Bug 396231 - SELinux error, even after relabelling system
Product: Fedora
Classification: Fedora
Component: xorg-x11-server
All Linux
low Severity low
Assigned To: Adam Jackson
Fedora Extras Quality Assurance
: SELinux
Reported: 2007-11-22 21:38 EST by Jim Cornette
Modified: 2007-12-01 23:29 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-12-01 23:29:09 EST

Attachments
xorg log without xorg.conf today (29.59 KB, text/plain)
2007-11-23 11:20 EST, Jim Cornette
log from previous running xorg yesterday (30.06 KB, text/plain)
2007-11-23 11:22 EST, Jim Cornette
xorg.conf generated through running X session (828 bytes, text/plain)
2007-11-23 11:59 EST, Jim Cornette
Xorg.0.log.old after /.autorelabel ... (26.32 KB, text/plain)
2007-11-23 12:41 EST, Jim Cornette

Description Jim Cornette 2007-11-22 21:38:04 EST
Description of problem:
SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "search" to (hwdata_t).

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg- [application]

How reproducible:
Remove rpm and reinstall after seeing the error in setroubleshooter browser.
relabel system and check again
Error is still present.

Steps to Reproduce:
Drop to runlevel 1 and stop networking.
setenforce 0
fixfiles relabel
shutdown -Fr
boot into runlevel 3
check troubleshooter browser
file report since error is still present
Actual results:
    SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "search" to <Unknown>

Detailed Description
    SELinux denied access requested by /usr/bin/Xorg. It is not expected that
    this access is required by /usr/bin/Xorg and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_xserver_t
Target Context                system_u:object_r:hwdata_t
Target Objects                None [ dir ]
Affected RPM Packages         xorg-x11-server-Xorg-
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   2
First Seen                    Thu 22 Nov 2007 09:11:35 PM EST
Last Seen                     Thu 22 Nov 2007 09:11:36 PM EST
Local ID                      16f17e36-1797-4e4c-ac1a-c13eb3baed71
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=X dev=sda6 egid=500 euid=0 exe=/usr/bin/Xorg
exit=-13 fsgid=500 fsuid=0 gid=500 items=0 name=hwdata pid=2420
scontext=system_u:system_r:xdm_xserver_t:s0 sgid=500
subj=system_u:system_r:xdm_xserver_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:hwdata_t:s0 tty=tty7 uid=500

Expected results:
no errors, system working properly

Additional info:
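
Added example (not part of the original report, and not setroubleshoot's or audit2allow's own code): a Python sketch that parses the raw audit message quoted above and derives the type-enforcement rule a local policy module would have to contain for this denial. The function names are hypothetical, and the parser assumes unquoted `key=value` fields without embedded spaces, as in the record on this page.

```python
import re

# Raw audit message copied from the report above, wrapped as setroubleshoot printed it.
RAW_AVC = """\
avc: denied { search } for comm=X dev=sda6 egid=500 euid=0 exe=/usr/bin/Xorg
exit=-13 fsgid=500 fsuid=0 gid=500 items=0 name=hwdata pid=2420
scontext=system_u:system_r:xdm_xserver_t:s0 sgid=500
subj=system_u:system_r:xdm_xserver_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:hwdata_t:s0 tty=tty7 uid=500
"""

AVC_HEAD = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(record):
    """Return the fields of one AVC record as a dict (hypothetical helper)."""
    text = " ".join(record.split())          # undo the line wrapping
    match = AVC_HEAD.search(text)
    if match is None:
        raise ValueError("not an AVC record")
    fields = {}
    for token in match.group(3).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')   # audit.log quotes some values
    fields["result"] = match.group(1)
    fields["perms"] = match.group(2).split()  # "{ read search }" -> two perms
    return fields


def context_type(context):
    """Extract the type from user:role:type[:mls-level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % context)
    return parts[2]


def te_rule(fields):
    """Build the allow rule that corresponds to the denied access."""
    perms = fields["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(fields["scontext"]),
        context_type(fields["tcontext"]),
        fields["tclass"],
        perm_str,
    )


if __name__ == "__main__":
    print(te_rule(parse_avc(RAW_AVC)))
```

The rule names a pair of types and an object class, not a file path, so it states what the loaded policy would have to permit for this access to succeed.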
Comment 1 Matěj Cepl 2007-11-23 06:47:02 EST
It's better to do relabel with touch /.autorelabel; reboot.

Also, please attach your X server config file (/etc/X11/xorg.conf) and X server
log file (/var/log/Xorg.*.log) to the bug report as individual uncompressed file
attachments using the bugzilla file attachment link below.

Could you please also try to run without any /etc/X11/xorg.conf whatsoever and
let X11 autodetect your display and video card? Attach to this bug
/var/log/Xorg.0.log from this attempt as well, please.

We will review this issue again once you've had a chance to attach this information.

Thanks in advance.
Comment 2 Jim Cornette 2007-11-23 11:17:53 EST
The problem that I have with touch /.autorelabel is the thermal control features
are not active and since the process takes a long time, the computer shuts off.
Regarding the xorg.conf file, I am currently running without an xorg.conf file.
I cannot use either the touchpad or the USB mouse with an xorg.conf file.
I'll submit the /var/log/Xorg.0.log* files without the xorg.conf file.
If I can relabel with touch /.autorelabel or generate an xorg.conf file, I will
send in those as attachments to the report.
Attached logs will be next submittal.
Comment 3 Jim Cornette 2007-11-23 11:20:16 EST
Created attachment 267671 [details]
xorg log without xorg.conf today

Here is the currently running X log
Comment 4 Jim Cornette 2007-11-23 11:22:17 EST
Created attachment 267681 [details]
log from previous running xorg yesterday

This may be similar to the currently running log
Comment 5 Jim Cornette 2007-11-23 11:59:39 EST
Created attachment 267701 [details]
xorg.conf generated through running X session

Since s-c-display does not work with the touchpad or USB mouse from the console
invoking of X, here is a file generated while running X where I have usage of
the pointing devices. A touch /.autorelabel will be tried next
Comment 6 Jim Cornette 2007-11-23 12:41:49 EST
Created attachment 267711 [details]
Xorg.0.log.old after /.autorelabel ...

This is the error log when booted up with GUI generated xorg.conf file on a
reboot after touch /.autorelabel completed.
I had no mouse but X started. The SELinux errors are present and with multiple
entries for occurrence. Autorelabel boot stressed system but the cooler
temperatures allowed completion without safety temperature related shutdowns.
Comment 7 Jim Cornette 2007-12-01 23:29:09 EST
Closing bug since I am not getting any more errors after relabeling and several
policy updates. xorg-x11-server-Xorg is the same version as it was on initial
bug reporting.

I believe I was trying to start X from runlevel 5 after gdm failed to start with
startx. I tried changing to runlevel 3 before starting X with startx with no
errors reporting. I also was able to start X with SELinux in permissive mode via
a partially working gdm which I could click on the user followed by entering the
password without receiving this particular error.

I will report the existing errors and call this one resolved for now.
Insufficient data since it is not happening now.
