Bug 197829 - selinux prevents X clients from starting
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Daniel Walsh
Reported: 2006-07-06 13:58 EDT by Matt Domsch
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-10-05 08:09:47 EDT
Description Matt Domsch 2006-07-06 13:58:03 EDT
Description of problem:
Running FC6test1 i386 on a Dell Latitude D610 laptop worked fine.  Upgrading to
rawhide a couple weeks later, and X no longer starts unless selinux is not in
enforcing mode.  setenforce 0 lets X start again, setenforce 1 causes it to fail
again.

Here are the audit logs starting from running 'setenforce 1', and then starting
X.  Note that X clients cannot connect to the X server using localhost.  Killing
X, then running 'setenforce 0' allows X to start.


type=AVC msg=audit(1152202223.489:661): avc:  granted  { setenforce } for 
pid=3352 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=MAC_STATUS msg=audit(1152202223.489:661): enforcing=1 old_enforcing=0 auid=1003
type=SYSCALL msg=audit(1152202223.489:661): arch=40000003 syscall=4 success=yes
exit=1 a0=3 a1=bf9c11c4 a2=1 a3=bf9c11c4 items=0 ppid=3326 pid=3352 auid=1003
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1
comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0
type=AVC msg=audit(1152202229.397:662): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32802 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202229.397:662): arch=40000003 syscall=102
success=yes exit=30 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202229.397:662): nargs=4 a0=6 a1=bfb6b210 a2=1e
a3=4000
type=AVC msg=audit(1152202234.406:663): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32803 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202234.406:663): arch=40000003 syscall=102
success=yes exit=51 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202234.406:663): nargs=4 a0=6 a1=bfb6b210 a2=33
a3=4000
type=AVC msg=audit(1152202235.018:664): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=60.56.119.79 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1152202235.018:664): arch=40000003 syscall=102 success=no
exit=-1 a0=b a1=bfa8df50 a2=4cba98 a3=30 items=0 ppid=1 pid=1962 auid=4294967295
uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none)
comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0
type=SOCKADDR msg=audit(1152202235.018:664): saddr=0200007B3C38774F0000000000000000
type=SOCKETCALL msg=audit(1152202235.018:664): nargs=6 a0=10 a1=bfa8e020 a2=30
a3=0 a4=4d5e08 a5=10
type=AVC msg=audit(1152202239.018:665): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=62.3.211.186 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1152202239.018:665): arch=40000003 syscall=102 success=no
exit=-1 a0=b a1=bfa8df50 a2=4cba98 a3=30 items=0 ppid=1 pid=1962 auid=4294967295
uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none)
comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0
type=SOCKADDR msg=audit(1152202239.018:665): saddr=0200007B3E03D3BA0000000000000000
type=SOCKETCALL msg=audit(1152202239.018:665): nargs=6 a0=10 a1=bfa8e020 a2=30
a3=0 a4=4d5b08 a5=10
type=AVC msg=audit(1152202239.414:666): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32804 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202239.414:666): arch=40000003 syscall=102
success=yes exit=42 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202239.414:666): nargs=4 a0=6 a1=bfb6b210 a2=2a
a3=4000
type=AVC msg=audit(1152202244.418:667): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32805 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202244.418:667): arch=40000003 syscall=102
success=yes exit=30 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202244.418:667): nargs=4 a0=6 a1=bfb6b210 a2=1e
a3=4000
type=AVC msg=audit(1152202249.431:668): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32806 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202249.431:668): arch=40000003 syscall=102
success=yes exit=51 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202249.431:668): nargs=4 a0=6 a1=bfb6b210 a2=33
a3=4000
type=AVC msg=audit(1152202254.435:669): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32807 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202254.435:669): arch=40000003 syscall=102
success=yes exit=42 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202254.435:669): nargs=4 a0=6 a1=bfb6b210 a2=2a
a3=4000
type=AVC msg=audit(1152202259.435:670): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32808 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202259.435:670): arch=40000003 syscall=102
success=yes exit=28 a0=9 a1=bfb6aeb0 a2=aa7ff4 a3=5 items=0 ppid=3370 pid=3371
auid=1003 uid=1003 gid=1003 euid=0 suid=0 fsuid=0 egid=1003 sgid=1003 fsgid=1003
tty=tty1 comm="X" exe="/usr/bin/Xorg" subj=user_u:system_r:xdm_xserver_t:s0
type=SOCKETCALL msg=audit(1152202259.435:670): nargs=4 a0=6 a1=bfb6b210 a2=1c
a3=4000
Comment 1 Daniel Walsh 2006-07-11 10:40:17 EDT
Fixed in selinux-policy-2.3.2-1
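
An added triage example, not part of the original report or of selinux-policy: it re-joins the hard-wrapped audit records shown in the description and counts AVC denials by source type, target type, class and permission. The sample input is abridged from the log in this report; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: records abridged from the log in this report, still hard-wrapped.
SAMPLE = """\
type=AVC msg=audit(1152202229.397:662): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32802 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=SYSCALL msg=audit(1152202229.397:662): arch=40000003 syscall=102 comm="X"
type=AVC msg=audit(1152202234.406:663): avc:  denied  { recv } for  pid=3371
comm="X" saddr=127.0.0.1 src=32803 daddr=127.0.0.1 dest=53 netif=lo
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
type=AVC msg=audit(1152202235.018:664): avc:  denied  { send } for  pid=1962
comm="ntpd" saddr=10.9.71.115 src=123 daddr=60.56.119.79 dest=123
netif=dev1804289383 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"""

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def join_records(text):
    """Re-join wrapped lines; every audit record starts with 'type='."""
    return [" ".join(r.split()) for r in re.split(r'\n(?=type=)', text.strip())]

def ctx_type(ctx):
    """Return the type field of a user:role:type[:level] context, or '?'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else "?"

def summarize_denials(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not rec.startswith("type=AVC") or not m or m.group(1) != "denied":
            continue  # skip SYSCALL/SOCKETCALL records and granted AVCs
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', rec))
        src, tgt = ctx_type(f.get("scontext", "")), ctx_type(f.get("tcontext", ""))
        for perm in m.group(2).split():
            counts[(src, tgt, f.get("tclass", "?"), perm)] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {tgt} : {cls} {{ {perm} }}")
```

On the sample, both denial groups are tclass=packet checks against unlabeled_t.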
