Bug 197829

Summary: selinux prevents X clients from starting
Product: [Fedora] Fedora
Reporter: Matt Domsch <matt_domsch>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: high
Priority: high
Version: rawhide
CC: dwalsh
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-10-05 12:09:47 UTC

Description Matt Domsch 2006-07-06 17:58:03 UTC
Description of problem:
Running FC6test1 i386 on a Dell Latitude D610 laptop worked fine.  Upgrading to
rawhide a couple weeks later, and X no longer starts unless selinux is not in
enforcing mode.  setenforce 0 lets X start again, setenforce 1 causes it to fail
again.

Here are the audit logs starting from running 'setenforce 1', and then starting
X.  Note that X clients cannot connect to the X server using localhost.  Killing
X, then running 'setenforce 0' allows X to start.


type=AVC msg=audit(1152202223.489:661): avc:  granted  { setenforce } for 
pid=3352 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=MAC_STATUS msg=audit(1152202223.489:661): enforcing=1 old_enforcing=0 auid=1003
type=SYSCALL msg=audit(1152202223.489:661): arch=40000003 syscall=4 success=yes
exit=1 a0=3 a1=bf9c11c4 a2=1 a3=bf9c11c4 items=0 ppid=3326 pid=3352 auid=1003
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1
comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0
type=AVC msg=audit(1152202229.397:662): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32802 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202229.397:662): arch=40000003 syscall=102
success=yes exit=30 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202229.397:662): nargs=4 a0=6 a1=bfb6b210 a2=1e
a3=4000
type=AVC msg=audit(1152202234.406:663): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32803 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202234.406:663): arch=40000003 syscall=102
success=yes exit=51 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202234.406:663): nargs=4 a0=6 a1=bfb6b210 a2=33
a3=4000
type=AVC msg=audit(1152202235.018:664): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=60.56.119.79 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1152202235.018:664): arch=40000003 syscall=102 success=no
exit=-1 a0=b a1=bfa8df50 a2=4cba98 a3=30 items=0 ppid=1 pid=1962 auid=4294967295
uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none)
comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0
type=SOCKADDR msg=audit(1152202235.018:664): saddr=0200007B3C38774F0000000000000000
type=SOCKETCALL msg=audit(1152202235.018:664): nargs=6 a0=10 a1=bfa8e020 a2=30
a3=0 a4=4d5e08 a5=10
type=AVC msg=audit(1152202239.018:665): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=62.3.211.186 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1152202239.018:665): arch=40000003 syscall=102 success=no
exit=-1 a0=b a1=bfa8df50 a2=4cba98 a3=30 items=0 ppid=1 pid=1962 auid=4294967295
uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none)
comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0
type=SOCKADDR msg=audit(1152202239.018:665): saddr=0200007B3E03D3BA0000000000000000
type=SOCKETCALL msg=audit(1152202239.018:665): nargs=6 a0=10 a1=bfa8e020 a2=30
a3=0 a4=4d5b08 a5=10
type=AVC msg=audit(1152202239.414:666): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32804 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202239.414:666): arch=40000003 syscall=102
success=yes exit=42 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202239.414:666): nargs=4 a0=6 a1=bfb6b210 a2=2a
a3=4000
type=AVC msg=audit(1152202244.418:667): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32805 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202244.418:667): arch=40000003 syscall=102
success=yes exit=30 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202244.418:667): nargs=4 a0=6 a1=bfb6b210 a2=1e
a3=4000
type=AVC msg=audit(1152202249.431:668): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32806 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202249.431:668): arch=40000003 syscall=102
success=yes exit=51 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202249.431:668): nargs=4 a0=6 a1=bfb6b210 a2=33
a3=4000
type=AVC msg=audit(1152202254.435:669): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32807 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202254.435:669): arch=40000003 syscall=102
success=yes exit=42 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202254.435:669): nargs=4 a0=6 a1=bfb6b210 a2=2a
a3=4000
type=AVC msg=audit(1152202259.435:670): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32808 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202259.435:670): arch=40000003 syscall=102
success=yes exit=28 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202259.435:670): nargs=4 a0=6 a1=bfb6b210 a2=1c
a3=4000

Comment 1 Daniel Walsh 2006-07-11 14:40:17 UTC
Fixed in selinux-policy-2.3.2-1
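
Added example (not part of the original report or of selinux-policy): a small triage script that re-joins the hard-wrapped audit records from the description and counts AVC denials by source type, permission, target type and class. The function names are illustrative, and the sample is an excerpt of the log above.

```python
import re
from collections import Counter
# Excerpt of the AVC records from the report's log, wrapped as on the page.
SAMPLE = """\
type=AVC msg=audit(1152202223.489:661): avc:  granted  { setenforce } for
pid=3352 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1152202229.397:662): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32802 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=AVC msg=audit(1152202235.018:664): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=60.56.119.79 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1152202239.018:665): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=62.3.211.186 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"""
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def join_records(text):
    # A record starts at "type="; any other line is a wrapped continuation.
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize_denials(text):
    """Count denials by (source type, permission, target type, class)."""
    counts = Counter()
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not rec.startswith("type=AVC") or not m or m.group(1) != "denied":
            continue  # skips granted AVCs and SYSCALL/SOCKETCALL records
        f = dict(FIELD_RE.findall(rec))
        src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
        for perm in m.group(2).split():
            counts[(src, perm, tgt, f["tclass"])] += 1
    return counts

if __name__ == "__main__":
    for (src, perm, tgt, cls), n in summarize_denials(SAMPLE).items():
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```

On this excerpt every denial has tclass=packet with an unlabeled_t target, which is the pattern that runs through the whole log in the description.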