Bug 477781
| Summary: | SELinux issues blocking start of X | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> | ||||||||
| Component: | xorg-x11-server | Assignee: | Adam Jackson <ajax> | ||||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | 10 | CC: | dwalsh, mcepl, peter.hutterer, xgl-maint | ||||||||
| Target Milestone: | --- | Keywords: | SELinux | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2009-01-05 17:20:35 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 327761 [details]
/var/log/Xorg.0.log (with the additional module)
Created attachment 327762 [details]
/var/log/audit/audit.log
I totally don't discard a possibility that there is something very broken with my computer, but no idea what. I will take a liberty to call my bug triaged ;-). wait. the log says "X.Org X Server 1.5.99.3". This is the rawhide X server, yet you say it's supposed to be package xorg-x11-server-Xorg-1.5.3-6.fc10.i386. I don't know what policy you have but most of these are in policy 35 on F10. It also looks to me like you have a partially upgraded rawhide system (In reply to comment #4) > wait. the log says "X.Org X Server 1.5.99.3". This is the rawhide X server, yet > you say it's supposed to be package xorg-x11-server-Xorg-1.5.3-6.fc10.i386. ??? [matej@hubmaier ~]$ rpm -q xorg-x11-server-Xorg xorg-x11-server-Xorg-1.5.99.3-5.fc11.x86_64 [matej@hubmaier ~]$ Upgraded everything, restarted, and now it works. No idea, what has changed. |
Created attachment 327760 [details] /var/log/Xorg.1.log (before the additional module) When trying to start X (either as telinit 5 or startx) it doesn't start, saying that: SELinux: Failed to set label property on window! (whole Xorg.1.log which contains the message is attached). This is even in the permissive mode! (note to Dan -- this is NOT staff_u user, just plain SELinux from the package with regular users) ausearch -m AVC -ts today |audit2allow generates this: [root@hubmaier ~]# ausearch -m AVC -ts today |audit2allow #============= audisp_t ============== allow audisp_t self:capability sys_nice; allow audisp_t self:process setsched; #============= auditd_t ============== allow auditd_t anon_inodefs_t:file write; #============= load_policy_t ============== allow load_policy_t semanage_store_t:file { read getattr }; #============= postfix_master_t ============== allow postfix_master_t var_lib_t:file { read write getattr lock }; #============= setroubleshootd_t ============== allow setroubleshootd_t rpm_t:process signull; allow setroubleshootd_t semanage_store_t:file read; #============= sshd_t ============== allow sshd_t unlabeled_t:dir { search getattr }; allow sshd_t unlabeled_t:file { read getattr open }; #============= system_dbusd_t ============== allow system_dbusd_t NetworkManager_t:dir search; allow system_dbusd_t NetworkManager_t:file { read open }; allow system_dbusd_t avahi_t:dir search; allow system_dbusd_t avahi_t:file read; allow system_dbusd_t consolekit_t:dir search; allow system_dbusd_t consolekit_t:file read; allow system_dbusd_t cupsd_t:dir search; allow system_dbusd_t hald_t:dir search; allow system_dbusd_t hald_t:file { read open }; allow system_dbusd_t initrc_t:dir search; allow system_dbusd_t initrc_t:file { read open }; allow system_dbusd_t kerneloops_t:dir search; allow system_dbusd_t kerneloops_t:file read; allow system_dbusd_t local_login_t:dir search; allow system_dbusd_t local_login_t:file read; allow system_dbusd_t polkit_auth_t:dir search; allow system_dbusd_t polkit_auth_t:file { read open }; allow system_dbusd_t rpm_script_t:dir search; allow system_dbusd_t rpm_t:dir search; allow system_dbusd_t rpm_t:file read; allow system_dbusd_t setroubleshootd_t:dir search; allow system_dbusd_t setroubleshootd_t:file read; allow system_dbusd_t system_crond_t:dir search; allow system_dbusd_t system_crond_t:file read; allow system_dbusd_t unconfined_dbusd_t:dir search; allow system_dbusd_t unconfined_dbusd_t:file read; allow system_dbusd_t unconfined_t:dir search; allow system_dbusd_t unconfined_t:file { read open }; allow system_dbusd_t virtd_t:dir search; allow system_dbusd_t virtd_t:file read; allow system_dbusd_t xdm_t:dir search; allow system_dbusd_t xdm_t:file read; allow system_dbusd_t xserver_t:dir search; allow system_dbusd_t xserver_t:file { read open }; #============= virtd_t ============== allow virtd_t ifconfig_exec_t:file { read execute execute_no_trans }; allow virtd_t proc_t:filesystem mount; allow virtd_t self:netlink_route_socket nlmsg_write; allow virtd_t user_home_t:dir read; I have generated this package with audit2allow: module dbusFix 1.0; require { type unconfined_t; type unconfined_dbusd_t; type kerneloops_t; type consolekit_t; type rpm_script_t; type setroubleshootd_t; type cupsd_t; type virtd_t; type local_login_t; type initrc_t; type hald_t; type rpm_t; type system_dbusd_t; type xdm_t; type avahi_t; class dir search; class file read; } #============= system_dbusd_t ============== allow system_dbusd_t avahi_t:dir search; allow system_dbusd_t avahi_t:file read; allow system_dbusd_t consolekit_t:dir search; allow system_dbusd_t consolekit_t:file read; allow system_dbusd_t cupsd_t:dir search; allow system_dbusd_t hald_t:dir search; allow system_dbusd_t hald_t:file read; allow system_dbusd_t initrc_t:dir search; allow system_dbusd_t initrc_t:file read; allow system_dbusd_t kerneloops_t:dir search; allow system_dbusd_t kerneloops_t:file read; allow system_dbusd_t local_login_t:dir search; allow system_dbusd_t local_login_t:file read; allow system_dbusd_t rpm_script_t:dir search; allow system_dbusd_t rpm_t:dir search; and Xorg then starts but without keyboard (that's Xorg.0.log). Version of packages: selinux-policy-targeted-3.5.13-35.fc10.noarch xorg-x11-server-Xorg-1.5.3-6.fc10.i386