Bug 120845 - policy errors using X after rawhide update
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: athlon Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson

Reported: 2004-04-14 10:24 EDT by keith adamson
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-04-15 11:37:41 EDT


Description keith adamson 2004-04-14 10:24:38 EDT
Description of problem:

Lots of policy errors after rawhide update today:

avc:  denied  { create } for  pid=51 exe=/usr/X11R6/bin/Xorg
name=XFree86.0.log scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:ramfs_t tclass=file
avc:  denied  { name_bind } for  pid=51 exe=/usr/X11R6/bin/Xorg
scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket
avc:  denied  { search } for  pid=51 exe=/usr/X11R6/bin/Xorg name=tmp
dev=hda2 ino=245281 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { write } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/initrd/XFree86.0.log dev= ino=992
scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:ramfs_t
tclass=file
avc:  denied  { read } for  pid=51 exe=/usr/X11R6/bin/Xorg name=mem
dev=hda2 ino=506942 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { sys_rawio } for  pid=51 exe=/usr/X11R6/bin/Xorg
capability=17 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { read write } for  pid=51 exe=/usr/X11R6/bin/Xorg
name=apm_bios dev=hda2 ino=506959 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:apm_bios_t tclass=chr_file
avc:  denied  { setpgid } for  pid=51 exe=/usr/X11R6/bin/Xorg
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=process
avc:  denied  { read write } for  pid=51 exe=/usr/X11R6/bin/Xorg
name=tty8 dev=hda2 ino=518906 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { getattr } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/dev/tty0 dev=hda2 ino=517652 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { ioctl } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/dev/tty8 dev=hda2 ino=518906 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { sys_tty_config } for  pid=51 exe=/usr/X11R6/bin/Xorg
capability=26 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { write } for  pid=51 exe=/usr/X11R6/bin/Xorg name=mem
dev=hda2 ino=506942 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { execute } for  pid=51 path=/dev/mem dev=hda2
ino=506942 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { write } for  pid=51 exe=/usr/X11R6/bin/Xorg name=mtrr
dev= ino=4327 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:mtrr_device_t tclass=file
avc:  denied  { ioctl } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/proc/mtrr dev= ino=4327 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:mtrr_device_t tclass=file
avc:  denied  { read write } for  pid=51 exe=/usr/X11R6/bin/Xorg
name=mice dev=hda2 ino=574457 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:mouse_device_t tclass=chr_file
avc:  denied  { ioctl } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/dev/input/mice dev=hda2 ino=574457
scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:mouse_device_t tclass=chr_file
avc:  denied  { setgid } for  pid=63 exe=/usr/X11R6/bin/Xorg
capability=6 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { setuid } for  pid=63 exe=/usr/X11R6/bin/Xorg
capability=7 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { getattr } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/dev/input/mice dev=hda2 ino=574457
scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:mouse_device_t tclass=chr_file
avc:  denied  { ioctl } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/dev/tty8 dev=hda2 ino=518906 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { sys_tty_config } for  pid=51 exe=/usr/X11R6/bin/Xorg
capability=26 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { ioctl } for  pid=51 exe=/usr/X11R6/bin/Xorg
path=/proc/mtrr dev= ino=4327 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:mtrr_device_t tclass=file
avc:  denied  { sys_admin } for  pid=51 exe=/usr/X11R6/bin/Xorg
capability=21 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { setattr } for  pid=51 exe=/usr/X11R6/bin/Xorg
name=tty0 dev=hda2 ino=517652 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc:  denied  { getattr } for  pid=3375 exe=/usr/X11R6/bin/Xorg
path=/var/log/Xorg.0.log dev=hda2 ino=490739
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:var_log_t
tclass=file
avc:  denied  { rename } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=Xorg.0.log dev=hda2 ino=490739 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { unlink } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=Xorg.0.log.old dev=hda2 ino=490737
scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:var_log_t
tclass=file
avc:  denied  { read } for  pid=3375 exe=/usr/X11R6/bin/Xorg name=mem
dev=hda2 ino=506942 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { write } for  pid=3375 exe=/usr/X11R6/bin/Xorg name=mem
dev=hda2 ino=506942 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { execute } for  pid=3375 path=/dev/mem dev=hda2
ino=506942 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { write } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=mtrr dev= ino=4327 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:mtrr_device_t tclass=file
avc:  denied  { ioctl } for  pid=3375 exe=/usr/X11R6/bin/Xorg
path=/proc/mtrr dev= ino=4327 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:mtrr_device_t tclass=file
avc:  denied  { read write } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=mice dev=hda2 ino=574457 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:mouse_device_t tclass=chr_file
avc:  denied  { ioctl } for  pid=3375 exe=/usr/X11R6/bin/Xorg
path=/dev/input/mice dev=hda2 ino=574457
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:mouse_device_t tclass=chr_file
avc:  denied  { search } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=xkb dev=hda2 ino=72180 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=dir
avc:  denied  { read } for  pid=3375 exe=/usr/X11R6/bin/Xorg name=xorg
dev=hda2 ino=72285 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=file
avc:  denied  { getattr } for  pid=3375 exe=/usr/X11R6/bin/Xorg
path=/usr/X11R6/lib/X11/xkb/rules/xorg dev=hda2 ino=72285
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=file
avc:  denied  { write } for  pid=3378
exe=/usr/X11R6/lib/X11/xkb/xkbcomp name=xkb dev=hda2 ino=114590
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=dir
avc:  denied  { add_name } for  pid=3378
exe=/usr/X11R6/lib/X11/xkb/xkbcomp name=server-0.xkm
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=dir
avc:  denied  { create } for  pid=3378
exe=/usr/X11R6/lib/X11/xkb/xkbcomp name=server-0.xkm
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=file
avc:  denied  { write } for  pid=3378
exe=/usr/X11R6/lib/X11/xkb/xkbcomp path=/var/lib/xkb/server-0.xkm
dev=hda2 ino=114502 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=file
avc:  denied  { remove_name } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=server-0.xkm dev=hda2 ino=114502 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=dir
avc:  denied  { unlink } for  pid=3375 exe=/usr/X11R6/bin/Xorg
name=server-0.xkm dev=hda2 ino=114502 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:var_lib_xkb_t tclass=file
avc:  denied  { unix_read unix_write } for  pid=3375
exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_t
tcontext=user_u:user_r:user_t tclass=shm
avc:  denied  { read write } for  pid=3375 exe=/usr/X11R6/bin/Xorg
key=0 scontext=system_u:system_r:xdm_t tcontext=user_u:user_r:user_t
tclass=shm
avc:  denied  { read write } for  pid=3375 path=/SYSV00000000
(deleted) dev= ino=131072 scontext=system_u:system_r:xdm_t
tcontext=user_u:object_r:user_tmpfs_t tclass=file
avc:  denied  { getattr associate } for  pid=3375
exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_t
tcontext=user_u:user_r:user_t tclass=shm
avc:  denied  { search } for  pid=3489 exe=/usr/X11R6/bin/xscreensaver
name=.X11-unix dev=hda2 ino=261663
scontext=user_u:user_r:user_screensaver_t
tcontext=system_u:object_r:xdm_tmp_t tclass=dir
avc:  denied  { write } for  pid=3489 exe=/usr/X11R6/bin/xscreensaver
name=X0 dev=hda2 ino=261670 scontext=user_u:user_r:user_screensaver_t
tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
avc:  denied  { connectto } for  pid=3489
exe=/usr/X11R6/bin/xscreensaver path=/tmp/.X11-unix/X0
scontext=user_u:user_r:user_screensaver_t
tcontext=system_u:system_r:xdm_t tclass=unix_stream_socket
avc:  denied  { read } for  pid=3375 exe=/usr/X11R6/bin/Xorg
path=/dev/input/mice dev=hda2 ino=574457
scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:mouse_device_t tclass=chr_file
avc:  denied  { ioctl } for  pid=3521 exe=/usr/bin/magicdev
path=/dev/hdc dev=hda2 ino=509795 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc:  denied  { getattr } for  pid=3546
exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2
scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
avc:  denied  { write } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=keith dev=hda5 ino=10010625 scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
avc:  denied  { add_name } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
avc:  denied  { create } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
avc:  denied  { link } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c dev=hda5 ino=10010977
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
avc:  denied  { write } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority dev=hda5 ino=10010965
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
avc:  denied  { read } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority dev=hda5 ino=10010965
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
avc:  denied  { getattr } for  pid=3583 exe=/usr/X11R6/bin/xauth
path=/home/keith/.Xauthority dev=hda5 ino=10010965
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file
avc:  denied  { remove_name } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c dev=hda5 ino=10010977
scontext=user_u:user_r:userhelper_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
avc:  denied  { unlink } for  pid=3583 exe=/usr/X11R6/bin/xauth
name=.Xauthority-c dev=hda5 ino=10010977
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
avc:  denied  { write } for  pid=3582 exe=/usr/sbin/userhelper
name=root dev=hda2 ino=16353 scontext=user_u:user_r:userhelper_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
avc:  denied  { add_name } for  pid=3582 exe=/usr/sbin/userhelper
name=.xauthXPAxwi scontext=user_u:user_r:userhelper_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
avc:  denied  { create } for  pid=3582 exe=/usr/sbin/userhelper
name=.xauthXPAxwi scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { setattr } for  pid=3582 exe=/usr/sbin/userhelper
name=.xauthXPAxwi dev=hda2 ino=19382
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { link } for  pid=3584 exe=/usr/X11R6/bin/xauth
name=.xauthXPAxwi-c dev=hda2 ino=19441
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { write } for  pid=3584 exe=/usr/X11R6/bin/xauth
name=.xauthXPAxwi dev=hda2 ino=19382
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { read } for  pid=3584 exe=/usr/X11R6/bin/xauth
name=.xauthXPAxwi dev=hda2 ino=19382
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { getattr } for  pid=3584 exe=/usr/X11R6/bin/xauth
path=/root/.xauthXPAxwi dev=hda2 ino=19382
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { remove_name } for  pid=3584 exe=/usr/X11R6/bin/xauth
name=.xauthXPAxwi dev=hda2 ino=19382
scontext=user_u:user_r:userhelper_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
avc:  denied  { unlink } for  pid=3584 exe=/usr/X11R6/bin/xauth
name=.xauthXPAxwi dev=hda2 ino=19382
scontext=user_u:user_r:userhelper_t
tcontext=user_u:object_r:staff_home_dir_t tclass=file
avc:  denied  { unix_read unix_write } for  pid=3375
exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_t
tcontext=root:sysadm_r:sysadm_t tclass=shm
avc:  denied  { read write } for  pid=3375 exe=/usr/X11R6/bin/Xorg
key=0 scontext=system_u:system_r:xdm_t tcontext=root:sysadm_r:sysadm_t
tclass=shm
avc:  denied  { read write } for  pid=3375 path=/SYSV00000000
(deleted) dev= ino=557069 scontext=system_u:system_r:xdm_t
tcontext=root:object_r:sysadm_tmpfs_t tclass=file
avc:  denied  { getattr associate } for  pid=3375
exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_t
tcontext=root:sysadm_r:sysadm_t tclass=shm
avc:  denied  { search } for  pid=3598
exe=/usr/java/j2sdk1.4.2_03/jre/bin/java name=vm dev= ino=4182
scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:sysctl_vm_t tclass=dir
avc:  denied  { connectto } for  pid=3611
exe=/usr/lib/mozilla-1.6/mozilla-xremote-client path=/tmp/.X11-unix/X0
scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:xdm_t
tclass=unix_stream_socket
avc:  denied  { execute } for  pid=3588
path=/usr/java/j2sdk1.4.2_03/jre/plugin/i386/ns610-gcc32/libjavaplugin_oji.so
dev=hda2 ino=753034 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { unix_read unix_write } for  pid=3375
exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_t
tcontext=user_u:user_r:user_mozilla_t tclass=shm
avc:  denied  { read write } for  pid=3375 exe=/usr/X11R6/bin/Xorg
key=0 scontext=system_u:system_r:xdm_t
tcontext=user_u:user_r:user_mozilla_t tclass=shm
avc:  denied  { use } for  pid=3375 path=/SYSV00000000 (deleted) dev=
ino=589838 scontext=system_u:system_r:xdm_t
tcontext=user_u:user_r:user_mozilla_t tclass=fd
avc:  denied  { read write } for  pid=3375 path=/SYSV00000000
(deleted) dev= ino=589838 scontext=system_u:system_r:xdm_t
tcontext=user_u:object_r:user_mozilla_tmpfs_t tclass=file
avc:  denied  { getattr associate } for  pid=3375
exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_t
tcontext=user_u:user_r:user_mozilla_t tclass=shm

Version-Release number of selected component (if applicable):

checkpolicy-1.10-1
policy-1.11.2-1
policycoreutils-1.10-2
policy-sources-1.11.2-1
xorg-x11-6.7.0-0.4

How reproducible:

didn't try

Steps to Reproduce:
1. update to rawhide
2. run fixfiles relabel
3. reboot
  
Actual results:

lots of errors running X

Expected results:

no errors running X

Additional info:
Comment 1 keith adamson 2004-04-14 17:09:55 EDT
New packages:

libselinux-1.11-3.i386.rpm
libselinux-devel-1.11-3.i386.rpm
policy-1.11.2-3.noarch.rpm
policy-sources-1.11.2-3.noarch.rpm

from:

ftp://people.redhat.com/dwalsh/SELinux/Fedora

Fixes for me.
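
Added example, not part of the original report or of the Fedora policy tooling: a small Python triage script that re-joins the wrapped AVC records shown in the description and groups the denied permissions by source type, target type and object class, so a reviewer can see which domain (rhgb_t, xdm_t, ...) needs which access. SAMPLE holds four denials excerpted from the report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Four denials excerpted from the report above, keeping the line
# wrapping the bug tracker introduced (each record spans three lines).
SAMPLE = """\
avc:  denied  { read } for  pid=51 exe=/usr/X11R6/bin/Xorg name=mem
dev=hda2 ino=506942 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { write } for  pid=51 exe=/usr/X11R6/bin/Xorg name=mem
dev=hda2 ino=506942 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { sys_rawio } for  pid=51 exe=/usr/X11R6/bin/Xorg
capability=17 scontext=system_u:system_r:rhgb_t
tcontext=system_u:system_r:rhgb_t tclass=capability
avc:  denied  { read write } for  pid=3375 path=/SYSV00000000
(deleted) dev= ino=131072 scontext=system_u:system_r:xdm_t
tcontext=user_u:object_r:user_tmpfs_t tclass=file
"""

RECORD = re.compile(r"\s*denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r"(\w+)=(\S*)")   # value may be empty, e.g. "dev="

def parse_denials(text):
    """Yield (permissions, fields) for each AVC denial, tolerating wrapped lines."""
    joined = " ".join(text.split())          # undo the line wrapping
    for chunk in joined.split("avc:")[1:]:   # one chunk per record
        m = RECORD.match(chunk)
        if not m:
            continue
        fields = dict(FIELD.findall(m.group(2)))
        if {"scontext", "tcontext", "tclass"} <= fields.keys():
            yield m.group(1).split(), fields

def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    rules = defaultdict(set)
    for perms, f in parse_denials(text):
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        rules[key].update(perms)
    return {k: sorted(v) for k, v in sorted(rules.items())}

def as_rules(summary):
    """Render the summary in allow-rule syntax for review against the policy sources."""
    return [f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in summary.items()]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```
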
