Bug 159187
Summary: | configurable hotkey feature doesn't work on enforcing mode | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Akira TAGOH <tagoh> |
Component: | policy | Assignee: | Russell Coker <rcoker> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | dwalsh, eng-i18n-bugs, pgraner, sundaram |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 1.25.3-9 | Doc Type: | Bug Fix |
Last Closed: | 2005-09-05 00:40:42 UTC | Type: | --- |
Description
Akira TAGOH
2005-05-31 08:46:46 UTC
What avc messages are you seeing?

Dan

Actually I haven't seen any avc messages in /var/log/messages. How can I get more info on that?

Are you running audit? If yes, the avc messages will go to /usr/log/audit/audit.log.

Thanks. I got:

type=AVC msg=audit(1117719768.653:7061488): avc: denied { search } for pid=7584 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1117719768.653:7061488): arch=40000003 syscall=196 success=no exit=-13 a0=952c790 a1=b7ed50dc a2=3e6ff4 a3=b7ed50dc items=1 pid=7584 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1117719768.653:7061488): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=2 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00

it was output when I run gedit say. Hope this helps.

Can you run
> setenforce 0
> gedit
and see if you get any other avc messages?

Sure.

type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=.iiim dev=hda6 ino=5243004 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { getattr } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.663:4402919): arch=40000003 syscall=196 success=yes exit=0 a0=84afc60 a1=b7fa30dc a2=6a7ff4 a3=b7fa30dc items=1 pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=AVC_PATH msg=audit(1118135184.663:4402919): path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118135184.663:4402919): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118135184.664:4402926): avc: denied { read } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.664:4402926): arch=40000003 syscall=5 success=yes exit=6 a0=84afc60 a1=0 a2=0 a3=84d7ce0 items=1 pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1118135184.664:4402926): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00

This looks like you have a labeling problem. Are your home directories labeled correctly? The file in /home/tagoh.iim/.e.xml.conf should not be labeled default_t.

Dan

Hmm, I just did make reload and make relabel under /etc/selinux/targeted/src/policy/. but it's still labeled default_t.

What is the output of

ls -lZd /home /home/tagoh.iim
ls -lZ /home/tagoh.iim/e.xml.conf

Also do a

restorecon -R -v /home/tagoh.iim

]$ ls -lZd /home/ /home/tagoh/.iiim/
drwxr-xr-x root root system_u:object_r:default_t /home/
drwxrwxr-x tagoh tagoh user_u:object_r:default_t /home/tagoh/.iiim
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r-- tagoh tagoh user_u:object_r:default_t /home/tagoh/.iiim/le.xml.conf
# restorecon -R -v /home/tagoh/.iiim/
restorecon reset /home/tagoh/.iiim context user_u:object_r:default_t->user_u:object_r:user_home_t
restorecon reset /home/tagoh/.iiim/le.xml.conf context user_u:object_r:default_t->user_u:object_r:user_home_t
$ ls -lZd /home/ /home/tagoh/ /home/tagoh/.iiim/
drwxr-xr-x root root system_u:object_r:default_t /home/
drwxr-xr-x tagoh tagoh system_u:object_r:default_t /home/tagoh/
drwxrwxr-x tagoh tagoh user_u:object_r:user_home_t /home/tagoh/.iiim/
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r-- tagoh tagoh user_u:object_r:user_home_t /home/tagoh/.iiim/le.xml.conf

Ok, let me try again:

# setenforce 1

still doesn't work.

# setenforce 0

type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for pid=884 comm="iiimd" name=.iiim dev=hda6 ino=5243004 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for pid=884 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { getattr } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949755): arch=40000003 syscall=196 success=yes exit=0 a0=84f6148 a1=b75810dc a2=6a7ff4 a3=b75810dc items=1 pid=884 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=AVC_PATH msg=audit(1118241917.468:13949755): path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118241917.468:13949755): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118241917.468:13949771): avc: denied { read } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5 success=yes exit=8 a0=84f6148 a1=0 a2=0 a3=85000e0 items=1 pid=884 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=PATH msg=audit(1118241917.468:13949771): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00

Ok we are closer.
You need to restorecon at the home dir though

restorecon -R -v /home

That will eliminate one of your messages.

Now the bigger question: isn't there a better way than allowing i18n_input to read the users home directories? This is a server application that has to go rooting around in the users home dir for config files????

Dan

Removing i18n_input from targeted policy so it will run unconfined.

selinux-policy-targeted-1.25.3-9
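
A triage step for denials like the ones in this thread, as an added example (not part of the original bug report and not SELinux tooling): the Python below groups AVC records by source type, target type and class, and lists the objects still carrying the catch-all default_t label, which the thread treats as a labeling problem to fix with restorecon. The sample lines are copied from the records quoted above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records copied from the audit output quoted in this thread.
SAMPLE = """\
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { getattr } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=AVC_PATH msg=audit(1118135184.663:4402919): path="/home/tagoh/.iiim/le.xml.conf"
type=AVC msg=audit(1118241917.468:13949771): avc: denied { read } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
"""

# Matches only type=AVC denial records; AVC_PATH, SYSCALL and PATH are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"name=(?P<name>\S+).*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials as (source type, target type, class) -> perms and names."""
    rules = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["names"].add(m["name"])
    return dict(rules)

def mislabeled(rules, catch_all="default_t"):
    """Object names whose target type is the catch-all label (relabel these first)."""
    return sorted(n for (_, t, _), v in rules.items() if t == catch_all
                  for n in v["names"])

if __name__ == "__main__":
    rules = summarize(SAMPLE)
    for (src, tgt, cls), v in sorted(rules.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(v['perms']))} }}")
    print("relabel candidates:", mislabeled(rules))
```

Denials that remain after relabeling (here, i18n_input_t reading user_home_t files) are the ones that reflect a real policy decision.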