two denials one for ck-get-x11-serv and one for wine
Daniel J Walsh
dwalsh at redhat.com
Thu Aug 13 17:42:08 UTC 2009
On 08/12/2009 06:23 PM, Antonio Olivares wrote:
> Dear fellow selinux experts and users,
>
> I had problems updating a rawhide machine and I used xfce spin to get back in the saddle. I encountered two denials and I post them here for guidance.
>
> Thanks in Advance,
>
> Antonio
>
> Summary:
>
> SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
> files (.Xauthority).
>
> Detailed Description:
>
> SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
> (.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use
> these files. It is common for users to edit files in their home directory or tmp
> directories and then move (mv) them to system directories. The problem is that
> the files end up with the wrong file context which confined applications are not
> allowed to access.
>
> Allowing Access:
>
> If you want ck-get-x11-serv to access this files, you need to relabel them using
> restorecon -v '.Xauthority'. You might want to relabel the entire directory
> using restorecon -R -v ''.
>
> Additional Information:
>
> Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Context unconfined_u:object_r:admin_home_t:s0
> Target Objects .Xauthority [ file ]
> Source ck-get-x11-serv
> Source Path /usr/libexec/ck-get-x11-server-pid
> Port <Unknown>
> Host (removed)
> Source RPM Packages ConsoleKit-x11-0.3.1-2.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.26-8.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name home_tmp_bad_labels
> Host Name (removed)
> Platform Linux localhost.localdomain
> 2.6.31-0.125.rc5.git2.fc12.i686 #1 SMP Tue Aug 4
> 03:18:57 EDT 2009 i686 i686
> Alert Count 1
> First Seen Wed 12 Aug 2009 02:42:54 AM CDT
> Last Seen Wed 12 Aug 2009 02:42:54 AM CDT
> Local ID ffd20bb6-e1cf-466f-b51e-9de4c94b4991
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): avc: denied { read } for pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> node=localhost.localdomain type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 a0=bffedfbc a1=4 a2=18ab18 a3=bffedfbc items=0 ppid=1324 pid=1325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
>
>
> Can't copy the wine and can't submit the above one to bugzilla. The wine one looks serious as I try to run some windows programs that worked before without problems. Will see how I can capture them?
>
>
>
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Mislabled file. chcon -t xauth_home_t /root/.Xauthority
should fix.
Fixing labeling in
selinux-policy-3.6.26-11.fc12.src.rpm
More information about the fedora-selinux-list
mailing list