AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).

Daniel J Walsh dwalsh at redhat.com
Fri Aug 14 12:25:06 UTC 2009


On 08/14/2009 12:19 AM, Richard Chapman wrote:
> Daniel J Walsh wrote:
>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>  
>>> I am running Centos 5.3 in permissive mode - and recently I started
>>> getting 4 avcs every time I boot the server. I am not sure - but I think
>>> these might have started when I changed my desktop from Gnome to KDE. I
>>> have tried the relabelling suggested in the AVC - but this hasn't
>>> fixed it.
>>> Does it look like I have something set up wrong - or is there a policy
>>> problem?
>>> Richard.
>>>
>>>
>>> Summary
>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>> files (./.X11-unix).
>>> Detailed Description
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>> these files. It is common for users to edit files in their home
>>> directory or tmp directories and then move (mv) them to system
>>> directories. The problem is that the files end up with the wrong file
>>> context which confined applications are not allowed to access.
>>>
>>> Allowing Access
>>> If you want setxkbmap to access this files, you need to relabel them
>>> using restorecon -v './.X11-unix'. You might want to relabel the entire
>>> directory using restorecon -R -v './.X11-unix'.
>>> Additional Information
>>>
>>> Source Context:       system_u:system_r:rhgb_t
>>> Target Context:       system_u:object_r:initrc_tmp_t
>>> Target Objects:       ./.X11-unix [ dir ]
>>> Source:       setxkbmap
>>> Source Path:       /usr/bin/setxkbmap
>>> Port:       <Unknown>
>>> Host:       C5.aardvark.com.au
>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
>>> Selinux Enabled:       True
>>> Policy Type:       targeted
>>> MLS Enabled:       True
>>> Enforcing Mode:       Permissive
>>> Plugin Name:       home_tmp_bad_labels
>>> Host Name:       C5.aardvark.com.au
>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>> Alert Count:       34
>>> First Seen:       Sun Jan 11 17:55:13 2009
>>> Last Seen:       Mon Aug 10 18:13:15 2009
>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>> Line Numbers:     Raw Audit Messages :
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>
>>>
>>> Summary
>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>> files (./.X11-unix).
>>> Detailed Description
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>> these files. It is common for users to edit files in their home
>>> directory or tmp directories and then move (mv) them to system
>>> directories. The problem is that the files end up with the wrong file
>>> context which confined applications are not allowed to access.
>>>
>>> Allowing Access
>>> If you want setxkbmap to access this files, you need to relabel them
>>> using restorecon -v './.X11-unix'. You might want to relabel the entire
>>> directory using restorecon -R -v './.X11-unix'.
>>> Additional Information
>>>
>>> Source Context:       system_u:system_r:rhgb_t
>>> Target Context:       system_u:object_r:initrc_tmp_t
>>> Target Objects:       ./.X11-unix [ dir ]
>>> Source:       setxkbmap
>>> Source Path:       /usr/bin/setxkbmap
>>> Port:       <Unknown>
>>> Host:       C5.aardvark.com.au
>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
>>> Selinux Enabled:       True
>>> Policy Type:       targeted
>>> MLS Enabled:       True
>>> Enforcing Mode:       Permissive
>>> Plugin Name:       home_tmp_bad_labels
>>> Host Name:       C5.aardvark.com.au
>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>> Alert Count:       35
>>> First Seen:       Sun Jan 11 17:55:13 2009
>>> Last Seen:       Mon Aug 10 18:13:16 2009
>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>> Line Numbers:     Raw Audit Messages :
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>
>>>
>>> Summary
>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>> files (./.X11-unix).
>>> Detailed Description
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>> these files. It is common for users to edit files in their home
>>> directory or tmp directories and then move (mv) them to system
>>> directories. The problem is that the files end up with the wrong file
>>> context which confined applications are not allowed to access.
>>>
>>> Allowing Access
>>> If you want setxkbmap to access this files, you need to relabel them
>>> using restorecon -v './.X11-unix'. You might want to relabel the entire
>>> directory using restorecon -R -v './.X11-unix'.
>>> Additional Information
>>>
>>> Source Context:       system_u:system_r:rhgb_t
>>> Target Context:       system_u:object_r:initrc_tmp_t
>>> Target Objects:       ./.X11-unix [ dir ]
>>> Source:       setxkbmap
>>> Source Path:       /usr/bin/setxkbmap
>>> Port:       <Unknown>
>>> Host:       C5.aardvark.com.au
>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
>>> Selinux Enabled:       True
>>> Policy Type:       targeted
>>> MLS Enabled:       True
>>> Enforcing Mode:       Permissive
>>> Plugin Name:       home_tmp_bad_labels
>>> Host Name:       C5.aardvark.com.au
>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>> Alert Count:       36
>>> First Seen:       Sun Jan 11 17:55:13 2009
>>> Last Seen:       Mon Aug 10 18:13:17 2009
>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>> Line Numbers:     Raw Audit Messages :
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13
>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13
>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>
>>>
>>>
>>> Summary
>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>> files (./.X11-unix).
>>> Detailed Description
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>> these files. It is common for users to edit files in their home
>>> directory or tmp directories and then move (mv) them to system
>>> directories. The problem is that the files end up with the wrong file
>>> context which confined applications are not allowed to access.
>>>
>>> Allowing Access
>>> If you want setxkbmap to access this files, you need to relabel them
>>> using restorecon -v './.X11-unix'. You might want to relabel the entire
>>> directory using restorecon -R -v './.X11-unix'.
>>> Additional Information
>>>
>>> Source Context:       system_u:system_r:rhgb_t
>>> Target Context:       system_u:object_r:initrc_tmp_t
>>> Target Objects:       ./.X11-unix [ dir ]
>>> Source:       setxkbmap
>>> Source Path:       /usr/bin/setxkbmap
>>> Port:       <Unknown>
>>> Host:       C5.aardvark.com.au
>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>> Target RPM Packages:      Policy RPM:       selinux-policy-2.4.6-225.el5
>>> Selinux Enabled:       True
>>> Policy Type:       targeted
>>> MLS Enabled:       True
>>> Enforcing Mode:       Permissive
>>> Plugin Name:       home_tmp_bad_labels
>>> Host Name:       C5.aardvark.com.au
>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>> Alert Count:       37
>>> First Seen:       Sun Jan 11 17:55:13 2009
>>> Last Seen:       Mon Aug 10 18:13:19 2009
>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>> Line Numbers:     Raw Audit Messages :
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap"
>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>
>>>
>>>
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>     
>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>
>> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>>
>>   
> Thanks Daniel - but this is the response...
> 
> [root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
> chcon: failed to change context of /tmp/.X11-unix to
> system_u:object_r:xserver_tmp_t: Invalid argument
> chcon: failed to change context of /tmp/.X11-unix/X0 to
> system_u:object_r:xserver_tmp_t: Invalid argument
> chcon: failed to change context of /tmp/.X11-unix/X1005 to
> user_u:object_r:xserver_tmp_t: Invalid argument
> [root at C5 ~]#
> 
> Being pretty green - I don't really understand the problem here. Also -
> if this chcon worked - would this be a permanent solution - or does it
> need to be executed in a boot script?
> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
> relatively small and finite? Also - please excuse my ignorance - but how
> do I make tmpfs the tmp folder?
> 
> Richard.
> 
> 
Must have changed between RHEL5 and F11

Try 

chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix

Add this line to /etc/fstab

tmpfs                   /tmp	                tmpfs   rootcontext="system_u:object_r:tmp_t:s0",defaults        0 0

And reboot.

I don't tend to store huge amounts of stuff in /tmp.  If I want to store big stuff I can always use /var/tmp
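The thread above boils down to two tasks a defender does with every AVC like this: read the raw audit records to see which source type was denied which permission on which target type, and then decide whether the fix is a relabel or a mount option that prevents stale labels from surviving a reboot. The script below is an added example written for this page; it is not code from the thread, from setroubleshoot, or from Red Hat. Its function names (`parse_avc`, `summarize`, `tmpfs_fstab_line`, `mount_has_rootcontext`) are my own. The sample audit records are the ones Richard posted, rejoined onto single lines, and the fstab line it generates mirrors the one Daniel gave.

```python
"""Triage SELinux AVC denials from raw audit lines and check the /tmp mount fix.

Added example for this thread; not setroubleshoot or Red Hat code.
"""
import re
from collections import Counter

# Raw audit messages as posted in the thread (rejoined onto single lines).
# setroubleshoot printed the serial-15 AVC twice, so the sample keeps that
# duplicate to show why records are de-duplicated on (timestamp, serial).
SAMPLE_AUDIT = """\
host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp:serial, result, the permission set in
# braces, and everything after "for", which is a flat key=value list.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level] into its parts (level is None without MLS)."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec.update(timestamp=float(m.group("ts")), serial=int(m.group("serial")),
               result=m.group("result"), perms=tuple(m.group("perms").split()))
    rec["source"] = split_context(rec["scontext"])
    rec["target"] = split_context(rec["tcontext"])
    return rec


def summarize(audit_text):
    """Count distinct denials keyed by (source type, target type, class, perms)."""
    seen = set()
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        ident = (rec["timestamp"], rec["serial"])   # audit serials reset on reboot
        if ident in seen:
            continue
        seen.add(ident)
        key = (rec["source"]["type"], rec["target"]["type"],
               rec["tclass"], " ".join(rec["perms"]))
        counts[key] += 1
    return counts


def tmpfs_fstab_line(mountpoint="/tmp", context="system_u:object_r:tmp_t:s0"):
    """Build the fstab entry Daniel suggested: tmpfs with a fixed root label."""
    return 'tmpfs\t%s\ttmpfs\trootcontext="%s",defaults\t0 0' % (mountpoint, context)


def mount_has_rootcontext(fstab_text, mountpoint="/tmp"):
    """True if fstab mounts `mountpoint` as tmpfs with a rootcontext= option."""
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint and fields[2] == "tmpfs":
            return any(opt.startswith("rootcontext=") for opt in fields[3].split(","))
    return False


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(SAMPLE_AUDIT).items():
        print("%d x %s -> %s (%s: %s)" % (n, stype, ttype, tclass, perms))
    print(tmpfs_fstab_line())
```

Run on the thread's records, the summary collapses the repeated entries into one line: four denials of `rhgb_t` searching a `dir` labelled `initrc_tmp_t`, which is exactly the "stale label under /tmp" shape the setroubleshoot plugin named. The two remedies in the thread differ in persistence: `chcon` rewrites the label on the existing directory only, so it is lost when the directory is recreated or the filesystem is relabelled, whereas the `rootcontext=` tmpfs mount gives /tmp a known label on every boot and discards whatever was left there.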



