Red Hat Bugzilla – Bug 396231
SELinux error, even after relabelling system
Last modified: 2007-12-01 23:29:09 EST
Description of problem: SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "search" to (hwdata_t). Version-Release number of selected component (if applicable): xorg-x11-server-Xorg-1.4.99.1-0.10.fc9 [application] How reproducible: Remove rpm and reinstall after seeing the error in setroubleshooter browser. relabel system and check again Error is still present. Steps to Reproduce: Drop to runlevel 1 and stop networking. setenforce 0 fixfiles relabel shutdown -Fr boot into runlevel 3 startx check troubleshooter browser file report since error is still present Actual results: Summary SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "search" to <Unknown> (hwdata_t). Detailed Description SELinux denied access requested by /usr/bin/Xorg. It is not expected that this access is required by /usr/bin/Xorg and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:xdm_xserver_t Target Context system_u:object_r:hwdata_t Target Objects None [ dir ] Affected RPM Packages xorg-x11-server-Xorg-1.4.99.1-0.10.fc9 [application] Policy RPM selinux-policy-3.0.8-44.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name HP-JCF7 Platform Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 athlon Alert Count 2 First Seen Thu 22 Nov 2007 09:11:35 PM EST Last Seen Thu 22 Nov 2007 09:11:36 PM EST Local ID 16f17e36-1797-4e4c-ac1a-c13eb3baed71 Line Numbers Raw Audit Messages avc: denied { search } for comm=X dev=sda6 egid=500 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=500 fsuid=0 gid=500 items=0 name=hwdata pid=2420 scontext=system_u:system_r:xdm_xserver_t:s0 sgid=500 subj=system_u:system_r:xdm_xserver_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:hwdata_t:s0 tty=tty7 uid=500 Expected results: no errors, system working properly Additional info:
It's better to do relabel with touch /.autorelabel; reboot. Also, please attach your X server config file (/etc/X11/xorg.conf) and X server log file (/var/log/Xorg.*.log) to the bug report as individual uncompressed file attachments using the bugzilla file attachment link below. Could you please also try to run without any /etc/X11/xorg.conf whatsoever and let X11 autodetect your display and video card? Attach to this bug /var/log/Xorg.0.log from this attempt as well, please. We will review this issue again once you've had a chance to attach this information. Thanks in advance.
The problem that I have with touch /.autorelabel is the thermal control features are not active and since the process takes a long time, the computer shuts off. Regarding the xorg.conf file, I am currently running without an xorg.conf file. I cannot use either the touchpad of the USB mouse with an xorg.conf file. I'll submit the /var/log/Xorg.0.log* files without the xorg.conf file. If I can relabel with touch /.autorelabel orgenerate an xorg.conf file, I will send in those as attachments to the report. Attached logs will be next submittal.
Created attachment 267671 [details] xorg log without xorg.conf today Here is the currently running X log
Created attachment 267681 [details] log from previous running xorg yesterday This may be similar to the currently running log
Created attachment 267701 [details] xorg.conf generated through running X session Since s-c-display does not work with the touchpad or USB mouse from the console invoking of X, here is a file generated while running X where I have usage of the pointing devices. A touch /.autorelabel will be tried next
Created attachment 267711 [details] Xorg.0.log.old after /.autorelabel ... This is the error log when booted up with GUI generated xorg.conf file on a reboot after touch /.autorelabel completed. I had no mouse bu X started. The SELInux errors are present and with multiple entries for occurrence. Autorelabel boot stressed system but the cooler temperatures allowed completion without safety temperature related shutdowns.
Closing bug since I am not getting any more errors after relabeling and several policy updates. xorg-x11-server-Xorg is the same version as it was on initial bug reporting. I believe I was trying to start X from runlevel 5 after gdm failed to start with startx. I tried changing to runlevel 3 before starting X with startx with no errors reporting. I also was able to start X with SELinux in permissive mode via a partially working gdm which I could click on the user followed by entering the password without receiving this particular error. I will report the existing errors and call this one resolved for now. Insufficient data since it is not happening now.