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:       system_u:system_r:rhgb_t
Target Context:       system_u:object_r:initrc_tmp_t
Target Objects:       ./.X11-unix [ dir ]
Source:       setxkbmap
Source Path:       /usr/bin/setxkbmap
Port:       <Unknown>
Host:       C5.aardvark.com.au
Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:      
Policy RPM:       selinux-policy-2.4.6-225.el5
Selinux Enabled:       True
Policy Type:       targeted
MLS Enabled:       True
Enforcing Mode:       Permissive
Plugin Name:       home_tmp_bad_labels
Host Name:       C5.aardvark.com.au
Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue 
Aug 4 20:19:25 EDT 2009 x86_64 x86_64
Alert Count:       37
First Seen:       Sun Jan 11 17:55:13 2009
Last Seen:       Mon Aug 10 18:13:19 2009
Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:      

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: 
denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: 
denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 
a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 
a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
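
Added example, not part of the original post: a small Python triage of the raw audit messages above, which merges records that share an audit serial and groups the resulting events by denial. The sample input is rebuilt from the post's records with some fields trimmed, and the syscall table holds only the x86_64 number that appears there.

```python
import errno
import re

# Constructed input: the post's 16 raw records rebuilt one per line
# (host= prefix dropped, some SYSCALL fields trimmed).
AVC = ('type=AVC msg=audit({ev}): avc:  denied  {{ search }} for  pid={pid} '
       'comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 '
       'scontext=system_u:system_r:rhgb_t:s0 '
       'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit({ev}): arch=c000003e syscall=42 success=no '
           'exit=-2 pid={pid} comm="setxkbmap" exe="/usr/bin/setxkbmap" '
           'subj=system_u:system_r:rhgb_t:s0 key=(null)')
EVENTS = [("1249899195.897:15", 4022), ("1249899196.898:16", 4022),
          ("1249899197.933:18", 4041), ("1249899199.903:20", 4022)]
SAMPLE = [t.format(ev=ev, pid=pid)
          for ev, pid in EVENTS for t in (AVC, AVC, SYSCALL, SYSCALL)]

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scon>\S+) '
    r'tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYS_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): arch=(?P<arch>\w+) '
    r'syscall=(?P<nr>\d+) success=\w+ exit=(?P<rc>-?\d+)')
# Only the (arch, number) pair seen in the post: c000003e is x86_64, 42 is connect().
SYSCALLS = {("c000003e", 42): "connect"}

def triage(lines):
    """Merge duplicate records per audit serial, then group events by denial."""
    events = {}
    for line in lines:
        if m := AVC_RE.search(line):
            rule = (m["scon"].split(":")[2], m["tcon"].split(":")[2],
                    m["tclass"], m["perms"].strip())
            events.setdefault(int(m["serial"]), {})["rule"] = rule
        elif m := SYS_RE.search(line):
            call = SYSCALLS.get((m["arch"], int(m["nr"])), m["nr"])
            err = errno.errorcode.get(-int(m["rc"]), m["rc"])
            events.setdefault(int(m["serial"]), {})["syscall"] = (call, err)
    groups = {}
    for serial in sorted(events):
        ev = events[serial]
        if "rule" in ev:
            groups.setdefault(ev["rule"], []).append((serial, ev.get("syscall")))
    return groups

def as_rule(rule):
    """Render a grouped denial in policy-rule form (for reading, not for loading)."""
    source, target, tclass, perms = rule
    return f"allow {source} {target}:{tclass} {{ {perms} }};"

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE).items():
        print(as_rule(rule), "<-", len(hits), "events:", hits)
```

On the post's data this yields a single denial (rhgb_t searching an initrc_tmp_t directory) across events 15, 16, 18 and 20, each raised during a connect() call that returned ENOENT.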







More information about the fedora-selinux-list mailing list