Bug 627869

Summary: SELinux is preventing /usr/bin/Xorg "unix_read" access .
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 14CC: anto.trande, cpanceac, drussell, dwalsh, hundred17, linuxdonald, mcepl, mgrepl, misek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:aedde58316b910ac4ac5544c01f6a7a88fd2495103d81582ed9538220dbc0374
Fixed In Version: selinux-policy-3.9.0-2.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-09-08 04:31:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2010-08-27 08:46:07 UTC 
Souhrn:

SELinux is preventing /usr/bin/Xorg "unix_read" access .

Podrobný popis:

[Xorg je v toleratním režimu (xserver_t). Přístup byl povolen.]

SELinux denied access requested by Xorg. It is not expected that this access is
required by Xorg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Další informace:

Kontext zdroje                system_u:system_r:xserver_t:s0-s0:c0.c1023
Kontext cíle                  unconfined_u:unconfined_r:unconfined_java_t:s0-s0:
                              c0.c1023
Objekty cíle                  None [ shm ]
Zdroj                         Xorg
Cesta zdroje                  /usr/bin/Xorg
Port                          <Neznámé>
Počítač                       (odstraněno)
RPM balíčky zdroje            xorg-x11-server-Xorg-1.9.0-2.fc14
RPM balíčky cíle              
RPM politiky                  selinux-policy-3.8.8-20.fc14
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall
Název počítače                (odstraněno)
Platforma                     Linux (odstraněno) 2.6.35.2-9.fc14.x86_64
                              #1 SMP Tue Aug 17 22:36:15 UTC 2010 x86_64 x86_64
Počet upozornění              2
Poprvé viděno                 Čt 26. srpen 2010, 23:58:50 CEST
Naposledy viděno              Čt 26. srpen 2010, 23:58:50 CEST
Místní ID                     18f7d6dc-2fbc-454e-a637-4a229d56c22c
Čísla řádků                   

Původní zprávy auditu         

node=(odstraněno) type=AVC msg=audit(1282859930.152:143): avc:  denied  { unix_read } for  pid=2166 comm="Xorg" key=0  scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=shm

node=(odstraněno) type=AVC msg=audit(1282859930.152:143): avc:  denied  { read } for  pid=2166 comm="Xorg" key=0  scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=shm

node=(odstraněno) type=SYSCALL msg=audit(1282859930.152:143): arch=c000003e syscall=30 success=yes exit=140262531756032 a0=51801f a1=0 a2=1000 a3=0 items=0 ppid=2161 pid=2166 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="Xorg" exe="/usr/bin/Xorg" subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,Xorg,xserver_t,unconfined_java_t,shm,unix_read
audit2allow suggests:

#============= xserver_t ==============
allow xserver_t unconfined_java_t:shm { unix_read read };
Comment 1 Daniel Walsh 2010-08-27 15:35:04 UTC 
Fixed in selinux-policy-3.9.0-2.fc14
Comment 2 Fedora Update System 2010-08-30 15:59:08 UTC 
selinux-policy-3.9.0-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14
Comment 3 Fedora Update System 2010-08-30 19:37:49 UTC 
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14
Comment 4 Fedora Update System 2010-09-08 04:29:59 UTC 
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.