Bug 403081

Summary: SELinux denies loadkeys access to .xsession-errors when changing keyboard with system-config-keyboard
Product: [Fedora] Fedora
Reporter: Oliver Henshaw <oliver.henshaw>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
CC: vcrhonek
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-12-12 22:10:00 UTC

Description Oliver Henshaw 2007-11-28 16:04:11 UTC
Version-Release number of selected component (if applicable):

kbd-1.12-27.fc8

How reproducible:

After using system-config-keyboard to select a keyboard (even if it's the same
keyboard as before) I get a selinux troubleshooter alert.

Additional info:

Summary
    SELinux is preventing loadkeys (loadkeys_t) "write" to /home/henshaw
    /.xsession-errors (unconfined_home_t).

Detailed Description
    SELinux denied access requested by loadkeys. /home/henshaw/.xsession-errors
    may be a mislabeled.  /home/henshaw/.xsession-errors default SELinux type is
    <B>user_home_t</B>, while its current type is <B>unconfined_home_t</B>.
    Changing this file back to the default type, may fix your problem. File
    contexts can get assigned to a file can following ways.  <ul> <li>Files
    created in a directory recieve the file context of the parent directory by
    default. <li>Users can change the file context on a file using tools like
    chcon, or restorecon. <li>The kernel can decide via policy that an
    application running as context A Creating a file in a directory labeled B
    will create files labeled C. </ul> This file could have been mislabeled
    either by user error, or if an normally confined application was run under
    the wrong domain. Of course this could also indicate a bug in SELinux, in
    that the file should not be labeled with this type.  If you believe this is
    a bug, please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    You can restore the default system context to this file by executing the
    restorecon command.  restorecon /home/henshaw/.xsession-errors, if this file
    is a directory, you can recursively restore using restorecon -R
    /home/henshaw/.xsession-errors.

    The following command will allow this access:
    restorecon /home/henshaw/.xsession-errors

Additional Information        

Source Context                system_u:system_r:loadkeys_t:s0
Target Context                unconfined_u:object_r:unconfined_home_t:s0
Target Objects                /home/henshaw/.xsession-errors [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.restorecon
Host Name                     mostin
Platform                      Linux mostin 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Wed 28 Nov 2007 14:15:04 GMT
Last Seen                     Wed 28 Nov 2007 14:15:04 GMT
Local ID                      d2196c88-b709-43c2-900c-463a0c5553cc
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=loadkeys dev=dm-6 path=/home/henshaw/.xsession-errors
pid=4012 scontext=system_u:system_r:loadkeys_t:s0 tclass=file
tcontext=unconfined_u:object_r:unconfined_home_t:s0
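
Added example, not part of the original report or of setroubleshoot: a small Python parser for the raw audit message above that extracts the source domain, target type and denied access, and flags a label mismatch against the default type the alert names (user_home_t). The function names and the default_type parameter are assumptions of this example; the sample is the report's message joined onto one line.

```python
import re

# Constructed sample: the raw audit message from this report on a single line.
SAMPLE_AVC = (
    "avc: denied { write } for comm=loadkeys dev=dm-6 "
    "path=/home/henshaw/.xsession-errors pid=4012 "
    "scontext=system_u:system_r:loadkeys_t:s0 tclass=file "
    "tcontext=unconfined_u:object_r:unconfined_home_t:s0"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Split an AVC message into decision, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC message")
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    # Values may be bare tokens or double-quoted strings.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = value.strip('"')
    return rec


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def triage(rec, default_type=None):
    """Summarise a denial; flag a label mismatch when a default type is given."""
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    return {
        "source_domain": src,
        "target_type": tgt,
        "access": "%s:%s { %s }" % (tgt, rec["tclass"], " ".join(rec["perms"])),
        # default_type is supplied by the caller (assumption of this example).
        "mislabeled": default_type is not None and tgt != default_type,
    }
```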

Comment 1 Daniel Walsh 2007-12-01 13:17:16 UTC
You can safely ignore this; this is just a redirection of loadkeys terminal to
this file.

Fixed in selinux-policy-3.0.8-63.fc8

Comment 2 Oliver Henshaw 2007-12-12 16:02:42 UTC
This does appear to be solved on updating to selinux-policy-3.0.8-64.fc8. I'm
not sure what the proper bugzilla resolution etiquette is.

Comment 3 Daniel Walsh 2007-12-12 22:10:00 UTC
Just close the bug.  :^)