Bug 440704
| Summary: | SELinux - problem by trying to change Gnome's keyboard layout | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gianluca Varisco <gvarisco> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | jkubin, nobody |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-04-06 11:05:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.3.1-29.fc9 |
Description of problem: "SELinux has denied loadkeys access to potentially mislabeled file(s) (/home/gvarisco/.xsession-errors). This means that SELinux will not allow loadkeys to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. " Version-Release number of selected component (if applicable): selinux-policy-3.3.1-26.fc9.noarch selinux-policy-targeted-3.3.1-26.fc9.noarch Steps to Reproduce: 1. launch System-Administration-Keyboard 2. Select your keyboard's layout and click OK 3. An AVC denial will appear by showing this SELinux report. Actual results: SELinux is preventing the loadkeys from using potentially mislabeled files (/home/gvarisco/.xsession-errors). Detailed Description: SELinux has denied loadkeys access to potentially mislabeled file(s) (/home/gvarisco/.xsession-errors). This means that SELinux will not allow loadkeys to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Additional Information: Source Context unconfined_u:unconfined_r:loadkeys_t:SystemLow- SystemHigh Target Context unconfined_u:object_r:user_home_t Target Objects /home/gvarisco/.xsession-errors [ file ] Source loadkeys Source Path /bin/loadkeys Port <Unknown> Host devbox Source RPM Packages kbd-1.12-31.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-26.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name devbox Platform Linux devbox 2.6.25-0.185.rc7.git6.fc9.i686 #1 SMP Tue Apr 1 13:48:40 EDT 2008 i686 i686 Alert Count 6 First Seen Fri 04 Apr 2008 05:01:14 PM CEST Last Seen Fri 04 Apr 2008 05:03:01 PM CEST Local ID 19c80ae3-8898-4cd1-8e71-9a4894228bfb Line Numbers Raw Audit Messages host=devbox type=AVC msg=audit(1207321381.811:39): avc: denied { read append } for pid=2882 comm="loadkeys" path="/home/gvarisco/.xsession-errors" dev=dm-1 ino=139274 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file host=devbox type=AVC msg=audit(1207321381.811:39): avc: denied { read append } for pid=2882 comm="loadkeys" path="/home/gvarisco/.xsession-errors" dev=dm-1 ino=139274 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file host=devbox type=SYSCALL msg=audit(1207321381.811:39): arch=40000003 syscall=11 success=yes exit=0 a0=9964bb0 a1=95ee688 a2=bf99aee0 a3=9454c70 items=0 ppid=2767 pid=2882 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="loadkeys" exe="/bin/loadkeys" subj=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 key=(null) Many thanks for your help ;-)