Bug 403081 - SElinux denies loadkeys access to .xsession-errors when changing keyboard with system-config-keyboard
SElinux denies loadkeys access to .xsession-errors when changing keyboard wit...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-28 11:04 EST by Oliver Henshaw
Modified: 2007-12-12 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-12 17:10:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Oliver Henshaw 2007-11-28 11:04:11 EST
Version-Release number of selected component (if applicable):

kbd-1.12-27.fc8

How reproducible:

After using system-config-keyboard to select a keyboard (even if it's the same
keyboard as before) I get a selinux troubleshooter alert.

Additional info:

Summary
    SELinux is preventing loadkeys (loadkeys_t) "write" to /home/henshaw
    /.xsession-errors (unconfined_home_t).

Detailed Description
    SELinux denied access requested by loadkeys. /home/henshaw/.xsession-errors
    may be a mislabeled.  /home/henshaw/.xsession-errors default SELinux type is
    <B>user_home_t</B>, while its current type is <B>unconfined_home_t</B>.
    Changing this file back to the default type, may fix your problem. File
    contexts can get assigned to a file can following ways.  <ul> <li>Files
    created in a directory recieve the file context of the parent directory by
    default. <li>Users can change the file context on a file using tools like
    chcon, or restorecon. <li>The kernel can decide via policy that an
    application running as context A Creating a file in a directory labeled B
    will create files labeled C. </ul> This file could have been mislabeled
    either by user error, or if an normally confined application was run under
    the wrong domain. Of course this could also indicate a bug in SELinux, in
    that the file should not be labeled with this type.  If you believe this is
    a bug, please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    You can restore the default system context to this file by executing the
    restorecon command.  restorecon /home/henshaw/.xsession-errors, if this file
    is a directory, you can recursively restore using restorecon -R
    /home/henshaw/.xsession-errors.

    The following command will allow this access:
    restorecon /home/henshaw/.xsession-errors

Additional Information        

Source Context                system_u:system_r:loadkeys_t:s0
Target Context                unconfined_u:object_r:unconfined_home_t:s0
Target Objects                /home/henshaw/.xsession-errors [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.restorecon
Host Name                     mostin
Platform                      Linux mostin 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Wed 28 Nov 2007 14:15:04 GMT
Last Seen                     Wed 28 Nov 2007 14:15:04 GMT
Local ID                      d2196c88-b709-43c2-900c-463a0c5553cc
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=loadkeys dev=dm-6 path=/home/henshaw/.xsession-
errors pid=4012 scontext=system_u:system_r:loadkeys_t:s0 tclass=file
tcontext=unconfined_u:object_r:unconfined_home_t:s0
Comment 1 Daniel Walsh 2007-12-01 08:17:16 EST
You can safely ignore this, this is just a redirection of loadkeys terminal to
this file.

Fixed in selinux-policy-3.0.8-63.fc8
Comment 2 Oliver Henshaw 2007-12-12 11:02:42 EST
This does appear to be solved on updating to selinux-policy-3.0.8-64.fc8. I'm
not sure what the proper bugzilla resolution etiquette is.
Comment 3 Daniel Walsh 2007-12-12 17:10:00 EST
Just close the bug.  :^)

Note You need to log in before you can comment on or make changes to this bug.