two denials one for ck-get-x11-serv and one for wine

Daniel J Walsh dwalsh at redhat.com
Thu Aug 13 17:42:08 UTC 2009


On 08/12/2009 06:23 PM, Antonio Olivares wrote:
> Dear fellow selinux experts and users,
> 
> I had problems updating a rawhide machine and I used xfce spin to get back in the saddle.  I encountered two denials and I post them here for guidance.  
> 
> Thanks in Advance,
> 
> Antonio 
> 
> Summary:
> 
> SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
> files (.Xauthority).
> 
> Detailed Description:
> 
> SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
> (.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use
> these files. It is common for users to edit files in their home directory or tmp
> directories and then move (mv) them to system directories. The problem is that
> the files end up with the wrong file context which confined applications are not
> allowed to access.
> 
> Allowing Access:
> 
> If you want ck-get-x11-serv to access this files, you need to relabel them using
> restorecon -v '.Xauthority'. You might want to relabel the entire directory
> using restorecon -R -v ''.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Context                unconfined_u:object_r:admin_home_t:s0
> Target Objects                .Xauthority [ file ]
> Source                        ck-get-x11-serv
> Source Path                   /usr/libexec/ck-get-x11-server-pid
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages           ConsoleKit-x11-0.3.1-2.fc12
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.6.26-8.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   home_tmp_bad_labels
> Host Name                     (removed)
> Platform                      Linux localhost.localdomain
>                               2.6.31-0.125.rc5.git2.fc12.i686 #1 SMP Tue Aug 4
>                               03:18:57 EDT 2009 i686 i686
> Alert Count                   1
> First Seen                    Wed 12 Aug 2009 02:42:54 AM CDT
> Last Seen                     Wed 12 Aug 2009 02:42:54 AM CDT
> Local ID                      ffd20bb6-e1cf-466f-b51e-9de4c94b4991
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): avc:  denied  { read } for  pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> 
> node=localhost.localdomain type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 a0=bffedfbc a1=4 a2=18ab18 a3=bffedfbc items=0 ppid=1324 pid=1325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
> 
> 
> Can't copy the wine and can't submit the above one to bugzilla.  The wine one looks serious as I try to run some windows programs that worked before without problems.  Will see how I can capture them?



Mislabeled file.  chcon -t xauth_home_t /root/.Xauthority 

should fix.

Fixing labeling in 

selinux-policy-3.6.26-11.fc12.src.rpm
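
As an added example (not part of the original thread, and not setroubleshoot's own code), the following Python parses the raw AVC record quoted above and separates a labeling problem from a possible policy gap. The `EXPECTED_TYPE` table and the function names are hypothetical; the table holds only the mapping given in the reply (.Xauthority should be xauth_home_t).

```python
import re

# Expected type per file name. The one entry is taken from the reply above;
# the table is a hypothetical stand-in for the policy's file-context lookup.
EXPECTED_TYPE = {".Xauthority": "xauth_home_t"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return the fields of one type=AVC denial as a dict, else None."""
    m = DENIED.search(line)
    if "type=AVC" not in line or m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group(1).split()
    # Context layout is user:role:type:level; only the level may hold more ':'.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(line):
    """Classify a denial as a labeling problem or a possible policy gap."""
    rec = parse_avc(line)
    if rec is None:
        return None
    want = EXPECTED_TYPE.get(rec.get("name"))
    if want is None:
        verdict = "unknown-file"
    elif want != rec["ttype"]:
        verdict = "mislabeled"       # fix the label, not the policy
    else:
        verdict = "label-ok"         # label is right; look at the policy
    return {"verdict": verdict, "domain": rec["sdomain"], "perms": rec["perms"],
            "tclass": rec.get("tclass"), "actual": rec["ttype"], "expected": want}

# The AVC record from the report above.
PAGE_AVC = ('node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): '
            'avc:  denied  { read } for  pid=1325 comm="ck-get-x11-serv" '
            'name=".Xauthority" dev=dm-0 ino=78946 '
            'scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file')
# Constructed record: the same denial against a correctly labeled file.
CONSTRUCTED_AVC = PAGE_AVC.replace("admin_home_t", "xauth_home_t")

if __name__ == "__main__":
    for line in (PAGE_AVC, CONSTRUCTED_AVC):
        print(triage(line))
```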



