Bug 436819 - X server crashes after couple of minutes most after SELinux is switched to enforcing mode.
X server crashes after couple of minutes most after SELinux is switched to en...
Status: CLOSED DUPLICATE of bug 436404
Product: Fedora
Classification: Fedora
Component: xorg-x11-server (Show other bugs)
rawhide
All Linux
low Severity high
: ---
: ---
Assigned To: Adam Jackson
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-10 13:15 EDT by Matěj Cepl
Modified: 2008-03-13 13:18 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-12 16:56:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
/var/log/Xorg.0.log (32.87 KB, text/plain)
2008-03-10 13:15 EDT, Matěj Cepl
no flags Details
/etc/X11/xorg.conf (462 bytes, text/plain)
2008-03-10 13:16 EDT, Matěj Cepl
no flags Details
output of grep X /var/log/audit/audit.log (307.11 KB, text/plain)
2008-03-10 13:25 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2008-03-10 13:15:25 EDT
Description of problem:
not much to add to summary. This is current Rawhide out of static-repos in koji. 

Version-Release number of selected component (if applicable):
[matej@hubmaier ~]$ rpm -qa xorg-x11\*server\*
xorg-x11-server-debuginfo-1.4.99.1-0.23.20080222.fc9.x86_64
xorg-x11-server-common-1.4.99.901-1.20080307.fc9.x86_64
xorg-x11-server-Xorg-1.4.99.901-1.20080307.fc9.x86_64
xorg-x11-server-utils-7.3-3.fc9.x86_64
[matej@hubmaier ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.3.1-12.fc9.noarch
[matej@hubmaier ~]$ 

How reproducible:
100%

Steps to Reproduce:
1.setenforce 1
2.
3.
  
Actual results:
wait for the crash

Expected results:
nothing, it should just work

Additional info:
I found a lot of the different AVC denials in my computer. More than I could
imagine. I will file a different bug for that.
Comment 1 Matěj Cepl 2008-03-10 13:15:25 EDT
Created attachment 297465 [details]
/var/log/Xorg.0.log
Comment 2 Matěj Cepl 2008-03-10 13:16:12 EDT
Created attachment 297466 [details]
/etc/X11/xorg.conf
Comment 3 Matěj Cepl 2008-03-10 13:22:33 EDT
all-problems-with-selinux bug is bug 436820
Comment 4 Matěj Cepl 2008-03-10 13:25:04 EDT
Created attachment 297469 [details]
output of grep X /var/log/audit/audit.log

[matej@hubmaier ~]$ grep X /tmp/audit.log |wc -l
1594
[matej@hubmaier ~]$
Comment 5 Daniel Walsh 2008-03-10 13:31:33 EDT
So you boot the machine in permissive mode and then turn on enforcing?
Comment 6 Matěj Cepl 2008-03-11 10:36:30 EDT
yes, that's what i did. Now I have to stay in the permissive mode all the time.
Comment 9 Matěj Cepl 2008-03-11 17:53:08 EDT
What? computer or X? Computer works like a charm (THANKS!), but X doesn't.
Comment 10 Daniel Walsh 2008-03-11 19:30:09 EDT
What avc messages are you seeing?

Please attach audit.log.
Comment 11 Matěj Cepl 2008-03-11 19:52:50 EDT
see bug 436820 where the audit.log is attached as the attachment 297468 [details]
Comment 12 Daniel Walsh 2008-03-11 19:59:16 EDT
Could you please update to todays rawhide and see if you still have probems in
enforcing mode.
Comment 13 Matěj Cepl 2008-03-12 08:04:31 EDT
OK, it didn't crash, but currently I am in 14251 times AVC denied this (and
counting ;-)):

Summary:

SELinux is preventing init (init_t) "sendto" to
002F636F6D2F7562756E74752F757073746172742F33353436 (initrc_t).

Detailed Description:

SELinux denied access requested by init. It is not expected that this access is
required by init and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:init_t
Target Context                system_u:system_r:initrc_t
Target Objects                002F636F6D2F7562756E74752F757073746172742F33353436
                              [ unix_dgram_socket ]
Source                        init
Source Path                   <Unknown>
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-15.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz
                              2.6.25-0.113.rc5.git2.fc9 #1 SMP Tue Mar 11
                              22:33:43 EDT 2008 x86_64 x86_64
Alert Count                   13370
First Seen                    Wed 12 Mar 2008 12:52:49 CET
Last Seen                     Wed 12 Mar 2008 12:53:23 CET
Local ID                      cbc41da7-f5cc-42f4-9bd1-9c48be382efb
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1205322803.157:30035): avc:  denied
 { sendto } for  pid=1 comm="init"
path=002F636F6D2F7562756E74752F757073746172742F33353436
scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=unix_dgram_socket


Comment 14 Matěj Cepl 2008-03-12 08:08:00 EDT
And it really doesn't matter that I have switched (from gnome-terminal) SELinux
to Permissive -- 17700+, now actually most of the activity of the computer seems
to be consumed by setroubleshootd :-) Will try to relabel if that helps.
Comment 15 Daniel Walsh 2008-03-12 08:41:22 EDT
Grab selinux-policy-3.3.1-16.fc9 out of Koji when it finishes building and see
if that fixes your problem.
Comment 16 Adam Jackson 2008-03-12 16:56:56 EDT
I'm just going to flip x-selinux off by default for F9.

*** This bug has been marked as a duplicate of 436404 ***
Comment 17 Matěj Cepl 2008-03-13 13:18:59 EDT
(In reply to comment #15)
> Grab selinux-policy-3.3.1-16.fc9 out of Koji when it finishes building and see
> if that fixes your problem.

Yes, now it works -- I have Xorg in the Enforcing mode again. Thanks.

Note You need to log in before you can comment on or make changes to this bug.