systemd-localed manages the X11 keyboard configuration at /etc/X11/xorg.conf.d/00-keyboard.conf. This file isn't just used for X11, but is canonically parsed by various Wayland-based tools and such in order to obtain the XKB keyboard layout config (yay legacy).

This works fine if /etc/X11/xorg.conf.d exists. However, if it doesn't, systemd-localed tries to create the directory, and gets denied by SELinux. If the parent /etc/X11 does not exist either, that gets created too. So systemd-localed needs create access to:

- /etc/X11
- /etc/X11/xorg.conf.d

SELinux deny report:

----
SELinux is preventing systemd-localed from create access on the directory xorg.conf.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-localed should be allowed create access on the xorg.conf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-localed' --raw | audit2allow -M my-systemdlocaled
# semodule -X 300 -i my-systemdlocaled.pp

Additional Information:
Source Context                system_u:system_r:systemd_localed_t:s0
Target Context                system_u:object_r:xserver_etc_t:s0
Target Objects                xorg.conf.d [ dir ]
Source                        systemd-localed
Source Path                   systemd-localed
Port                          <Unknown>
Host                          macherie
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.28-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.28-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     macherie
Platform                      Linux macherie 6.5.4-402.asahi.fc38.aarch64+16k #1 SMP PREEMPT_DYNAMIC Thu Sep 21 11:57:55 UTC 2023 aarch64
Alert Count                   3
First Seen                    2023-09-22 15:17:02 JST
Last Seen                     2023-09-22 15:17:27 JST
Local ID                      9a2e81e9-f57f-4c71-80ea-a0da04dca58e

Raw Audit Messages
type=AVC msg=audit(1695363447.636:377): avc: denied { create } for pid=3121 comm="systemd-localed" name="xorg.conf.d" scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0

Hash: systemd-localed,systemd_localed_t,xserver_etc_t,dir,create
---

Reproducible: Always

Steps to Reproduce:
1. Install a system with no X11 configs (so /etc/X11/xorg.conf.d does not exist, or delete/move it if it does)
2. `localectl set-x11-keymap us`

Actual Results:
/etc/X11/xorg.conf.d still does not exist, SELinux denial.

Expected Results:
/etc/X11/xorg.conf.d is created and 00-keyboard.conf within it.
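The report's suggested workaround pipes `ausearch --raw` into `audit2allow`, which turns each AVC denial into an allow rule. The script below is an added example, not part of the bug report or of the audit2allow tool: it reimplements just that extraction step in POSIX sh so the rule can be read before anything is installed. The input is constructed from the AVC, PROCTITLE and CWD records quoted in this report; the function names `avc_to_cil`, `enforced_denials` and `write_cil_module` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): turn AVC denial records into
# CIL allow rules, the step audit2allow performs, so the resulting rule can
# be reviewed before it is installed. Function names are this example's own.

# Constructed input: the three AVC records quoted in this report (raw alert,
# enforcing run, permissive run) plus two non-AVC records that must be ignored.
SAMPLE_AUDIT='type=PROCTITLE msg=audit(09/22/2023 02:48:22.657:493) : proctitle=/usr/lib/systemd/systemd-localed
type=CWD msg=audit(09/22/2023 02:48:22.657:493) : cwd=/
type=AVC msg=audit(1695363447.636:377): avc:  denied  { create } for  pid=3121 comm="systemd-localed" name="xorg.conf.d" scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(09/22/2023 02:48:22.657:493) : avc: denied { create } for pid=1706 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(09/22/2023 02:50:04.280:504) : avc: denied { create } for pid=1726 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=1'

# Print one CIL allow rule per distinct (source type, target type, class,
# permission set) found in AVC "denied" records read from stdin. The type is
# the third colon-separated field of a context (user:role:type:level), so a
# level such as s0-s0:c0.c1023 does not disturb the match.
avc_to_cil() {
    grep 'avc: *denied' |
    sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/(allow \2 \3 (\4 (\1)))/p' |
    sort -u
}

# Count only denials that were actually enforced (permissive=0), so a record
# captured in permissive mode is not mistaken for a real failure.
enforced_denials() {
    grep 'avc: *denied' | grep -c 'permissive=0'
}

# Write the rules as a CIL module at $1 (audit records on stdin) and print
# the install and verification commands. Nothing is installed by this script.
write_cil_module() {
    out=$1
    {
        echo ';; local workaround generated from AVC denials; remove once the'
        echo ';; distribution selinux-policy carries the fix'
        avc_to_cil
    } > "$out"
    echo "# semodule -i $out"
    echo "# sesearch -A -s systemd_localed_t -t xserver_etc_t -c dir -p create"
}

# Stand-alone run: show the generated rule, the enforced-denial count, and
# the module file written to a temporary path.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_cil
printf 'enforced denials: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | enforced_denials)"
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" | write_cil_module "$tmp"
cat "$tmp"
rm -f "$tmp"
```

Two things worth noting when reading the generated rule. The target type is xserver_etc_t even though the directory does not exist at the time of the denial: the policy assigns that type to the new directory through a type transition, which is why the permissive-mode run later in this report shows the created directory already labelled xserver_etc_t. And a module generated this way only covers denials that have already been logged; on a host where /etc/X11 itself is missing (the parent shows as etc_t in the PATH record), expect a further denial against that parent once the first rule is in place, which matches the report's statement that both directories need create access. The module is a local workaround until the updated selinux-policy package is installed.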
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(09/22/2023 02:48:22.657:493) : proctitle=/usr/lib/systemd/systemd-localed
type=PATH msg=audit(09/22/2023 02:48:22.657:493) : item=1 name=/etc/X11/xorg.conf.d nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/22/2023 02:48:22.657:493) : item=0 name=/etc/X11/ inode=137769 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/22/2023 02:48:22.657:493) : cwd=/
type=SYSCALL msg=audit(09/22/2023 02:48:22.657:493) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x557c22a4c0ea a2=0755 a3=0x0 items=2 ppid=1 pid=1706 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-localed exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0 key=(null)
type=AVC msg=audit(09/22/2023 02:48:22.657:493) : avc: denied { create } for pid=1706 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
----

# rpm -qa selinux\*
selinux-policy-38.27-1.fc38.noarch
selinux-policy-targeted-38.27-1.fc38.noarch
#
Caught in permissive mode:
----
type=PROCTITLE msg=audit(09/22/2023 02:50:04.280:504) : proctitle=/usr/lib/systemd/systemd-localed
type=PATH msg=audit(09/22/2023 02:50:04.280:504) : item=1 name=/etc/X11/xorg.conf.d inode=262180 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xserver_etc_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/22/2023 02:50:04.280:504) : item=0 name=/etc/X11/ inode=137769 dev=fc:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/22/2023 02:50:04.280:504) : cwd=/
type=SYSCALL msg=audit(09/22/2023 02:50:04.280:504) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=AT_FDCWD a1=0x5621a26be0ea a2=0755 a3=0x0 items=2 ppid=1 pid=1726 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-localed exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0 key=(null)
type=AVC msg=audit(09/22/2023 02:50:04.280:504) : avc: denied { create } for pid=1726 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=1
----

# ls -ldZ /etc/X11/xorg.conf.d
drwxr-xr-x. 2 root root system_u:object_r:xserver_etc_t:s0 4096 Sep 22 02:50 /etc/X11/xorg.conf.d
# ls -lZ /etc/X11/xorg.conf.d/
total 4
-rw-r--r--. 1 root root system_u:object_r:xserver_etc_t:s0 311 Sep 22 02:50 00-keyboard.conf
#
Hector,

The directory exists in a common installation and is a part of the xorg-x11-server-Xorg package:

# rpm -qf /etc/X11/xorg.conf.d
xorg-x11-server-Xorg-1.20.14-23.fc38.x86_64

How can you get to the state where the directory does not exist?
When a Fedora machine is installed without any graphical applications, the picture looks this way:

# rpm -qa | grep -i -e x11 -e xorg
# rpm -qf /etc/X11/xorg.conf.d/
file /etc/X11/xorg.conf.d is not owned by any package
#
(In reply to Zdenek Pytela from comment #3)
> Hector,
>
> The directory exists in a common installation and is a part of the
> xorg-x11-server-Xorg package:
>
> # rpm -qf /etc/X11/xorg.conf.d
> xorg-x11-server-Xorg-1.20.14-23.fc38.x86_64
>
> How can you get to the state where the directory does not exist?

We do not install xorg-x11-server-Xorg in Fedora Asahi Remix images.
To add more context: XKB keyboard layouts are universally used by X11 and Wayland, and there needs to be a way to configure the systemwide XKB keyboard layout. For legacy reasons, a bunch of tools will parse the Xorg config file to figure out the configured layout, **even if Xorg is not in use in any way**. This is why localed messes with that file, and needs to do so even if Xorg isn't in the picture. So a pure Wayland machine will not (and should not) have xorg-x11-server-Xorg installed, and thus will not have that directory. But localectl still needs to work. This also affects machines without graphics packages at all, since they still have systemd-localed.
The problem is reproducible on RHEL-8 and RHEL-9 too.
Test coverage for this BZ exists in the form of a PR:
* https://src.fedoraproject.org/tests/selinux/pull-request/429

The PR waits for a review.
FEDORA-2023-b001a7edcc has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc
FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b001a7edcc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.