Bug 159187 - configurable hotkey feature doesn't work on enforcing mode
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Russell Coker
QA Contact: Ben Levenson
Reported: 2005-05-31 04:46 EDT by Akira TAGOH
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.3-9
Doc Type: Bug Fix
Last Closed: 2005-09-04 20:40:42 EDT
Description Akira TAGOH 2005-05-31 04:46:46 EDT
Description of problem:
In enforcing mode, the per-user configurable hotkey feature, whose
configuration file is placed in $HOME/.iiim, doesn't work.  It works after setenforce 0.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6
iiimf-server-12.2-4

How reproducible:
always

Steps to Reproduce:
1. Boot up the kernel in enforcing mode.
2. Log into the Japanese desktop, say, and run iiimf-le-tools --add-hotkey
'<shift>space' --lang ja on the terminal.
3. Run gedit and try to press ctrl+space to confirm it's disabled.
  
Actual results:
Both ctrl+space and shift+space work, since they're set as the default hotkeys.

Expected results:
Only shift+space works to activate the input method.

Additional info:
exact filename for this configuration is $HOME/.iiim/le.xml.conf and it's used
to store the user-preferred key to activate.
Comment 1 Daniel Walsh 2005-05-31 16:59:20 EDT
What avc messages are you seeing?

Dan
Comment 2 Akira TAGOH 2005-06-02 05:25:56 EDT
Actually I haven't seen any avc messages in /var/log/messages. How can I get
more info on that?
Comment 3 Daniel Walsh 2005-06-02 08:17:16 EDT
Are you running audit?  If yes the avc messages will go to 
/usr/log/audit/audit.log.
Comment 4 Akira TAGOH 2005-06-02 09:44:14 EDT
Thanks. I got:
type=AVC msg=audit(1117719768.653:7061488): avc:  denied  { search } for 
pid=7584 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1117719768.653:7061488): arch=40000003 syscall=196
success=no exit=-13 a0=952c790 a1=b7ed50dc a2=3e6ff4 a3=b7ed50dc items=1
pid=7584 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1117719768.653:7061488): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=2 dev=03:06 mode=040755 ouid=0 ogid=0
rdev=00:00

It was output when I ran gedit, say.
Hope this helps.
Comment 5 Daniel Walsh 2005-06-06 09:37:46 EDT
Can you run 
> setenforce 0
> gedit
and see if you get any other avc messages?

Comment 6 Akira TAGOH 2005-06-07 05:09:11 EDT
Sure.

type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for 
pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for 
pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for 
pid=13855 comm="iiimd" name=.iiim dev=hda6 ino=5243004
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { getattr } for 
pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.663:4402919): arch=40000003 syscall=196
success=yes exit=0 a0=84afc60 a1=b7fa30dc a2=6a7ff4 a3=b7fa30dc items=1
pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=AVC_PATH msg=audit(1118135184.663:4402919): 
path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118135184.663:4402919): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118135184.664:4402926): avc:  denied  { read } for 
pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.664:4402926): arch=40000003 syscall=5
success=yes exit=6 a0=84afc60 a1=0 a2=0 a3=84d7ce0 items=1 pid=13855
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1118135184.664:4402926): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
Comment 7 Daniel Walsh 2005-06-07 14:10:35 EDT
This looks like you have a labeling problem.  Are your home directories labeled
correctly?  The file in /home/tagoh/.iiim/le.xml.conf should not be labeled default_t.

Dan
Comment 8 Akira TAGOH 2005-06-08 03:22:36 EDT
Hmm, I just did make reload and make relabel under
/etc/selinux/targeted/src/policy/, but it's still labeled default_t.
Comment 9 Daniel Walsh 2005-06-08 07:54:06 EDT
What is the output of 
ls -lZd /home /home/tagoh/.iiim
ls -lZ /home/tagoh/.iiim/le.xml.conf
Comment 10 Daniel Walsh 2005-06-08 07:54:59 EDT
Also do a 
restorecon -R -v /home/tagoh/.iiim
Comment 11 Akira TAGOH 2005-06-08 10:47:27 EDT
$ ls -lZd /home/ /home/tagoh/.iiim/
drwxr-xr-x  root     root     system_u:object_r:default_t      /home/
drwxrwxr-x  tagoh    tagoh    user_u:object_r:default_t        /home/tagoh/.iiim
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r--  tagoh    tagoh    user_u:object_r:default_t       
/home/tagoh/.iiim/le.xml.conf
# restorecon -R -v /home/tagoh/.iiim/
restorecon reset /home/tagoh/.iiim context
user_u:object_r:default_t->user_u:object_r:user_home_t
restorecon reset /home/tagoh/.iiim/le.xml.conf context
user_u:object_r:default_t->user_u:object_r:user_home_t
$ ls -lZd /home/ /home/tagoh/ /home/tagoh/.iiim/
drwxr-xr-x  root     root     system_u:object_r:default_t      /home/
drwxr-xr-x  tagoh    tagoh    system_u:object_r:default_t      /home/tagoh/
drwxrwxr-x  tagoh    tagoh    user_u:object_r:user_home_t      /home/tagoh/.iiim/
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r--  tagoh    tagoh    user_u:object_r:user_home_t     
/home/tagoh/.iiim/le.xml.conf

Ok, let me try again:
# setenforce 1

still doesn't work.

# setenforce 0
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { search } for 
pid=884 comm="iiimd" name=.iiim dev=hda6 ino=5243004
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { search } for 
pid=884 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { getattr } for 
pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949755): arch=40000003 syscall=196
success=yes exit=0 a0=84f6148 a1=b75810dc a2=6a7ff4 a3=b75810dc items=1 pid=884
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd"
exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=AVC_PATH msg=audit(1118241917.468:13949755): 
path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118241917.468:13949755): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118241917.468:13949771): avc:  denied  { read } for  pid=884
comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5
success=yes exit=8 a0=84f6148 a1=0 a2=0 a3=85000e0 items=1 pid=884
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd"
exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=PATH msg=audit(1118241917.468:13949771): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
Comment 12 Daniel Walsh 2005-06-08 10:57:26 EDT
Ok, we are closer.  You need to restorecon at the home dir though:

restorecon -R -v /home

That will eliminate one of your messages.  Now the bigger question: isn't there a
better way than allowing i18n_input to read the users' home directories?  This is
a server application that has to go rooting around in the user's home dir for
config files????

Dan
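
The triage done by eye in comments 7 and 12, as an added example (not part of the original bug report and not the output of any SELinux tool): it groups AVC denials by source type, target type and class, then separates denials against fallback labels such as default_t, which call for restorecon, from denials that are a real policy decision. The sample records are adapted from the ones quoted in this bug; the function names and the set of fallback types are assumptions of the example.

```python
import re
from collections import defaultdict

# Sample adapted from the records quoted in this bug, one record per line as
# auditd writes them (the SYSCALL record is shortened).
SAMPLE = """\
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for  pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { getattr } for  pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1118241917.468:13949771): avc:  denied  { read } for  pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5 success=yes exit=8 comm="iiimd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

# Assumption of this example: target types that indicate a missing or fallback
# label. A denial against one of these is fixed by relabeling, not by policy.
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}

def se_type(context):
    """Return the type, the third field of user:role:type[:level]."""
    return context.split(":")[2]

def triage(log_text):
    """Group denials by (source type, target type, class) and split them into
    labeling problems and genuine policy questions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, PATH and AVC_PATH records are skipped
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            groups[key].update(m["perms"].split())
    relabel, policy = {}, {}
    for key, perms in groups.items():
        (relabel if key[1] in UNLABELED_TYPES else policy)[key] = sorted(perms)
    return relabel, policy

def as_rule(key, perms):
    """Render one group in audit2allow-style syntax, for review only."""
    return "allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(perms))

if __name__ == "__main__":
    relabel, policy = triage(SAMPLE)
    for key, perms in relabel.items():
        print("relabel first:", as_rule(key, perms))
    for key, perms in policy.items():
        print("policy decision:", as_rule(key, perms))
```
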
Comment 13 Daniel Walsh 2005-08-25 10:50:56 EDT
Removing i18n_input from targeted policy so it will run unconfined.
selinux-policy-targeted-1.25.3-9
