Bug 440704 - SELinux - problem by trying to change Gnome's keyboard layout
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-04 11:16 EDT by Gianluca Varisco
Modified: 2015-10-25 21:06 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-06 07:05:03 EDT
Description Gianluca Varisco 2008-04-04 11:16:08 EDT
Description of problem:

"SELinux has denied loadkeys access to potentially mislabeled file(s)
(/home/gvarisco/.xsession-errors). This means that SELinux will not allow
loadkeys to use these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which confined
applications are not allowed to access. "


Version-Release number of selected component (if applicable):

selinux-policy-3.3.1-26.fc9.noarch
selinux-policy-targeted-3.3.1-26.fc9.noarch


Steps to Reproduce:
1. Launch System-Administration-Keyboard
2. Select your keyboard's layout and click OK
3. An AVC denial will appear by showing this SELinux report.
  
Actual results:

SELinux is preventing the loadkeys from using potentially mislabeled files
(/home/gvarisco/.xsession-errors).

Detailed Description:

SELinux has denied loadkeys access to potentially mislabeled file(s)
(/home/gvarisco/.xsession-errors). This means that SELinux will not allow
loadkeys to use these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which confined
applications are not allowed to access.


Additional Information:

Source Context                unconfined_u:unconfined_r:loadkeys_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:object_r:user_home_t
Target Objects                /home/gvarisco/.xsession-errors [ file ]
Source                        loadkeys
Source Path                   /bin/loadkeys
Port                          <Unknown>
Host                          devbox
Source RPM Packages           kbd-1.12-31.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     devbox
Platform                      Linux devbox 2.6.25-0.185.rc7.git6.fc9.i686 #1 SMP
                              Tue Apr 1 13:48:40 EDT 2008 i686 i686
Alert Count                   6
First Seen                    Fri 04 Apr 2008 05:01:14 PM CEST
Last Seen                     Fri 04 Apr 2008 05:03:01 PM CEST
Local ID                      19c80ae3-8898-4cd1-8e71-9a4894228bfb
Line Numbers                  

Raw Audit Messages            

host=devbox type=AVC msg=audit(1207321381.811:39): avc:  denied  { read append }
for  pid=2882 comm="loadkeys" path="/home/gvarisco/.xsession-errors" dev=dm-1
ino=139274 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=devbox type=AVC msg=audit(1207321381.811:39): avc:  denied  { read append }
for  pid=2882 comm="loadkeys" path="/home/gvarisco/.xsession-errors" dev=dm-1
ino=139274 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=devbox type=SYSCALL msg=audit(1207321381.811:39): arch=40000003 syscall=11
success=yes exit=0 a0=9964bb0 a1=95ee688 a2=bf99aee0 a3=9454c70 items=0
ppid=2767 pid=2882 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1 comm="loadkeys" exe="/bin/loadkeys"
subj=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 key=(null)

Many thanks for your help ;-)
Comment 1 Daniel Walsh 2008-04-06 07:05:03 EDT
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9
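
Added example, not part of the bug report or of Comment 1 and not audit2allow's own code: a Python sketch that turns the AVC record from this report into the type-enforcement rule a local module would grant, so the rule can be reviewed before loading. Feeding the whole of audit.log into a module also picks up unrelated denials; the second record, with its `example_t` type and `/tmp/example` path, is constructed to show that, and `denials_to_rules` with its `comm` filter is a hypothetical helper.

```python
import re
from collections import defaultdict

# AVC record copied from the report above, with its line wraps joined.
LOADKEYS_AVC = (
    'host=devbox type=AVC msg=audit(1207321381.811:39): avc:  denied  { read append } '
    'for  pid=2882 comm="loadkeys" path="/home/gvarisco/.xsession-errors" dev=dm-1 '
    'ino=139274 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')
# Constructed record (hypothetical domain) standing in for an unrelated denial in the log.
OTHER_AVC = (
    'host=devbox type=AVC msg=audit(1207321400.000:40): avc:  denied  { getattr } '
    'for  pid=3001 comm="example" path="/tmp/example" dev=dm-1 ino=1 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file')
# The report lists the loadkeys record twice, so the sample does too.
SAMPLE_AUDIT = "\n".join([LOADKEYS_AVC, LOADKEYS_AVC, OTHER_AVC])

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def denials_to_rules(audit_text, comm=None):
    """Merge AVC denials into allow rules; optionally keep only one command's denials."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line) if 'type=AVC' in line else None
        if m is None or (comm is not None and m['comm'] != comm):
            continue
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        grouped[key].update(m['perms'].split())  # duplicate records collapse here
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("whole log:     ", denials_to_rules(SAMPLE_AUDIT))
    print("loadkeys only: ", denials_to_rules(SAMPLE_AUDIT, comm="loadkeys"))
```

The same narrowing can be done with the real tools by selecting records first, for example `ausearch -c loadkeys --raw | audit2allow -M mypol`, and reading the generated `mypol.te` before running `semodule -i`.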
