| Field | Value |
|---|---|
| Summary: | SELinux is preventing /usr/bin/Xorg from 'unix_read, unix_write' accesses on the shared memory Unknown. |
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Matěj Cepl <mcepl> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA |
| QA Contact: | Milos Malik <mmalik> |
| Severity: | medium |
| Priority: | medium |
| Version: | 6.2 |
| CC: | dwalsh, mgrepl, mmalik, mnowak, overholt |
| Target Milestone: | rc |
| Keywords: | SELinux |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.7.19-118.el6 |
| Doc Type: | Bug Fix |
| Last Closed: | 2011-12-06 10:20:06 UTC |
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

Is this the same set of Eclipse RPMs that are available in 6.1?

```
mitmanek:~ $ rpm -qa eclipse\*
eclipse-jdt-3.6.1-6.13.el6.x86_64
eclipse-rcp-3.6.1-6.13.el6.x86_64
eclipse-rpm-editor-0.5.0-2.el6.x86_64
eclipse-changelog-2.7.0-1.el6.x86_64
eclipse-pde-3.6.1-6.13.el6.x86_64
eclipse-swt-3.6.1-6.13.el6.x86_64
eclipse-platform-3.6.1-6.13.el6.x86_64
mitmanek:~ $
```

plus

```
mitmanek:.eclipse $ ls ~/.eclipse/org.eclipse.platform_3.6.1_793567567/plugins/
com.python.pydev.analysis_2.2.3.2011100616
com.python.pydev.codecompletion_2.2.3.2011100616
com.python.pydev.debug_2.2.3.2011100616
com.python.pydev.fastparser_2.2.3.2011100616
com.python.pydev.refactoring_2.2.3.2011100616
com.python.pydev_2.2.3.2011100616
javax.activation_1.1.0.v201105071233.jar
javax.xml.bind_2.2.0.v201105210648.jar
javax.xml.stream_1.0.1.v201004272200.jar
javax.xml_1.3.4.v201005080400.jar
org.apache.commons.lang_2.4.0.v201005080502.jar
org.apache.ws.commons.util_1.0.1.v20100518-1140.jar
org.apache.xmlrpc_3.0.0.v20100427-1100.jar
org.eclipse.egit.core_1.1.0.201109151100-r.jar
org.eclipse.egit.doc_1.1.0.201109151100-r.jar
org.eclipse.egit.ui_1.1.0.201109151100-r.jar
org.eclipse.egit_1.1.0.201109151100-r.jar
org.eclipse.jgit_1.1.0.201109151100-r.jar
org.eclipse.mylyn.bugzilla.core_3.6.2.v20110903-0100.jar
org.eclipse.mylyn.bugzilla.ide_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.bugzilla.ui_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.commons.core_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.commons.identity_0.8.0.v20110608-1400.jar
org.eclipse.mylyn.commons.net_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.commons.repositories_0.8.0.v20110608-1400.jar
org.eclipse.mylyn.commons.screenshots_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.commons.team_0.8.0.v20110608-1400.jar
org.eclipse.mylyn.commons.ui_3.6.1.v20110720-0100.jar
org.eclipse.mylyn.commons.xmlrpc_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.context.core_3.6.1.v20110720-0100.jar
org.eclipse.mylyn.context.ui_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.discovery.core_3.6.1.v20110817-0100.jar
org.eclipse.mylyn.discovery.ui_3.6.1.v20110819-0100.jar
org.eclipse.mylyn.git.core_0.8.1.v20110720-0100.jar
org.eclipse.mylyn.git.ui_0.8.0.v20110608-1400.jar
org.eclipse.mylyn.help.ui_3.6.1.v20110830-0100.jar
org.eclipse.mylyn.ide.ui_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.monitor.core_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.monitor.ui_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.resources.ui_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.tasks.bugs_3.6.1.v20110825-0100.jar
org.eclipse.mylyn.tasks.core_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.tasks.search_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.tasks.ui_3.6.2.v20110826-0100.jar
org.eclipse.mylyn.team.cvs_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.team.ui_3.6.1.v20110825-0100.jar
org.eclipse.mylyn.trac.core_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.trac.ui_3.6.0.v20110608-1400.jar
org.eclipse.mylyn.versions.core_0.8.0.v20110608-1400.jar
org.eclipse.mylyn.versions.ui_0.8.0.v20110608-1400.jar
org.eclipse.mylyn.wikitext.core_1.5.1.v20110720-0100.jar
org.eclipse.mylyn.wikitext.mediawiki.core_1.5.2.v20110830-0100.jar
org.eclipse.mylyn_3.6.0.v20110608-1400.jar
org.jdom_1.1.1.v201101151400.jar
org.python.pydev.ast_2.2.3.2011100616
org.python.pydev.core_2.2.3.2011100616
org.python.pydev.customizations_2.2.3.2011100616
org.python.pydev.debug_2.2.3.2011100616
org.python.pydev.django_2.2.3.2011100616
org.python.pydev.help_2.2.3.2011100616
org.python.pydev.jython_2.2.3.2011100616
org.python.pydev.mylyn_0.3.0.jar
org.python.pydev.parser_2.2.3.2011100616
org.python.pydev.red_core_2.2.3.2011100616
org.python.pydev.refactoring_2.2.3.2011100616
org.python.pydev_2.2.3.2011100616
mitmanek:.eclipse $
```

(In reply to comment #4)
> mitmanek:~ $ rpm -qa eclipse\*
> [the binary RPMs coming from the eclipse SRPM]
> [ChangeLog and .spec editor]
>
> [...]
>
> mitmanek:.eclipse $ ls ~/.eclipse/org.eclipse.platform_3.6.1_793567567/plugins/
> [plugins that don't appear to be RPM-installed]

Does the crash happen with a clean ~/.eclipse and a clean workspace?

Created attachment 528573: screenshot of weird icons

(In reply to comment #5)
> (In reply to comment #4)
> > mitmanek:~ $ rpm -qa eclipse\*
> > [the binary RPMs coming from the eclipse SRPM]
> > [ChangeLog and .spec editor]
> >
> > [...]
> >
> > mitmanek:.eclipse $ ls ~/.eclipse/org.eclipse.platform_3.6.1_793567567/plugins/
> > [plugins that don't appear to be RPM-installed]
>
> Does the crash happen with a clean ~/.eclipse and a clean workspace?

Yes, it does. After discussing this on IRC, I tried to switch off accessibility support in System / Options / A11y options, relogged, and Eclipse now quits cleanly. However, the SELinux warning still goes off. I am not sure, however, whether it has some real bad effects (I have removed the unconfined module).

---

Actually, there seems to be a detrimental effect of Enforcing SELinux on icons (see attached screenshot). When I switch to permissive mode, icons are all right suddenly.

This should be allowed.

Fixed in selinux-policy-3.7.19-118.el6
```
# sesearch -AC -s xserver_t -t unconfined_java_t -c shm
Found 1 semantic av rules:
   allow xserver_t unconfined_java_t : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ;
```
Hi Matej,

could you install the latest policy on your machine and tell me if you still see the issue? Latest policy is available here:

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

(In reply to comment #16)
> Hi Matej,
>
> could you install the latest policy on your machine and tell me if you still
> see the issue? Latest policy is available here:
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Yes, I can confirm that when starting Eclipse with selinux-policy-3.7.19-118.el6.noarch I don't get any SELinux AVC denial. Thank you.

Thanks for finding this, Matěj, and for fixing it so quickly, Miroslav!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
Description:

When starting Eclipse I get this error.

```
SELinux is preventing /usr/bin/Xorg from 'unix_read, unix_write' accesses on the shared memory Unknown.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that Xorg should be allowed unix_read unix_write access on the Unknown shm by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep Xorg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Kontext zdroje                system_u:system_r:xserver_t:s0-s0:c0.c1023
Kontext cíle                  unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Objekty cíle                  Unknown [ shm ]
Zdroj                         Xorg
Cesta zdroje                  /usr/bin/Xorg
Port                          <Neznámé>
Počítač                       mitmanek.ceplovi.cz
RPM balíčky zdroje            xorg-x11-server-Xorg-1.10.4-3.el6
RPM balíčky cíle
RPM politiky                  selinux-policy-3.7.19-117.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název počítače                mitmanek.ceplovi.cz
Platforma                     Linux mitmanek.ceplovi.cz 2.6.32-206.el6.x86_64 #1 SMP Tue Oct 4 11:51:32 EDT 2011 x86_64 x86_64
Počet upozornění              1
Poprvé viděno                 Pá 14. říjen 2011, 23:05:00 CEST
Naposledy viděno              Pá 14. říjen 2011, 23:05:00 CEST
Místní ID                     9457eda7-181e-4411-bb1f-977b81a7e9b7

Původní zprávy auditu
type=AVC msg=audit(1318626300.766:545): avc:  denied  { unix_read unix_write } for  pid=2961 comm="Xorg" key=0  scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=shm

type=SYSCALL msg=audit(1318626300.766:545): arch=x86_64 syscall=shmat success=no exit=EACCES a0=598015 a1=0 a2=0 a3=28 items=0 ppid=2959 pid=2961 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm=Xorg exe=/usr/bin/Xorg subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 key=(null)

Hash: Xorg,xserver_t,unconfined_java_t,shm,unix_read,unix_write

audit2allow

#============= xserver_t ==============
allow xserver_t unconfined_java_t:shm { unix_read unix_write };

audit2allow -R

#============= xserver_t ==============
allow xserver_t unconfined_java_t:shm { unix_read unix_write };
```
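As an added example (not code from this bug, from setroubleshoot or from the selinux-policy project), the script below parses the raw AVC message from the description and the allow rule that sesearch printed in the fix comment, renders the denial as the rule audit2allow would generate, and checks whether the installed rule covers every denied permission. That subset check is the verification a practitioner runs after installing a new policy build such as -118, before concluding the denial is fixed; both sample lines are constructed here from the text of this report.

```python
import re

# Constructed sample inputs, copied from this bug: the AVC denial from the
# description and the allow rule sesearch showed after the policy fix.
AVC_LINE = ('type=AVC msg=audit(1318626300.766:545): avc: denied { unix_read unix_write } '
            'for pid=2961 comm="Xorg" key=0 '
            'scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=shm')
SESEARCH_LINE = ('allow xserver_t unconfined_java_t : shm { create destroy getattr setattr '
                 'read write associate unix_read unix_write lock } ;')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
# Accepts both "src tgt : cls { ... } ;" (sesearch) and "src tgt:cls { ... };" (audit2allow).
ALLOW_RE = re.compile(r'allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*'
                      r'\{(?P<perms>[^}]*)\}')

def context_type(ctx):
    """Third field of user:role:type[:range] is the type-enforcement type."""
    return ctx.split(':')[2]

def parse_avc(line):
    """(source type, target type, object class, denied permissions) or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m['scon']), context_type(m['tcon']), m['tclass'],
            frozenset(m['perms'].split()))

def parse_allow(line):
    """(source type, target type, object class, granted permissions) or None."""
    m = ALLOW_RE.search(line)
    if m is None:
        return None
    return (m['src'], m['tgt'], m['cls'], frozenset(m['perms'].split()))

def avc_to_allow_rule(line):
    """Render the denial as the TE allow rule audit2allow prints for it."""
    src, tgt, cls, perms = parse_avc(line)
    return 'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))

def rule_covers_denial(allow_line, avc_line):
    """True when the installed rule grants every permission the AVC was denied."""
    granted = parse_allow(allow_line)
    denied = parse_avc(avc_line)
    if granted is None or denied is None:
        return False
    return granted[:3] == denied[:3] and denied[3] <= granted[3]

if __name__ == '__main__':
    print(avc_to_allow_rule(AVC_LINE))
    print('covered by installed policy:', rule_covers_denial(SESEARCH_LINE, AVC_LINE))
```

On a live system the same check can be fed with `ausearch -m avc` output and the matching `sesearch -A` line instead of the constructed constants.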