AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).

Richard Chapman rchapman at aardvark.com.au
Tue Sep 1 02:53:00 UTC 2009


Daniel J Walsh wrote:
> On 08/30/2009 10:17 PM, Richard Chapman wrote:
>> Hi Daniel
>>
>> FYI: I have just rebooted the system for the first time in ages - and
>> I'm still using /tmp as opposed to tmpfs - and received 2 more AVCs -
>> very similar to the previous ones. If I understood correctly - you were
>> not expecting this to re-occur. I haven't posted the AVCs because I
>> think they are much the same as the originals - but can do so if you are
>> interested.
>>
>> This is not a major problem - but is one of the issues preventing me
>> from using "enforcing" mode. Any thoughts why it has re-occurred?
>>
>> Richard.
>>
>> Daniel J Walsh wrote:
>>> On 08/15/2009 01:05 AM, Richard Chapman wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>>>>>>> I am running Centos 5.3 in permissive mode - and recently I started
>>>>>>>> getting 4 avcs every time I boot the server. I am not sure - but I
>>>>>>>> think
>>>>>>>> these might have started when I changed my desktop from Gnome to
>>>>>>>> KDE. I
>>>>>>>> have tried the relabelling suggested in the AVC - but this hasn't
>>>>>>>> fixed it.
>>>>>>>> Does it look like I have something set up wrong - or is there a
>>>>>>>> policy
>>>>>>>> problem?
>>>>>>>> Richard.
>>>>>>>>
>>>>>>>>
>>>>>>>> Summary
>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>> mislabeled
>>>>>>>> files (./.X11-unix).
>>>>>>>> Detailed Description
>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>> denied but
>>>>>>>> was permitted due to permissive mode.]
>>>>>>>>
>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>> file(s)
>>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>>> to use
>>>>>>>> these files. It is common for users to edit files in their home
>>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>>> file
>>>>>>>> context which confined applications are not allowed to access.
>>>>>>>>
>>>>>>>> Allowing Access
>>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>>> entire
>>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>>> Additional Information
>>>>>>>>
>>>>>>>> Source Context:       system_u:system_r:rhgb_t
>>>>>>>> Target Context:       system_u:object_r:initrc_tmp_t
>>>>>>>> Target Objects:       ./.X11-unix [ dir ]
>>>>>>>> Source:       setxkbmap
>>>>>>>> Source Path:       /usr/bin/setxkbmap
>>>>>>>> Port:       <Unknown>
>>>>>>>> Host:       C5.aardvark.com.au
>>>>>>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>> Target RPM Packages:      Policy RPM:     
>>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>>> Selinux Enabled:       True
>>>>>>>> Policy Type:       targeted
>>>>>>>> MLS Enabled:       True
>>>>>>>> Enforcing Mode:       Permissive
>>>>>>>> Plugin Name:       home_tmp_bad_labels
>>>>>>>> Host Name:       C5.aardvark.com.au
>>>>>>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>>> SMP Tue
>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>> Alert Count:       34
>>>>>>>> First Seen:       Sun Jan 11 17:55:13 2009
>>>>>>>> Last Seen:       Mon Aug 10 18:13:15 2009
>>>>>>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>> Line Numbers:     Raw Audit Messages :
>>>>>>>>
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
>>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>>> a2=13
>>>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>>>>>> ses=4294967295
>>>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>>> a2=13
>>>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
>>>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>>>>>>> ses=4294967295
>>>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap"
>>>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>
>>>>>>>>
>>>>>>>> Summary
>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>> mislabeled
>>>>>>>> files (./.X11-unix).
>>>>>>>> Detailed Description
>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>> denied but
>>>>>>>> was permitted due to permissive mode.]
>>>>>>>>
>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>> file(s)
>>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>>> to use
>>>>>>>> these files. It is common for users to edit files in their home
>>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>>> file
>>>>>>>> context which confined applications are not allowed to access.
>>>>>>>>
>>>>>>>> Allowing Access
>>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>>> entire
>>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>>> Additional Information
>>>>>>>>
>>>>>>>> Source Context:       system_u:system_r:rhgb_t
>>>>>>>> Target Context:       system_u:object_r:initrc_tmp_t
>>>>>>>> Target Objects:       ./.X11-unix [ dir ]
>>>>>>>> Source:       setxkbmap
>>>>>>>> Source Path:       /usr/bin/setxkbmap
>>>>>>>> Port:       <Unknown>
>>>>>>>> Host:       C5.aardvark.com.au
>>>>>>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>> Target RPM Packages:      Policy RPM:     
>>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>>> Selinux Enabled:       True
>>>>>>>> Policy Type:       targeted
>>>>>>>> MLS Enabled:       True
>>>>>>>> Enforcing Mode:       Permissive
>>>>>>>> Plugin Name:       home_tmp_bad_labels
>>>>>>>> Host Name:       C5.aardvark.com.au
>>>>>>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>>> SMP Tue
>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>> Alert Count:       35
>>>>>>>> First Seen:       Sun Jan 11 17:55:13 2009
>>>>>>>> Last Seen:       Mon Aug 10 18:13:16 2009
>>>>>>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>> Line Numbers:     Raw Audit Messages :
>>>>>>>>
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc:
>>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>>> a2=13
>>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>>> suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>>> comm="setxkbmap"
>>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>>> a2=13
>>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>>> suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>>> comm="setxkbmap"
>>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>
>>>>>>>>
>>>>>>>> Summary
>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>> mislabeled
>>>>>>>> files (./.X11-unix).
>>>>>>>> Detailed Description
>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>> denied but
>>>>>>>> was permitted due to permissive mode.]
>>>>>>>>
>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>> file(s)
>>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>>> to use
>>>>>>>> these files. It is common for users to edit files in their home
>>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>>> file
>>>>>>>> context which confined applications are not allowed to access.
>>>>>>>>
>>>>>>>> Allowing Access
>>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>>> entire
>>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>>> Additional Information
>>>>>>>>
>>>>>>>> Source Context:       system_u:system_r:rhgb_t
>>>>>>>> Target Context:       system_u:object_r:initrc_tmp_t
>>>>>>>> Target Objects:       ./.X11-unix [ dir ]
>>>>>>>> Source:       setxkbmap
>>>>>>>> Source Path:       /usr/bin/setxkbmap
>>>>>>>> Port:       <Unknown>
>>>>>>>> Host:       C5.aardvark.com.au
>>>>>>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>> Target RPM Packages:      Policy RPM:     
>>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>>> Selinux Enabled:       True
>>>>>>>> Policy Type:       targeted
>>>>>>>> MLS Enabled:       True
>>>>>>>> Enforcing Mode:       Permissive
>>>>>>>> Plugin Name:       home_tmp_bad_labels
>>>>>>>> Host Name:       C5.aardvark.com.au
>>>>>>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>>> SMP Tue
>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>> Alert Count:       36
>>>>>>>> First Seen:       Sun Jan 11 17:55:13 2009
>>>>>>>> Last Seen:       Mon Aug 10 18:13:17 2009
>>>>>>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>> Line Numbers:     Raw Audit Messages :
>>>>>>>>
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>>>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc:
>>>>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20
>>>>>>>> a2=13
>>>>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>>> suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>>> comm="setxkbmap"
>>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20
>>>>>>>> a2=13
>>>>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>>> suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>>> comm="setxkbmap"
>>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Summary
>>>>>>>> SELinux is preventing the setxkbmap from using potentially
>>>>>>>> mislabeled
>>>>>>>> files (./.X11-unix).
>>>>>>>> Detailed Description
>>>>>>>> [SELinux is in permissive mode, the operation would have been
>>>>>>>> denied but
>>>>>>>> was permitted due to permissive mode.]
>>>>>>>>
>>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled
>>>>>>>> file(s)
>>>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap
>>>>>>>> to use
>>>>>>>> these files. It is common for users to edit files in their home
>>>>>>>> directory or tmp directories and then move (mv) them to system
>>>>>>>> directories. The problem is that the files end up with the wrong
>>>>>>>> file
>>>>>>>> context which confined applications are not allowed to access.
>>>>>>>>
>>>>>>>> Allowing Access
>>>>>>>> If you want setxkbmap to access this files, you need to relabel them
>>>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the
>>>>>>>> entire
>>>>>>>> directory using restorecon -R -v './.X11-unix'.
>>>>>>>> Additional Information
>>>>>>>>
>>>>>>>> Source Context:       system_u:system_r:rhgb_t
>>>>>>>> Target Context:       system_u:object_r:initrc_tmp_t
>>>>>>>> Target Objects:       ./.X11-unix [ dir ]
>>>>>>>> Source:       setxkbmap
>>>>>>>> Source Path:       /usr/bin/setxkbmap
>>>>>>>> Port:       <Unknown>
>>>>>>>> Host:       C5.aardvark.com.au
>>>>>>>> Source RPM Packages:       xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>>> Target RPM Packages:      Policy RPM:     
>>>>>>>> selinux-policy-2.4.6-225.el5
>>>>>>>> Selinux Enabled:       True
>>>>>>>> Policy Type:       targeted
>>>>>>>> MLS Enabled:       True
>>>>>>>> Enforcing Mode:       Permissive
>>>>>>>> Plugin Name:       home_tmp_bad_labels
>>>>>>>> Host Name:       C5.aardvark.com.au
>>>>>>>> Platform:       Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1
>>>>>>>> SMP Tue
>>>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>>> Alert Count:       37
>>>>>>>> First Seen:       Sun Jan 11 17:55:13 2009
>>>>>>>> Last Seen:       Mon Aug 10 18:13:19 2009
>>>>>>>> Local ID:       0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>>> Line Numbers:     Raw Audit Messages :
>>>>>>>>
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc:
>>>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
>>>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
>>>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>>> a2=13
>>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>>> suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>>> comm="setxkbmap"
>>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20):
>>>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0
>>>>>>>> a2=13
>>>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0
>>>>>>>> suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>>>> comm="setxkbmap"
>>>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> fedora-selinux-list mailing list
>>>>>>>> fedora-selinux-list at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>>>
>>>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a
>>>>>>> reboot.
>>>>>>>
>>>>>> Thanks Daniel - but this is the response...
>>>>>>
>>>>>> [root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>> chcon: failed to change context of /tmp/.X11-unix to
>>>>>> system_u:object_r:xserver_tmp_t: Invalid argument
>>>>>> chcon: failed to change context of /tmp/.X11-unix/X0 to
>>>>>> system_u:object_r:xserver_tmp_t: Invalid argument
>>>>>> chcon: failed to change context of /tmp/.X11-unix/X1005 to
>>>>>> user_u:object_r:xserver_tmp_t: Invalid argument
>>>>>> [root at C5 ~]#
>>>>>>
>>>>>> Being pretty green - I don't really understand the problem here.
>>>>>> Also -
>>>>>> if this chcon worked - would this be a permanent solution - or does it
>>>>>> need to be executed in a boot script?
>>>>>> I like your idea of using tmpfs - but is it ever a problem that
>>>>>> tmpfs is
>>>>>> relatively small and finite? Also - please excuse my ignorance -
>>>>>> but how
>>>>>> do I make tmpfs the tmp folder?
>>>>>>
>>>>>> Richard.
>>>>>>
>>>>>>
>>>>> Must have changed between RHEL5 and F11
>>>>>
>>>>> Try
>>>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>>>
>>>>> Add this line to /etc/fstab
>>>>>
>>>>> tmpfs   /tmp   tmpfs   rootcontext="system_u:object_r:tmp_t:s0",defaults   0 0
>>>>>
>>>>> And reboot.
>>>>>
>>>>> I don't tend to store huge amounts of stuff in /tmp.  If I want to
>>>>> store big stuff I can always use /var/tmp
>>>>>
>>>> Thanks Daniel
>>>>
>>>> That chcon command worked fine. Should this be a permanent solution - or
>>>> will new files appearing there need a chcon too? Should I put this
>>>> command into a boot script somewhere?
>>>>
>>>> I'll try tmpfs and see if it ever overflows in practice. Hopefully I'll
>>>> be able to see something in my logwatch if there is ever a problem.
>>>> Currently - it's using less than 1/2 its 2 gigs of ram - so there is
>>>> some room to spare. Seems your suggestion has sparked quite a bit of
>>>> interest...:-)
>>>>
>>>> Thanks again
>>>>
>>>> Richard.
>>>>
>>>>
>>> No the chcon is fine.  It was mislabeled at some point and relabeling
>>> does not touch /tmp
>>>
>
> I guess I would need to see the AVC messages, to make sure they are the same.
>
> What is the label on the /tmp/.X11-unix directory?
>
Hi Daniel
Does this answer your question?

> ls -Za /tmp
drwxrwxrwt  root root system_u:object_r:tmp_t          .
drwxr-xr-x  root root system_u:object_r:root_t         ..
drwxrwxrwt  root root system_u:object_r:xdm_tmp_t      .ICE-unix
-r--r--r--  root root system_u:object_r:xdm_tmp_t      .X0-lock
drwxrwxrwt  root root system_u:object_r:initrc_tmp_t   .X11-unix
drwxrwxrwt  root root system_u:object_r:xfs_tmp_t      .font-unix
srw-rw-rw-  root root system_u:object_r:xdm_tmp_t      .gdm_socket
-rw-------  nx   nx   user_u:object_r:tmp_t            .nX1000-lock
drwxr-xr-x  root root root:object_r:initrc_tmp_t       .webmin
drwx------  root root user_u:object_r:tmp_t            gconfd-root
srwxr-xr-x  root root user_u:object_r:tmp_t            gedit.root.3537314166
srwxr-xr-x  root root user_u:object_r:tmp_t            mapping-root
-rw-r--r--  root root user_u:object_r:tmp_t            sarg-file.in

And just in case it is useful:

> ls -Za /tmp/.X11-unix
drwxrwxrwt  root root system_u:object_r:initrc_tmp_t   .
drwxrwxrwt  root root system_u:object_r:tmp_t          ..
srwxrwxrwx  root root system_u:object_r:initrc_tmp_t   X0

Here are the recent AVCs:

Summary
SELinux is preventing the setxkbmap from using potentially mislabeled 
files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) 
(./.X11-unix). This means that SELinux will not allow setxkbmap to use 
these files. It is common for users to edit files in their home 
directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file 
context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them 
using restorecon -v './.X11-unix'. You might want to relabel the entire 
directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:   	system_u:system_r:rhgb_t
Target Context:   	system_u:object_r:initrc_tmp_t
Target Objects:   	./.X11-unix [ dir ]
Source:   	setxkbmap
Source Path:   	/usr/bin/setxkbmap
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-225.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	home_tmp_bad_labels
Host Name:   	C5.aardvark.com.au
Platform:   	Linux C5.aardvark.com.au 2.6.18-128.7.1.el5 #1 SMP Mon Aug 
24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count:   	38
First Seen:   	Sun Jan 11 17:55:13 2009
Last Seen:   	Mon Aug 31 09:24:11 2009
Local ID:   	0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1251681851.968:15): avc: 
denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1251681851.968:15): avc: 
denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681851.968:15): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 
a3=0 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681851.968:15): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 
a3=0 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)


Summary
SELinux is preventing the setxkbmap from using potentially mislabeled 
files (./.X11-unix).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied setxkbmap access to potentially mislabeled file(s) 
(./.X11-unix). This means that SELinux will not allow setxkbmap to use 
these files. It is common for users to edit files in their home 
directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file 
context which confined applications are not allowed to access.

Allowing Access
If you want setxkbmap to access this files, you need to relabel them 
using restorecon -v './.X11-unix'. You might want to relabel the entire 
directory using restorecon -R -v './.X11-unix'.
Additional Information

Source Context:   	system_u:system_r:rhgb_t
Target Context:   	system_u:object_r:initrc_tmp_t
Target Objects:   	./.X11-unix [ dir ]
Source:   	setxkbmap
Source Path:   	/usr/bin/setxkbmap
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	xorg-x11-xkb-utils-1.0.2-2.1
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-225.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	home_tmp_bad_labels
Host Name:   	C5.aardvark.com.au
Platform:   	Linux C5.aardvark.com.au 2.6.18-128.7.1.el5 #1 SMP Mon Aug 
24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count:   	39
First Seen:   	Sun Jan 11 17:55:13 2009
Last Seen:   	Mon Aug 31 09:24:13 2009
Local ID:   	0950df01-cfad-420a-9e84-4996a8d31942
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1251681853.972:16): avc: 
denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=AVC msg=audit(1251681853.972:16): avc: 
denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" 
dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681853.972:16): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 
a3=8 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681853.972:16): 
arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff95f931b0 a2=13 
a3=8 items=0 ppid=1 pid=4135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" 
exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
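
Added here as a worked example (not code from the thread or from the Fedora/RHEL policy): a small POSIX shell script that collapses raw AVC records like the ones above into one finding, checks a /tmp entry against the type the thread's chcon fix applies (xdm_xserver_tmp_t), and confirms that fstab pins a rootcontext on a tmpfs /tmp. It assumes awk is available; the sample AVC, ls -Za and fstab lines are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: triage raw AVC records like the
# ones above, check a /tmp entry against the type the policy expects, and
# confirm that fstab pins a rootcontext on a tmpfs /tmp.  Requires awk.

# Constructed samples modelled on the thread's output (two identical AVC
# records, a wrapped fstab line joined back together).
SAMPLE_AVC='host=C5.aardvark.com.au type=AVC msg=audit(1251681851.968:15): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1251681851.968:15): arch=c000003e syscall=42 success=no exit=-2 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=AVC msg=audit(1251681853.972:16): avc: denied { search } for pid=4135 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir'
SAMPLE_LS='drwxrwxrwt  root root system_u:object_r:tmp_t          .
drwxrwxrwt  root root system_u:object_r:xdm_tmp_t      .ICE-unix
drwxrwxrwt  root root system_u:object_r:initrc_tmp_t   .X11-unix
drwxrwxrwt  root root system_u:object_r:xfs_tmp_t      .font-unix'
SAMPLE_FSTAB='LABEL=/  /  ext3  defaults  1 1
tmpfs  /tmp  tmpfs  rootcontext="system_u:object_r:tmp_t:s0",defaults  0 0'

# Collapse AVC records on stdin into one line per (comm, source type, target
# type, class, permission) with a count, so the duplicated records that
# setroubleshoot prints read as a single finding.
avc_summary() {
  awk '
    /type=AVC/ && /avc: *denied/ {
      perm = ""
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      comm = s = t = cls = ""
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") < 2) continue
        if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "scontext") s = kv[2]
        else if (kv[1] == "tcontext") t = kv[2]
        else if (kv[1] == "tclass") cls = kv[2]
      }
      gsub("\"", "", comm)
      split(s, sp, ":"); split(t, tp, ":")
      count[comm " " sp[3] " -> " tp[3] " " cls " {" perm "}"]++
    }
    END { for (k in count) print count[k], k }'
}

# Extract the SELinux type (user:role:TYPE[:level]) from an ls -Z line or a
# bare context string.
label_type() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[a-z_]+:object_r:[a-z_]+/) { split($i, c, ":"); print c[3]; exit }
  }'
}

# Read ls -Za output on stdin and report the named entry if its type is not
# the expected one.  Live use: ls -Za /tmp | find_mislabeled .X11-unix xdm_xserver_tmp_t
find_mislabeled() {
  name=$1; expected=$2
  while IFS= read -r line; do
    [ "${line##* }" = "$name" ] || continue
    actual=$(label_type "$line")
    [ "$actual" = "$expected" ] ||
      printf '%s %s (expected %s)\n' "$name" "$actual" "$expected"
  done
}

# Read fstab on stdin and print the rootcontext pinned on a tmpfs /tmp, or
# "none": without it a stale label survives every reboot, as in the thread.
fstab_tmp_rootcontext() {
  awk '$2 == "/tmp" && $3 == "tmpfs" && match($4, /rootcontext=[^,]*/) {
         found = substr($4, RSTART + 12, RLENGTH - 12); gsub("\"", "", found)
       }
       END { print (found == "" ? "none" : found) }'
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AVC" | avc_summary
  printf '%s\n' "$SAMPLE_LS" | find_mislabeled .X11-unix xdm_xserver_tmp_t
  printf '%s\n' "$SAMPLE_FSTAB" | fstab_tmp_rootcontext
fi
```

Run with `--demo` to see the three checks against the constructed samples; on a live RHEL5 box, pipe the real `ausearch -m avc` output, `ls -Za /tmp` and `/etc/fstab` through the same functions.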



