Description of problem:
not much to add to summary. This is current Rawhide out of static-repos in koji.

Version-Release number of selected component (if applicable):
[matej@hubmaier ~]$ rpm -qa xorg-x11\*server\*
xorg-x11-server-debuginfo-1.4.99.1-0.23.20080222.fc9.x86_64
xorg-x11-server-common-1.4.99.901-1.20080307.fc9.x86_64
xorg-x11-server-Xorg-1.4.99.901-1.20080307.fc9.x86_64
xorg-x11-server-utils-7.3-3.fc9.x86_64
[matej@hubmaier ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.3.1-12.fc9.noarch
[matej@hubmaier ~]$

How reproducible:
100%

Steps to Reproduce:
1. setenforce 1
2.
3.

Actual results:
wait for the crash

Expected results:
nothing, it should just work

Additional info:
I found a lot of the different AVC denials in my computer. More than I could imagine. I will file a different bug for that.
Created attachment 297465 [details] /var/log/Xorg.0.log
Created attachment 297466 [details] /etc/X11/xorg.conf
all-problems-with-selinux bug is bug 436820
Created attachment 297469 [details] output of grep X /var/log/audit/audit.log

[matej@hubmaier ~]$ grep X /tmp/audit.log |wc -l
1594
[matej@hubmaier ~]$
So you boot the machine in permissive mode and then turn on enforcing?
Yes, that's what I did. Now I have to stay in the permissive mode all the time.
What? computer or X? Computer works like a charm (THANKS!), but X doesn't.
What avc messages are you seeing? Please attach audit.log.
see bug 436820 where the audit.log is attached as the attachment 297468 [details]
Could you please update to today's rawhide and see if you still have problems in enforcing mode.
OK, it didn't crash, but currently I am in 14251 times AVC denied this (and counting ;-)):

Summary:

SELinux is preventing init (init_t) "sendto" to 002F636F6D2F7562756E74752F757073746172742F33353436 (initrc_t).

Detailed Description:

SELinux denied access requested by init. It is not expected that this access is required by init and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:init_t
Target Context                system_u:system_r:initrc_t
Target Objects                002F636F6D2F7562756E74752F757073746172742F33353436 [ unix_dgram_socket ]
Source                        init
Source Path                   <Unknown>
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-15.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.25-0.113.rc5.git2.fc9 #1 SMP Tue Mar 11 22:33:43 EDT 2008 x86_64 x86_64
Alert Count                   13370
First Seen                    Wed 12 Mar 2008 12:52:49 CET
Last Seen                     Wed 12 Mar 2008 12:53:23 CET
Local ID                      cbc41da7-f5cc-42f4-9bd1-9c48be382efb
Line Numbers

Raw Audit Messages

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205322803.157:30035): avc: denied { sendto } for pid=1 comm="init" path=002F636F6D2F7562756E74752F757073746172742F33353436 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
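The unquoted hex `path` in the raw audit message above is how the audit subsystem writes a value containing unsafe bytes, here the leading NUL of an abstract Unix socket name. The following is an added example, not part of the original bug comments, that parses that AVC record and decodes the target; the function names and the `@` rendering of the leading NUL are choices made for this example.

```python
import re

# Raw AVC record copied from the comment above.
SAMPLE = (
    'host=hubmaier.ceplovi.cz type=AVC msg=audit(1205322803.157:30035): '
    'avc: denied { sendto } for pid=1 comm="init" '
    'path=002F636F6D2F7562756E74752F757073746172742F33353436 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket'
)

# Only string fields are ever hex-encoded by audit; numeric fields such as
# pid must not be decoded even when they happen to look like valid hex.
HEX_CAPABLE = {"path", "comm", "name", "exe"}
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(key, raw):
    """Return the readable form of one audit field value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                      # quoted: literal string
    if (key in HEX_CAPABLE and len(raw) % 2 == 0
            and re.fullmatch(r'[0-9A-Fa-f]+', raw)):
        data = bytes.fromhex(raw)             # bare hex: encoded bytes
        text = data.decode('utf-8', errors='backslashreplace')
        if data[:1] == b'\x00':               # abstract socket namespace
            return '@' + text[1:]
        return text
    return raw


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw in PAIR_RE.findall(m.group(2)):
        rec[key] = decode_value(key, raw)
    return rec


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    src, tgt = rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2]
    print(f'{src} -> {tgt} {rec["perms"]} on {rec["tclass"]} {rec["path"]}')
```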
And it really doesn't matter that I have switched (from gnome-terminal) SELinux to Permissive -- 17700+, now actually most of the activity of the computer seems to be consumed by setroubleshootd :-) Will try to relabel if that helps.
Grab selinux-policy-3.3.1-16.fc9 out of Koji when it finishes building and see if that fixes your problem.
I'm just going to flip x-selinux off by default for F9.

*** This bug has been marked as a duplicate of 436404 ***
(In reply to comment #15)
> Grab selinux-policy-3.3.1-16.fc9 out of Koji when it finishes building and see
> if that fixes your problem.

Yes, now it works -- I have Xorg in the Enforcing mode again. Thanks.