437126 – SELinux is preventing Xorg (xdm_xserver_t) "compute_av"

Bug 437126 - SELinux is preventing Xorg (xdm_xserver_t) "compute_av"

Summary: SELinux is preventing Xorg (xdm_xserver_t) "compute_av"

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-03-12 15:34 UTC by Joachim Frieben
Modified:	2008-03-17 19:39 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-03-17 19:39:54 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Joachim Frieben 2008-03-12 15:34:10 UTC

Description of problem:
Repeated complaints that "SELinux is preventing Xorg (xdm_xserver_t)
"compute_av" to <Unknown> (security_t)."

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-12.fc9

How reproducible:
Frequently.

Steps to Reproduce:
1. Log in to GNOME session.
2. Launch epiphany or perform similar action.
  
Actual results:
setroubleshoot applet comes up with an alert bubble.

Expected results:
Nothing.

Additional info:
Summary
SELinux is preventing Xorg (xdm_xserver_t) "compute_create" to <Unknown>
(security_t).

Detailed Description
SELinux denied access requested by Xorg. It is not expected that this
access is required by Xorg and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information
Source Context:  system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:security_t:s0
Target Objects:  None [ security ]
Source:  Xorg
Source Path:  /usr/bin/Xorg
Port:  <Unknown>
Host:  fedora
Source RPM Packages:  xorg-x11-server-Xorg-1.4.99.901-1.20080307.fc9
Target RPM Packages:
Policy RPM:  selinux-policy-3.3.1-12.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall
Host Name:  fedora
Platform:  Linux fedora 2.6.25-0.107.rc5.fc9 #1 SMP Tue Mar 11
           08:07:35 EDT 2008 x86_64 x86_64
Alert Count:  2
First Seen:  Wed 12 Mar 2008 04:22:15 PM CET
Last Seen:  Wed 12 Mar 2008 04:25:03 PM CET
Local ID:  568d8c72-2b35-4b4b-9fa7-883746dc4f71
Line Numbers:
Raw Audit Messages :host=fedora type=AVC msg=audit(1205335503.1:221):
avc: denied { compute_create } for pid=2407 comm="Xorg"
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=security host=fedora
type=SYSCALL msg=audit(1205335503.1:221): arch=c000003e syscall=1
success=yes exit=78 a0=36 a1=25aca70 a2=4e a3=0 items=0 ppid=2406
pid=2407 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="Xorg" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-03-17 19:39:54 UTC

We have turned off xselinux by default in Rawhide/FC9 Beta.

You need to boot in enforcing mode to make it work correctly.

Note You need to log in before you can comment on or make changes to this bug.