Bug 159187
| Summary: | configurable hotkey feature doesn't work on enforcing mode | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Akira TAGOH <tagoh> |
| Component: | policy | Assignee: | Russell Coker <rcoker> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, eng-i18n-bugs, pgraner, sundaram |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 1.25.3-9 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-09-05 00:40:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Akira TAGOH
2005-05-31 08:46:46 UTC
What avc messages are you seeing? Dan

Actually I haven't seen any avc messages in /var/log/messages. How can I get more info on that?

Are you running audit? If yes the avc messages will go to /usr/log/audit/audit.log.

Thanks. I got:

```
type=AVC msg=audit(1117719768.653:7061488): avc: denied { search } for
pid=7584 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1117719768.653:7061488): arch=40000003 syscall=196
success=no exit=-13 a0=952c790 a1=b7ed50dc a2=3e6ff4 a3=b7ed50dc items=1
pid=7584 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1117719768.653:7061488): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=2 dev=03:06 mode=040755 ouid=0 ogid=0
rdev=00:00
```
It was output when I ran gedit, say.
Hope this helps.

Can you run

```
> setenforce 0
> gedit
```

and see if you get any other avc messages?

Sure.

```
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for
pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for
pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for
pid=13855 comm="iiimd" name=.iiim dev=hda6 ino=5243004
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { getattr } for
pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.663:4402919): arch=40000003 syscall=196
success=yes exit=0 a0=84afc60 a1=b7fa30dc a2=6a7ff4 a3=b7fa30dc items=1
pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=AVC_PATH msg=audit(1118135184.663:4402919):
path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118135184.663:4402919): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118135184.664:4402926): avc: denied { read } for
pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.664:4402926): arch=40000003 syscall=5
success=yes exit=6 a0=84afc60 a1=0 a2=0 a3=84d7ce0 items=1 pid=13855
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1118135184.664:4402926): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
```
This looks like you have a labeling problem. Are your home directories labeled correctly? The file in /home/tagoh.iim/.e.xml.conf should not be labeled default_t. Dan

Hmm, I just did make reload and make relabel under /etc/selinux/targeted/src/policy/, but it's still labeled default_t.

What is the output of

```
ls -lZd /home /home/tagoh.iim
ls -lZ /home/tagoh.iim/e.xml.conf
```

Also do a restorecon -R -v /home/tagoh.iim

```
]$ ls -lZd /home/ /home/tagoh/.iiim/
drwxr-xr-x root root system_u:object_r:default_t /home/
drwxrwxr-x tagoh tagoh user_u:object_r:default_t /home/tagoh/.iiim
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r-- tagoh tagoh user_u:object_r:default_t
/home/tagoh/.iiim/le.xml.conf
# restorecon -R -v /home/tagoh/.iiim/
restorecon reset /home/tagoh/.iiim context
user_u:object_r:default_t->user_u:object_r:user_home_t
restorecon reset /home/tagoh/.iiim/le.xml.conf context
user_u:object_r:default_t->user_u:object_r:user_home_t
$ ls -lZd /home/ /home/tagoh/ /home/tagoh/.iiim/
drwxr-xr-x root root system_u:object_r:default_t /home/
drwxr-xr-x tagoh tagoh system_u:object_r:default_t /home/tagoh/
drwxrwxr-x tagoh tagoh user_u:object_r:user_home_t /home/tagoh/.iiim/
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r-- tagoh tagoh user_u:object_r:user_home_t
/home/tagoh/.iiim/le.xml.conf
```
Ok, let me try again:

```
# setenforce 1
```

still doesn't work.

```
# setenforce 0
type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for
pid=884 comm="iiimd" name=.iiim dev=hda6 ino=5243004
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for
pid=884 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { getattr } for
pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949755): arch=40000003 syscall=196
success=yes exit=0 a0=84f6148 a1=b75810dc a2=6a7ff4 a3=b75810dc items=1 pid=884
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd"
exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=AVC_PATH msg=audit(1118241917.468:13949755):
path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118241917.468:13949755): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118241917.468:13949771): avc: denied { read } for pid=884
comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5
success=yes exit=8 a0=84f6148 a1=0 a2=0 a3=85000e0 items=1 pid=884
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd"
exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=PATH msg=audit(1118241917.468:13949771): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
```
Ok we are closer. You need to restorecon at the home dir though: restorecon -R -v /home. That will eliminate one of your messages. Now the bigger question: isn't there a better way than allowing i18n_input to read the users' home directories? This is a server application that has to go rooting around in the users' home dir for config files???? Dan

Removing i18n_input from targeted policy so it will run unconfined.

selinux-policy-targeted-1.25.3-9
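The thread above turns on telling a labeling problem (target labeled default_t, fixed by restorecon) apart from a genuine policy gap (i18n_input_t reading user_home_t files, which needs a policy decision). The script below is an added example, not part of this bug report or of the Fedora SELinux tooling: it parses audit.log AVC and SYSCALL records, decodes the hex-encoded exe= form that appears in the last log in the report, and sorts each denial into one of those two buckets. The sample log is constructed from the denials pasted above, with each record on a single line as auditd writes it. The FALLBACK_TYPES set is an assumption about which target types signal an unlabeled object; adjust it for the policy in use.

```python
import re
from collections import Counter

# auditd hex-encodes these fields when the value holds spaces or quotes
# (e.g. exe=2F7573... for "/usr/bin/iiimd.#prelink#.QOfWjb (deleted)").
HEX_FIELDS = {"exe", "comm", "name", "path", "cwd"}

# Assumption: a target carrying one of these types was never matched by
# file_contexts, so the first fix is relabeling rather than a policy change.
FALLBACK_TYPES = {"default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(key, value):
    """Strip quotes, or hex-decode the fields auditd encodes that way."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]{2,}", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_fields(text):
    return {k: decode_value(k, v) for k, v in FIELD_RE.findall(text)}


def context_type(ctx):
    """user:role:type[:level] -> type"""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_audit(text):
    """Return AVC records, each joined with the exe= of the SYSCALL record sharing its serial."""
    avcs, exe_by_serial = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = AVC_RE.match(line)
        if m:
            rec = parse_fields(m.group("fields"))
            rec.update(serial=m.group("serial"), ts=float(m.group("ts")),
                       action=m.group("action"), perms=m.group("perms").split())
            avcs.append(rec)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            fields = parse_fields(m.group("fields"))
            if "exe" in fields:
                exe_by_serial[m.group("serial")] = fields["exe"]
    for rec in avcs:
        rec["exe"] = exe_by_serial.get(rec["serial"])
    return avcs


def triage(avcs):
    """Count denials per (source type, target type, class, perm) and split
    them into labeling suspects and real policy gaps."""
    counts, labeling, policy = Counter(), [], []
    for rec in avcs:
        if rec["action"] != "denied":
            continue
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        for perm in rec["perms"]:
            key = (src, tgt, rec["tclass"], perm)
            counts[key] += 1
            entry = {"key": key, "name": rec.get("name"), "exe": rec.get("exe")}
            (labeling if tgt in FALLBACK_TYPES else policy).append(entry)
    return {"counts": counts, "labeling": labeling, "policy": policy}


def summarize(result):
    """One line per denial: relabel, or decide whether policy should allow it."""
    lines = []
    for e in result["labeling"]:
        src, tgt, cls, perm = e["key"]
        lines.append(f"LABELING {src} -> {tgt} {cls}:{perm} on {e['name']!r}: run restorecon -R -v on the parent")
    for e in result["policy"]:
        src, tgt, cls, perm = e["key"]
        lines.append(f"POLICY   {src} -> {tgt} {cls}:{perm} on {e['name']!r} (exe={e['exe']})")
    return lines


# Constructed sample built from the denials in this report, one record per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for  pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for  pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { getattr } for  pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.663:4402919): arch=40000003 syscall=196 success=yes exit=0 pid=13855 uid=100 comm="iiimd" exe="/usr/bin/iiimd"
type=AVC msg=audit(1118241917.468:13949771): avc:  denied  { read } for  pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5 success=yes exit=8 pid=884 uid=100 comm="iiimd" exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
"""

if __name__ == "__main__":
    for line in summarize(triage(parse_audit(SAMPLE_LOG))):
        print(line)
```

Run against a real file with `parse_audit(open("/var/log/audit/audit.log").read())`. The two default_t denials land in the LABELING bucket, which is exactly what restorecon fixed in the report; the user_home_t read survives relabeling and shows up as POLICY, the question Dan raises at the end.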