Description of problem:
In enforcing mode the per-user configurable hotkey feature, whose configuration file is placed in $HOME/.iiim, doesn't work. It works after setenforce 0.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6
iiimf-server-12.2-4

How reproducible:
always

Steps to Reproduce:
1. Boot up the kernel in enforcing mode.
2. Log into the Japanese desktop, say, and run iiimf-le-tools --add-hotkey '<shift>space' --lang ja in a terminal.
3. Run gedit and try pressing ctrl+space to confirm it's disabled.

Actual results:
Both ctrl+space and shift+space work, since ctrl+space is set as the default hotkey.

Expected results:
Only shift+space works to activate the input method.

Additional info:
The exact filename for this configuration is $HOME/.iiim/le.xml.conf, and it's used to store the user-preferred key to activate the input method.
What AVC messages are you seeing?
Dan
Actually, I haven't seen any AVC messages in /var/log/messages. How can I get more info on that?
Are you running audit? If yes, the AVC messages will go to /usr/log/audit/audit.log.
Thanks. I got:

type=AVC msg=audit(1117719768.653:7061488): avc: denied { search } for pid=7584 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1117719768.653:7061488): arch=40000003 syscall=196 success=no exit=-13 a0=952c790 a1=b7ed50dc a2=3e6ff4 a3=b7ed50dc items=1 pid=7584 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1117719768.653:7061488): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=2 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00

It was output when I ran gedit, say. Hope this helps.
Can you run

> setenforce 0
> gedit

and see if you get any other AVC messages?
Sure.

type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=.iiim dev=hda6 ino=5243004 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { getattr } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.663:4402919): arch=40000003 syscall=196 success=yes exit=0 a0=84afc60 a1=b7fa30dc a2=6a7ff4 a3=b7fa30dc items=1 pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=AVC_PATH msg=audit(1118135184.663:4402919): path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118135184.663:4402919): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118135184.664:4402926): avc: denied { read } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.664:4402926): arch=40000003 syscall=5 success=yes exit=6 a0=84afc60 a1=0 a2=0 a3=84d7ce0 items=1 pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1118135184.664:4402926): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00
This looks like you have a labeling problem. Are your home directories labeled correctly? The file /home/tagoh/.iiim/le.xml.conf should not be labeled default_t.
Dan
Hmm, I just did make reload and make relabel under /etc/selinux/targeted/src/policy/, but it's still labeled default_t.
What is the output of

ls -lZd /home /home/tagoh/.iiim
ls -lZ /home/tagoh/.iiim/le.xml.conf
Also do a

restorecon -R -v /home/tagoh/.iiim
$ ls -lZd /home/ /home/tagoh/.iiim/
drwxr-xr-x  root  root   system_u:object_r:default_t    /home/
drwxrwxr-x  tagoh tagoh  user_u:object_r:default_t      /home/tagoh/.iiim
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r--  tagoh tagoh  user_u:object_r:default_t      /home/tagoh/.iiim/le.xml.conf
# restorecon -R -v /home/tagoh/.iiim/
restorecon reset /home/tagoh/.iiim context user_u:object_r:default_t->user_u:object_r:user_home_t
restorecon reset /home/tagoh/.iiim/le.xml.conf context user_u:object_r:default_t->user_u:object_r:user_home_t
$ ls -lZd /home/ /home/tagoh/ /home/tagoh/.iiim/
drwxr-xr-x  root  root   system_u:object_r:default_t    /home/
drwxr-xr-x  tagoh tagoh  system_u:object_r:default_t    /home/tagoh/
drwxrwxr-x  tagoh tagoh  user_u:object_r:user_home_t    /home/tagoh/.iiim/
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r--  tagoh tagoh  user_u:object_r:user_home_t    /home/tagoh/.iiim/le.xml.conf

Ok, let me try again:

# setenforce 1

Still doesn't work.

# setenforce 0

type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for pid=884 comm="iiimd" name=.iiim dev=hda6 ino=5243004 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for pid=884 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { getattr } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949755): arch=40000003 syscall=196 success=yes exit=0 a0=84f6148 a1=b75810dc a2=6a7ff4 a3=b75810dc items=1 pid=884 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=AVC_PATH msg=audit(1118241917.468:13949755): path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118241917.468:13949755): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118241917.468:13949771): avc: denied { read } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5 success=yes exit=8 a0=84f6148 a1=0 a2=0 a3=85000e0 items=1 pid=884 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 comm="iiimd" exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=PATH msg=audit(1118241917.468:13949771): item=0 name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664 ouid=500 ogid=500 rdev=00:00
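Added example (editor's code, not part of this bug's comments, the iiimf sources or the selinux-policy package): a small Python parser for AVC records like the ones quoted in this thread, fed with sample records constructed by trimming the denials above. It makes three points that the raw logs bury. First, why the reporter was asked to re-run under setenforce 0: in enforcing mode the first denied search on a path component fails the syscall (exit=-13 above), so only one AVC is logged, while permissive mode records the whole chain down to the file. Second, it groups denials by source type, target type and class the way audit2allow would, so the residual denials after relabeling (user_home_t targets) can be read as a genuine policy question rather than a labeling one. Third, it flags targets carrying default_t, the fallback type for files with no matching file context, which means run restorecon, not write an allow rule. The function names, and the trimmed sample records, are my own.

```python
import re
from collections import defaultdict

# Constructed samples, trimmed from the AVC records quoted in this bug report.
# Enforcing mode: the denied search on "/" (the hda6 mount root) fails the
# stat() with EACCES, so iiimd never reaches the deeper components.
ENFORCING_LOG = """\
type=AVC msg=audit(1117719768.653:7061488): avc: denied { search } for pid=7584 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1117719768.653:7061488): arch=40000003 syscall=196 success=no exit=-13 items=1 pid=7584 comm="iiimd" exe="/usr/bin/iiimd"
"""

# Permissive mode: every denial along the path is logged, and the access goes through.
PERMISSIVE_LOG = """\
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { search } for pid=13855 comm="iiimd" name=.iiim dev=hda6 ino=5243004 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc: denied { getattr } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=AVC msg=audit(1118135184.664:4402926): avc: denied { read } for pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
"""

# After "restorecon -R -v /home/tagoh/.iiim": the subtree is user_home_t, but the
# mount root (shown as name=/ on dev=hda6, i.e. /home) is still default_t.
RELABELED_LOG = """\
type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for pid=884 comm="iiimd" name=.iiim dev=hda6 ino=5243004 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { search } for pid=884 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc: denied { getattr } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1118241917.468:13949771): avc: denied { read } for pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per 'avc: denied' record; other record types (SYSCALL, PATH) are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {'perms': m.group('perms').split()}
        for key, value in KV_RE.findall(m.group('rest')):
            rec[key] = value.strip('"')
        # context is user:role:type[:level]; the type is what policy rules are written against
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        records.append(rec)
    return records


def summarize(records):
    """Group denials as (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for r in records:
        groups[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(summary):
    """Render the summary as allow rules, the shape audit2allow would emit."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summary.items())]


def mislabeled_targets(records, suspect_types=('default_t',)):
    """Object names whose type is a fallback label: fix with restorecon, not with a policy change."""
    return sorted({r['name'] for r in records if r['ttype'] in suspect_types})


if __name__ == '__main__':
    for title, log in (('enforcing', ENFORCING_LOG), ('permissive', PERMISSIVE_LOG),
                       ('after restorecon', RELABELED_LOG)):
        recs = parse_avc(log)
        print('%s: %d denial(s)' % (title, len(recs)))
        for rule in allow_rules(summarize(recs)):
            print('  ' + rule)
        bad = mislabeled_targets(recs)
        if bad:
            print('  mislabeled (run restorecon): ' + ', '.join(bad))
```

Reading the output against the thread: the permissive run flags tagoh, .iiim and le.xml.conf as default_t; the post-restorecon run flags only "/" (the /home mount root), which is exactly what "restorecon -R -v /home" addresses; what remains after that is i18n_input_t needing search/getattr/read on user_home_t, the policy question raised in the next comment.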
Ok, we are closer. You need to restorecon at the home dir though:

restorecon -R -v /home

That will eliminate one of your messages. Now the bigger question: isn't there a better way than allowing i18n_input to read the users' home directories? This is a server application that has to go rooting around in the user's home dir for config files????
Dan
Removing i18n_input from targeted policy so it will run unconfined.

selinux-policy-targeted-1.25.3-9