Bug 326491 - selinux is denying a bunch of actions to X
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-10-10 12:02 EDT by Julian Sikorski
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-10-22 12:15:40 EDT
Doc Type: Bug Fix
Attachments: None

Description Julian Sikorski 2007-10-10 12:02:46 EDT
Description of problem:
While skimming through the logs looking for an unrelated issue, I discovered a
bunch of new selinux denials (they were not there before I upgraded to
rawhide). The first part is connected with salsa:
audit(1192029420.860:6): avc:  denied  { execstack } for  pid=2559 comm="X"
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
audit(1192029430.600:7): avc:  denied  { ioctl } for  pid=2559 comm="X"
path="inotify" dev=inotifyfs ino=1
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1192029530.658:8): avc:  denied  { read } for  pid=2559 comm="X"
path="inotify" dev=inotifyfs ino=1
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1192029716.599:9): avc:  denied  { search } for  pid=2559 comm="X"
name="3009" dev=proc ino=11841
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_t:s0 tclass=dir
audit(1192029716.599:10): avc:  denied  { getattr } for  pid=2559 comm="X"
path="/proc/3009/cmdline" dev=proc ino=11842
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_t:s0 tclass=file
audit(1192030517.267:12): avc:  denied  { read write } for  pid=2559 comm="X"
path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=1474596
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-18.fc8

How reproducible:
always

Additional info:
obtained with dmesg | grep audit
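A small parser for avc records like the ones above, added here as an illustration and not part of the original report or of any Fedora tool. It splits each record into its key=value fields, decodes the bare-hex path in the last record (the kernel hex-encodes a path that contains spaces or non-printable bytes, which is why the rpm_tmpfs_t object is unreadable at a glance), and groups denials by source type, target type and class the way a triager would before deciding whether a rule or a bug fix is the right answer. The two sample lines are constructed from this report.

```python
import re
import binascii

# Constructed sample: two of the avc records from this report, joined onto one line each.
AVC_LINES = [
    'audit(1192029420.860:6): avc:  denied  { execstack } for  pid=2559 comm="X" '
    'scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process',
    'audit(1192030517.267:12): avc:  denied  { read write } for  pid=2559 comm="X" '
    'path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=1474596 '
    'scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_tmpfs_t:s0 tclass=file',
]

AVC_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)'
                    r'\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the kernel emits as bare hex when the value contains spaces or non-printable bytes.
HEX_FIELDS = {'path', 'name', 'comm', 'exe'}

def decode_field(key, value):
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]                      # plain quoted string
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return binascii.unhexlify(value).decode('utf-8', 'replace')
    return value

def parse_avc(line):
    """Return one avc record as a dict, or None if the line is not an avc message."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {'serial': int(m.group('serial')), 'result': m.group('result'),
           'perms': m.group('perms').split()}
    for key, raw in KV_RE.findall(m.group('rest')):
        rec[key] = decode_field(key, raw)
    # The type (third field of user:role:type:level) is what allow rules are written against.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

def summarize(lines):
    """Group denials audit2allow-style: (source type, target type, class) -> permissions."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'denied':
            key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
            groups.setdefault(key, set()).update(rec['perms'])
    return groups
```

Decoding the path shows the rpm_tmpfs_t object is a deleted SysV shared-memory segment on tmpfs, which is consistent with the inherited-descriptor explanation discussed in the comments rather than a file X opened itself.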
Comment 1 Julian Sikorski 2007-10-10 12:03:57 EDT
Forgive me the stupid copy-paste error. The errors concern X, of course.
Comment 2 Daniel Walsh 2007-10-10 16:12:03 EDT
I added policy to selinux-policy-3.0.8-21 for inotify.

X should not require execstack.  Are you using NVIDIA drivers?

xserver reading rpm_tmpfs_t looks like a file descriptor leak.  How was this
package upgraded?

Any idea why xserver would be reading the cmdline of the login user?
Comment 3 Julian Sikorski 2007-10-10 16:22:23 EDT
(In reply to comment #2)
> I added policy to selinux-policy-3.0.8-21 for inotify.
> 
> X should not require execstack.  Are you using NVIDIA drivers?
> 
Yes, I am. FYI, this was not the issue in f7.

> xserver reading rpm_tmpfs_t looks like a file descriptor leak.  How was this
> package upgraded?
> 
I upgraded from f7 to f8t3 and then ran yum update several times.

> Any idea why xserver would be reading the cmdline of the login user?
Thinkfinger maybe?
Comment 4 Daniel Walsh 2007-10-11 15:02:37 EDT
f7 ran an unconfined xserver, so this would be new in f8.

You will need to turn allow_xserver_execmem on:

setsebool -P allow_xserver_execmem=1

Well if you continue to see rpm_tmpfs_t you should report this as a bug in yum.

Does thinkfinger work?
Comment 5 Julian Sikorski 2007-10-11 15:42:01 EDT
Yes, thinkfinger does work. On second look, it looks like it is unrelated, as
setroubleshoot screamed about this denial in the middle of being logged in, when
no swipe prompt is present. The reason must be different then.
Comment 6 Julian Sikorski 2007-10-15 08:38:20 EDT
OK, inotify seems to be gone. What exactly can I do about rpm_tmpfs_t?
Comment 7 Daniel Walsh 2007-10-15 13:41:10 EDT
Ok, I looked at it again, and I decided to add policy.

fixed in selinux-policy-3.0.8-23.fc8.src.rpm
Comment 8 Julian Sikorski 2007-10-21 08:41:35 EDT
Things that were supposed to be fixed are fixed. I'll open a separate bug report for
the cmdline issue.