Bug 334381 - SELinux policy errors
Summary: SELinux policy errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-10-16 14:29 UTC by Zdenek Kabelac
Modified: 2008-01-30 19:19 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:19:07 UTC
Type: ---
Embargoed:


Attachments
setroubleshoot output after reboot (7.62 KB, application/x-bzip)
2007-10-19 09:58 UTC, Zdenek Kabelac

Description Zdenek Kabelac 2007-10-16 14:29:03 UTC
Description of problem:

Some SELinux errors I'm receiving:

SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "read" to (initrc_t).

Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:initrc_t:s0
Target Objects:  None [ shm ]
Affected RPM Packages:  xorg-x11-server-Xorg-1.3.0.0-30.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  2
First Seen:  Út 16. říjen 2007, 11:06:52 CEST
Last Seen:  Út 16. říjen 2007, 15:47:06 CEST
Local ID:  672ef70c-49e6-48bf-a652-527afde4ec6d
Line Numbers:
Raw Audit Messages :
avc: denied { read } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg exit=-1023295488 fsgid=0 fsuid=0 gid=0 items=0 pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:initrc_t:s0 tty=tty7 uid=0
---------------------------------------

SELinux is preventing X (xdm_xserver_t) "getattr associate" to (initrc_t).

Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:initrc_t:s0
Target Objects:  None [ shm ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  4
First Seen:  Čt 11. říjen 2007, 12:30:17 CEST
Last Seen:  Út 16. říjen 2007, 11:29:19 CEST
Local ID:  843413c5-ed24-4e2a-9b70-7372ca512a5c
Line Numbers:
Raw Audit Messages :
avc: denied { getattr associate } for comm=X pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0

-------------------------------------------------
SELinux is preventing X (xdm_xserver_t) "unix_read" to (initrc_t).


Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:initrc_t:s0
Target Objects:  None [ shm ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  15
First Seen:  Út 9. říjen 2007, 15:56:52 CEST
Last Seen:  Út 16. říjen 2007, 11:29:19 CEST
Local ID:  0bc6e292-1c50-45a5-8bee-6b2bc28966c5
Line Numbers:
Raw Audit Messages :
avc: denied { unix_read } for comm=X pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0






Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2007-10-17 03:07:16 UTC
Which process on your machine is running as initrc_t?

ps -eZ | grep initrc_t



Comment 2 Zdenek Kabelac 2007-10-17 08:05:54 UTC
[root@]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0    2265 ?        00:00:01 vmware-serverd
system_u:system_r:initrc_t:s0    2356 ?        00:00:00 nasd
system_u:system_r:initrc_t:s0    2534 ?        00:00:00 libvirtd
system_u:system_r:initrc_t:s0    4390 ?        00:00:03 vmware-vmx


Comment 3 Daniel Walsh 2007-10-17 12:36:48 UTC
What is the path to vmware-serverd and vmware-vmx?

If you run chcon -t vmware_exec_t vmware-serverd vmware-vmx

Do things work better?

Comment 4 Zdenek Kabelac 2007-10-17 13:00:06 UTC
/usr/sbin/vmware-serverd
/usr/lib/vmware/bin/vmware-vmx


And I'll watch whether the messages disappear after the chcon command.

Comment 5 Daniel Walsh 2007-10-17 18:16:22 UTC
Fixed vmware context in selinux-policy-3.0.8-24.fc8.src.rpm


Comment 6 Zdenek Kabelac 2007-10-19 09:58:40 UTC
Created attachment 232391
setroubleshoot output after reboot

Hi
Actually, after today's update & reboot I'm getting many more SELinux errors than
I used to get before this update. See the attached log file - I guess it's
more readable than copying them here one by one.

Comment 7 Daniel Walsh 2007-10-19 14:23:19 UTC
Please attach audit.log.
We are investigating other problems.

Comment 8 Daniel Walsh 2008-01-30 19:19:07 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
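
The triage carried out in comments 1 to 4, as an added example (not part of the original report and not a Fedora or setroubleshoot tool): it groups the raw audit messages by source type, target type and class, then lists the processes running in the denied target domain, which are the candidates for a mislabelled executable. Function names are illustrative; the sample data is taken from the report, with the first audit record abridged.

```python
import re
from collections import defaultdict

# Raw audit messages (first one abridged) and `ps -eZ` rows from the report.
AVC_LOG = """\
avc: denied { read } for comm=X exe=/usr/bin/Xorg pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0 tty=tty7 uid=0
avc: denied { getattr associate } for comm=X pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0
avc: denied { unix_read } for comm=X pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0
"""
PS_EZ = """\
system_u:system_r:initrc_t:s0    2265 ?        00:00:01 vmware-serverd
system_u:system_r:initrc_t:s0    2356 ?        00:00:00 nasd
system_u:system_r:initrc_t:s0    2534 ?        00:00:00 libvirtd
system_u:system_r:initrc_t:s0    4390 ?        00:00:03 vmware-vmx
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize_denials(log):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, cannot be attributed
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        grouped[key].update(m.group(1).split())
    return dict(grouped)

def processes_in_domain(ps_output, domain):
    """List (pid, command) for `ps -eZ` rows whose type equals `domain`."""
    found = []
    for row in ps_output.splitlines():
        cols = row.split(None, 4)  # context, pid, tty, time, command
        if len(cols) == 5 and selinux_type(cols[0]) == domain:
            found.append((int(cols[1]), cols[4]))
    return found

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize_denials(AVC_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
        for pid, cmd in processes_in_domain(PS_EZ, tgt):
            print(f"  candidate owner in {tgt}: pid {pid} {cmd}")
```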

