Bug 334381 - SELinux policy errors
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-16 10:29 EDT by Zdenek Kabelac
Modified: 2008-01-30 14:19 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:19:07 EST
Attachments
setroubleshoot output after reboot (7.62 KB, application/x-bzip)
2007-10-19 05:58 EDT, Zdenek Kabelac

Description Zdenek Kabelac 2007-10-16 10:29:03 EDT
Description of problem:

Some SELinux errors I'm receiving:

SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "read" to (initrc_t).

Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:initrc_t:s0
Target Objects:  None [ shm ]
Affected RPM Packages:  xorg-x11-server-Xorg-1.3.0.0-30.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  2
First Seen:  Út 16. říjen 2007, 11:06:52 CEST
Last Seen:  Út 16. říjen 2007, 15:47:06 CEST
Local ID:  672ef70c-49e6-48bf-a652-527afde4ec6d
Line Numbers:

Raw Audit Messages:

avc: denied { read } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg exit=-1023295488 fsgid=0 fsuid=0 gid=0 items=0 pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:initrc_t:s0 tty=tty7 uid=0
---------------------------------------

SELinux is preventing X (xdm_xserver_t) "getattr associate" to (initrc_t).

Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:initrc_t:s0
Target Objects:  None [ shm ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  4
First Seen:  Čt 11. říjen 2007, 12:30:17 CEST
Last Seen:  Út 16. říjen 2007, 11:29:19 CEST
Local ID:  843413c5-ed24-4e2a-9b70-7372ca512a5c
Line Numbers:

Raw Audit Messages:

avc: denied { getattr associate } for comm=X pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0

-------------------------------------------------
SELinux is preventing X (xdm_xserver_t) "unix_read" to (initrc_t).


Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:initrc_t:s0
Target Objects:  None [ shm ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  15
First Seen:  Út 9. říjen 2007, 15:56:52 CEST
Last Seen:  Út 16. říjen 2007, 11:29:19 CEST
Local ID:  0bc6e292-1c50-45a5-8bee-6b2bc28966c5
Line Numbers:

Raw Audit Messages:

avc: denied { unix_read } for comm=X pid=2842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm tcontext=system_u:system_r:initrc_t:s0

Comment 1 Daniel Walsh 2007-10-16 23:07:16 EDT
Which process on your machine is running as initrc_t?

ps -eZ | grep initrc_t

Comment 2 Zdenek Kabelac 2007-10-17 04:05:54 EDT
[root@]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0    2265 ?        00:00:01 vmware-serverd
system_u:system_r:initrc_t:s0    2356 ?        00:00:00 nasd
system_u:system_r:initrc_t:s0    2534 ?        00:00:00 libvirtd
system_u:system_r:initrc_t:s0    4390 ?        00:00:03 vmware-vmx
Comment 3 Daniel Walsh 2007-10-17 08:36:48 EDT
What is the path to vmware-serverd and vmware-vmx?

If you run chcon -t vmware_exec_t vmware-serverd vmware-vmx

Do things work better?
Comment 4 Zdenek Kabelac 2007-10-17 09:00:06 EDT
/usr/sbin/vmware-serverd
/usr/lib/vmware/bin/vmware-vmx


And I'll watch whether the messages disappear after the chcon command.
Comment 5 Daniel Walsh 2007-10-17 14:16:22 EDT
Fixed vmware context in selinux-policy-3.0.8-24.fc8.src.rpm
Comment 6 Zdenek Kabelac 2007-10-19 05:58:40 EDT
Created attachment 232391
setroubleshoot output after reboot

Hi
Actually after today's update & reboot I'm getting many more SELinux errors than
I used to get before this update. See the attached log file - I guess it's
more readable than copying them here one-by-one
Comment 7 Daniel Walsh 2007-10-19 10:23:19 EDT
Please attach audit.log.
We are investigating other problems.
Comment 8 Daniel Walsh 2008-01-30 14:19:07 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
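
The triage the comments walk through (read the denial, then find what is running as initrc_t) can be scripted. The Python below is an added example, not part of the bug report or of selinux-policy: it merges the report's AVC records by source type, target type and object class, and lists the processes in the target domain from `ps -eZ` output. The helper names and the X row in the sample are constructed.

```python
import re

# The three AVC records quoted in the report, trimmed to the fields used here.
CTX = ("scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=shm "
       "tcontext=system_u:system_r:initrc_t:s0")
AVC_LINES = [
    "avc: denied { read } for comm=X exe=/usr/bin/Xorg pid=2842 " + CTX,
    "avc: denied { getattr associate } for comm=X pid=2842 " + CTX,
    "avc: denied { unix_read } for comm=X pid=2842 " + CTX,
]
# `ps -eZ` rows from comment 2; the final X row is constructed for contrast.
PS_EZ = """\
system_u:system_r:initrc_t:s0    2265 ?        00:00:01 vmware-serverd
system_u:system_r:initrc_t:s0    2356 ?        00:00:00 nasd
system_u:system_r:initrc_t:s0    2534 ?        00:00:00 libvirtd
system_u:system_r:initrc_t:s0    4390 ?        00:00:03 vmware-vmx
system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 2842 tty7 00:01:12 X
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def type_of(context):
    """Type field of a user:role:type[:level] context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return (source_type, target_type, class, perms), or None if not an AVC."""
    m = AVC_RE.search(line)
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return (type_of(kv["scontext"]), type_of(kv["tcontext"]),
            kv["tclass"], set(m.group(1).split()))

def summarize(lines):
    """Merge denials that share source type, target type and object class."""
    merged = {}
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return merged

def procs_in_domain(ps_output, domain):
    """List (pid, command) for `ps -eZ` rows whose label has the given type."""
    rows = (r.split(None, 4) for r in ps_output.splitlines())
    return [(int(r[1]), r[4]) for r in rows
            if len(r) == 5 and type_of(r[0]) == domain]

if __name__ == "__main__":
    print(summarize(AVC_LINES), procs_in_domain(PS_EZ, "initrc_t"))
```

On the report's data the three alerts collapse to a single xdm_xserver_t to initrc_t denial on class shm, and the initrc_t process list is the one Comment 2 shows.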
