Bug 2240159

Summary: systemd-localed needs directory create access on /etc/X11/xorg.conf.d
Product: Fedora
Component: selinux-policy
Version: 38
Reporter: Hector Martin <marcan>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, ngompa13, nknazeko, omosnacek, pkoncity, vmojzis, zbyszek, zpytela
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: SELinux
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-38.29-1.fc38
Last Closed: 2023-10-06 01:28:30 UTC

Description Hector Martin 2023-09-22 06:37:58 UTC
systemd-localed manages the X11 keyboard configuration at /etc/X11/xorg.conf.d/00-keyboard.conf. This file isn't just used for X11, but is canonically parsed by various Wayland-based tools and such in order to obtain the XKB keyboard layout config (yay legacy).

This works fine if /etc/X11/xorg.conf.d exists. However, if it doesn't, systemd-localed tries to create the directory, and gets denied by SELinux.

If the parent /etc/X11 does not exist either, that gets created too. So systemd-localed needs create access to:

- /etc/X11
- /etc/X11/xorg.conf.d

SELinux deny report:

----
SELinux is preventing systemd-localed from create access on the directory xorg.conf.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-localed should be allowed create access on the xorg.conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-localed' --raw | audit2allow -M my-systemdlocaled
# semodule -X 300 -i my-systemdlocaled.pp

Additional Information:
Source Context                system_u:system_r:systemd_localed_t:s0
Target Context                system_u:object_r:xserver_etc_t:s0
Target Objects                xorg.conf.d [ dir ]
Source                        systemd-localed
Source Path                   systemd-localed
Port                          <Unknown>
Host                          macherie
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.28-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.28-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     macherie
Platform                      Linux macherie 6.5.4-402.asahi.fc38.aarch64+16k #1
                              SMP PREEMPT_DYNAMIC Thu Sep 21 11:57:55 UTC 2023
                              aarch64
Alert Count                   3
First Seen                    2023-09-22 15:17:02 JST
Last Seen                     2023-09-22 15:17:27 JST
Local ID                      9a2e81e9-f57f-4c71-80ea-a0da04dca58e

Raw Audit Messages
type=AVC msg=audit(1695363447.636:377): avc:  denied  { create } for  pid=3121 comm="systemd-localed" name="xorg.conf.d" scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0


Hash: systemd-localed,systemd_localed_t,xserver_etc_t,dir,create
---

Reproducible: Always

Steps to Reproduce:
1. Install a system with no X11 configs (so /etc/X11/xorg.conf.d does not exist, or delete/move it if it does)
2. `localectl set-x11-keymap us`
Actual Results:  
/etc/X11/xorg.conf.d still does not exist, SELinux denial.

Expected Results:  
/etc/X11/xorg.conf.d is created and 00-keyboard.conf within it.

Comment 1 Milos Malik 2023-09-22 06:49:24 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(09/22/2023 02:48:22.657:493) : proctitle=/usr/lib/systemd/systemd-localed 
type=PATH msg=audit(09/22/2023 02:48:22.657:493) : item=1 name=/etc/X11/xorg.conf.d nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/22/2023 02:48:22.657:493) : item=0 name=/etc/X11/ inode=137769 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/22/2023 02:48:22.657:493) : cwd=/ 
type=SYSCALL msg=audit(09/22/2023 02:48:22.657:493) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x557c22a4c0ea a2=0755 a3=0x0 items=2 ppid=1 pid=1706 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-localed exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0 key=(null) 
type=AVC msg=audit(09/22/2023 02:48:22.657:493) : avc:  denied  { create } for  pid=1706 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0 
----

# rpm -qa selinux\*
selinux-policy-38.27-1.fc38.noarch
selinux-policy-targeted-38.27-1.fc38.noarch
#

Comment 2 Milos Malik 2023-09-22 06:52:55 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(09/22/2023 02:50:04.280:504) : proctitle=/usr/lib/systemd/systemd-localed 
type=PATH msg=audit(09/22/2023 02:50:04.280:504) : item=1 name=/etc/X11/xorg.conf.d inode=262180 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xserver_etc_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/22/2023 02:50:04.280:504) : item=0 name=/etc/X11/ inode=137769 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/22/2023 02:50:04.280:504) : cwd=/ 
type=SYSCALL msg=audit(09/22/2023 02:50:04.280:504) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=AT_FDCWD a1=0x5621a26be0ea a2=0755 a3=0x0 items=2 ppid=1 pid=1726 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-localed exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0 key=(null) 
type=AVC msg=audit(09/22/2023 02:50:04.280:504) : avc:  denied  { create } for  pid=1726 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=1 
----

# ls -ldZ /etc/X11/xorg.conf.d
drwxr-xr-x. 2 root root system_u:object_r:xserver_etc_t:s0 4096 Sep 22 02:50 /etc/X11/xorg.conf.d
# ls -lZ /etc/X11/xorg.conf.d/
total 4
-rw-r--r--. 1 root root system_u:object_r:xserver_etc_t:s0 311 Sep 22 02:50 00-keyboard.conf
#
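
The AVC records in this report (the raw enforcing-mode line in the description and the `ausearch -i` formatted permissive-mode line in comment 2) can be turned into a minimal CIL allow rule by hand, rather than running audit2allow over everything `ausearch -c systemd-localed` returns. The following is an added example and not code from the bug report or from selinux-policy; the sample audit lines are copied from this report, and the function name `avc_to_cil` is this example's own. It extracts the source type, target type, object class and permission set from each AVC record, ignores other record types, de-duplicates across the enforcing and permissive captures, and prints one CIL `allow` statement per (source, target, class) triple.

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): convert raw
# AVC records into minimal CIL allow rules for a local policy module.
# SAMPLE_AVC is copied from this report: the enforcing-mode AVC from the
# description and the PATH + AVC records from the permissive run in comment 2.
# The PATH record is there to show that non-AVC records are ignored.
# The function name avc_to_cil is this example's own.
SAMPLE_AVC='type=AVC msg=audit(1695363447.636:377): avc:  denied  { create } for  pid=3121 comm="systemd-localed" name="xorg.conf.d" scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
type=PATH msg=audit(09/22/2023 02:50:04.280:504) : item=0 name=/etc/X11/ inode=137769 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(09/22/2023 02:50:04.280:504) : avc:  denied  { create } for  pid=1726 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=1'

# Read audit records on stdin (raw audit.log lines or `ausearch -i` output) and
# print one CIL statement per (source type, target type, object class) with
# the union of the denied permissions, in first-seen order.
avc_to_cil() {
    awk '
    /avc: *denied/ {
        # The permission set is the word list between "{" and "}".
        perms = $0
        sub(/.*denied *\{ */, "", perms)
        sub(/ *\}.*/, "", perms)
        # A context is user:role:type:level; the type is the third field.
        sc = tc = cl = ""
        for (i = 1; i <= NF; i++) {
            if (sub(/^scontext=/, "", $i)) { split($i, a, ":"); sc = a[3] }
            else if (sub(/^tcontext=/, "", $i)) { split($i, b, ":"); tc = b[3] }
            else if (sub(/^tclass=/, "", $i)) cl = $i
        }
        if (sc == "" || tc == "" || cl == "") next
        key = sc " " tc " " cl
        if (!(key in rules)) { keys[++count] = key; rules[key] = "" }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) rules[key] = rules[key] " " p[j]
    }
    END {
        for (k = 1; k <= count; k++) {
            split(keys[k], f, " ")
            printf "(allow %s %s (%s (%s)))\n", f[1], f[2], f[3], substr(rules[keys[k]], 2)
        }
    }'
}

# Usage on a live system (needs root):
#   ausearch -m AVC -c systemd-localed --raw | avc_to_cil > local_localed.cil
# On the sample records this prints a single statement for the one denied
# permission: (allow systemd_localed_t xserver_etc_t (dir (create)))
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
```

The permissive run in comment 2 logged only `{ create }` on the `xserver_etc_t` directory, with no denial on the `etc_t` parent or on the `00-keyboard.conf` file that was written afterwards, so that single statement is the whole local workaround for the path exercised here. Load it with `semodule -i local_localed.cil` until the fixed selinux-policy build is installed, then drop it with `semodule -r local_localed`. Review the generated rules before loading them: output built from everything `ausearch -c` returns also grants whatever unrelated denials the daemon happened to log. If `/etc/X11` itself is missing, as the description says it can be, expect an additional AVC for creating that directory; capture it and rerun the generator rather than guessing the rule.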

Comment 3 Zdenek Pytela 2023-09-22 06:58:41 UTC
Hector,

The directory exists in a common installation and is a part of the xorg-x11-server-Xorg package:

# rpm -qf /etc/X11/xorg.conf.d
xorg-x11-server-Xorg-1.20.14-23.fc38.x86_64

How can you get to the state where the directory does not exist?

Comment 4 Milos Malik 2023-09-22 07:06:46 UTC
When a Fedora machine is installed without any graphical applications, the picture looks this way:

# rpm -qa | grep -i -e x11 -e xorg
# rpm -qf /etc/X11/xorg.conf.d/
file /etc/X11/xorg.conf.d is not owned by any package
#

Comment 5 Neal Gompa 2023-09-22 07:30:17 UTC
(In reply to Zdenek Pytela from comment #3)
> Hector,
> 
> The directory exists in a common installation and is a part of the
> xorg-x11-server-Xorg package:
> 
> # rpm -qf /etc/X11/xorg.conf.d
> xorg-x11-server-Xorg-1.20.14-23.fc38.x86_64
> 
> How can you get to the state where the directory does not exist?

We do not install xorg-x11-server-Xorg in Fedora Asahi Remix images.

Comment 6 Hector Martin 2023-09-22 07:37:13 UTC
To add more context: XKB keyboard layouts are universally used by X11 and Wayland, and there needs to be a way to configure the systemwide XKB keyboard layout. For legacy reasons, a bunch of tools will parse the Xorg config file to figure out the configured layout, **even if Xorg is not in use in any way**. This is why localed messes with that file, and needs to do so even if Xorg isn't in the picture.

So a pure Wayland machine will not (and should not) have xorg-x11-server-Xorg installed, and thus will not have that directory. But localectl still needs to work. This also affects machines without graphics packages at all, since they still have systemd-localed.

Comment 7 Milos Malik 2023-09-22 10:30:35 UTC
The problem is reproducible on RHEL-8 and RHEL-9 too.

Comment 8 Milos Malik 2023-09-22 10:59:09 UTC
Test coverage for this BZ exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/429

The PR is waiting for review.

Comment 9 Fedora Update System 2023-10-02 11:44:09 UTC
FEDORA-2023-b001a7edcc has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc

Comment 10 Fedora Update System 2023-10-03 03:31:04 UTC
FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b001a7edcc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-10-06 01:28:30 UTC
FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.