Bug 396251 - SELinux is preventing the /usr/libexec/ck-get-x11-server-pid from using potentially mislabeled files (<Unknown>).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-22 21:49 EST by Jim Cornette
Modified: 2007-12-01 22:43 EST
Doc Type: Bug Fix
Last Closed: 2007-12-01 22:43:47 EST
Description Jim Cornette 2007-11-22 21:49:04 EST
Description of problem:
Mislabeled files even after relabeling the system from runlevel 1 and in
permissive mode

Version-Release number of selected component (if applicable):
ConsoleKit-x11-0.2.3-2.fc9 [application]

How reproducible:
remove package, reinstall and relabel filesystem.

Steps to Reproduce:
1. remove rpm
2. reinstall rpm
3. relabel filesystem
  
Actual results:
error persists

Expected results:
error to be resolved with relabel

Additional info:

Summary
    SELinux is preventing the /usr/libexec/ck-get-x11-server-pid from using
    potentially mislabeled files (<Unknown>).

Detailed Description
    SELinux has denied /usr/libexec/ck-get-x11-server-pid access to potentially
    mislabeled file(s) (<Unknown>).  This means that SELinux will not allow
    /usr/libexec/ck-get-x11-server-pid to use these files.  It is common for
    users to edit files in their home directory or tmp directories and then move
    (mv) them to system directories.  The problem is that the files end up with
    the wrong file context which confined applications are not allowed to
    access.

Allowing Access
    If you want /usr/libexec/ck-get-x11-server-pid to access this files, you
    need to relabel them using restorecon -v <Unknown>.  You might want to
    relabel the entire directory using restorecon -R -v <Unknown>.

Additional Information        

Source Context                system_u:system_r:consolekit_t
Target Context                system_u:object_r:user_home_t
Target Objects                None [ file ]
Affected RPM Packages         ConsoleKit-x11-0.2.3-2.fc9 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 22 Nov 2007 09:11:45 PM EST
Last Seen                     Thu 22 Nov 2007 09:11:45 PM EST
Local ID                      4066ed7e-e886-4fa8-b18e-c5b83d1faa41
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=ck-get-x11-serv dev=sda2 egid=500 euid=500
exe=/usr/libexec/ck-get-x11-server-pid exit=-13 fsgid=500 fsuid=500 gid=500
items=0 name=.Xauthority pid=2502 scontext=system_u:system_r:consolekit_t:s0
sgid=500 subj=system_u:system_r:consolekit_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:user_home_t:s0 tty=(none) uid=500
Comment 1 David Zeuthen 2007-11-26 13:54:22 EST
Please file SELinux bugs against the correct component.
Comment 2 Daniel Walsh 2007-12-01 08:25:39 EST
Fixed in selinux-policy-3.0.8-62.fc8
Comment 3 Jim Cornette 2007-12-01 22:43:47 EST
The last occurrence of this error was in runlevel 3 which only happened when
running startx. The error is no longer present. Closing bug as resolved. Thanks! 
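
The setroubleshoot summary in the description reports the target as `<Unknown>`, but the raw audit message names the object and both security contexts. The following is an added example, not part of the bug report or of any Fedora tool: it parses that raw record (the function names are hypothetical) and derives the type-enforcement rule the denial corresponds to, which is what a policy reviewer needs in order to decide between a relabel and a policy change.

```python
import re

# Raw AVC record from the bug description above, wrapped lines joined.
RAW_AVC = (
    "avc: denied { read } for comm=ck-get-x11-serv dev=sda2 egid=500 euid=500 "
    "exe=/usr/libexec/ck-get-x11-server-pid exit=-13 fsgid=500 fsuid=500 gid=500 "
    "items=0 name=.Xauthority pid=2502 scontext=system_u:system_r:consolekit_t:s0 "
    "sgid=500 subj=system_u:system_r:consolekit_t:s0 suid=500 tclass=file "
    "tcontext=system_u:object_r:user_home_t:s0 tty=(none) uid=500"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)", re.S)

def parse_avc(record):
    """Split one AVC record into verdict, permission list and key=value fields."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {}
    for tok in m.group(3).split():
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value.strip('"')  # audit.log quotes some values
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC record lacks " + key)
    return {"verdict": m.group(1), "perms": m.group(2).split(), "fields": fields}

def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]

def triage(record):
    """Summarise which domain was denied what on which object type."""
    avc = parse_avc(record)
    f, perms = avc["fields"], avc["perms"]
    src, tgt = type_of(f["scontext"]), type_of(f["tcontext"])
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return {
        "source_type": src, "target_type": tgt,
        "object": f.get("name", "<unknown>"),  # file name as seen by the kernel
        "rule": "allow %s %s:%s %s;" % (src, tgt, f["tclass"], perm_str),
    }
```

For the record in this bug, `triage(RAW_AVC)` identifies `.Xauthority` as the object and yields the rule `allow consolekit_t user_home_t:file read;`, the access that has to be reviewed against policy rather than loaded as-is.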
