Bug 590461

Summary: SELinux is preventing /usr/bin/system-setup-keyboard "write" access on xorg.conf.d.
Product: [Fedora] Fedora Reporter: Bastien Nocera <bnocera>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 13CC: dux.v02, dwalsh, lmandersonsr, mgrepl, oaklists, subscribed-lists, tore
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:c53a19e87d96bdb1edeffa92babfcd9525a36b26322e2696c19ad3f4ec99b860
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-27 19:30:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Bastien Nocera 2010-05-09 17:02:56 UTC
Summary:

SELinux is preventing /usr/bin/system-setup-keyboard "write" access on
xorg.conf.d.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by system-setup-ke. It is not expected that this
access is required by system-setup-ke and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                xorg.conf.d [ dir ]
Source                        system-setup-ke
Source Path                   /usr/bin/system-setup-keyboard
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           system-setup-keyboard-0.7-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.3-73.fc13.x86_64 #1 SMP Thu Apr 29 09:46:07
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 08 May 2010 15:04:59 BST
Last Seen                     Sat 08 May 2010 16:26:14 BST
Local ID                      cc5f09bb-e86f-4483-a3dd-2da329b7189f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273332374.978:6): avc:  denied  { write } for  pid=1155 comm="system-setup-ke" name="xorg.conf.d" dev=sda4 ino=125593 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1273332374.978:6): arch=c000003e syscall=21 success=yes exit=128 a0=401838 a1=3 a2=7fff40c6ec48 a3=7fff40c6e650 items=0 ppid=1122 pid=1155 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-setup-ke" exe="/usr/bin/system-setup-keyboard" subj=system_u:system_r:hald_t:s0 key=(null)



Hash String generated from  catchall,system-setup-ke,hald_t,etc_t,dir,write
audit2allow suggests:

#============= hald_t ==============
#!!!! The source type 'hald_t' can write to a 'dir' of the following types:
# hald_cache_t, hald_var_lib_t, hald_var_run_t, hald_tmp_t, var_lock_t, mnt_t, root_t, tmp_t, virt_image_type, cardmgr_var_run_t, sysctl_vm_t, hald_log_t, device_t, fusefs_t, dosfs_t, var_run_t, var_log_t, root_t

allow hald_t etc_t:dir write;

Comment 1 Daniel Walsh 2010-05-10 18:22:12 UTC
Are you sure, this seems to be a partially updated system.

f12 policy and f13 kernel?

Comment 2 Steven Stern 2010-05-26 12:25:19 UTC
Got the same thing following an F12->F13 upgrade.

Comment 3 Daniel Walsh 2010-05-26 20:09:23 UTC
Right but does it still happen.  With F13 selinux policy?

Comment 4 Steven Stern 2010-05-26 21:14:26 UTC
I assume that the F13 policy replaced the F12 policy. I did the upgrade from the DVD.

Comment 5 Daniel Walsh 2010-05-27 18:58:21 UTC
It did but this AVC might have happened during the process.

rpm -q selinux-policy

Comment 6 Steven Stern 2010-05-27 19:25:29 UTC
$ rpm -q selinux-policy
selinux-policy-3.7.19-15.fc13.noarch

Comment 7 Daniel Walsh 2010-05-27 19:30:59 UTC
Ok you look fine.  If this AVC happens again reopen the bug.