Bug 442139 - AVC errors modifying X settings
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-display
Version: rawhide
Hardware: x86_64 Linux
Priority: low
Severity: low
Assigned To: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Blocks: F9Blocker
Reported: 2008-04-11 20:23 EDT by John Poelstra
Modified: 2008-04-20 18:39 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-20 18:39:04 EDT
Description John Poelstra 2008-04-11 20:23:02 EDT
Description of problem:
see alert message from attempting to change screen resolution.  created a new
user when reproducing to verify that problem wasn't stale home dir file.

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux | sort
libselinux-2.0.61-1.fc9.i386
libselinux-2.0.61-1.fc9.x86_64
libselinux-python-2.0.61-1.fc9.x86_64
selinux-policy-3.3.1-33.fc9.noarch
selinux-policy-targeted-3.3.1-33.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. attempt to change screen resolution
2. attempt fails
3. attempt to write to changes and error fails
  

Summary:

SELinux is preventing the Xorg from using potentially mislabeled files
(/home/goofball/.xsession-errors).

Detailed Description:

SELinux has denied Xorg access to potentially mislabeled file(s)
(/home/goofball/.xsession-errors). This means that SELinux will not allow Xorg
to use these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want Xorg to access this files, you need to relabel them using restorecon
-v '/home/goofball/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/home/goofball'.

Additional Information:

Source Context                unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/goofball/.xsession-errors [ file ]
Source                        Xorg
Source Path                   /usr/bin/Xorg
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-33.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25-0.218.rc8.git7.fc9.x86_64 #1 SMP Wed Apr 9
                              19:55:19 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 11 Apr 2008 05:13:31 PM PDT
Last Seen                     Fri 11 Apr 2008 05:13:31 PM PDT
Local ID                      c76c1925-ae25-4b43-a569-3dd82f6e9066
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied 
{ append } for  pid=2965 comm="Xorg" path="/home/goofball/.xsession-errors"
dev=sdb1 ino=27459599
scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied 
{ read write } for  pid=2965 comm="Xorg" path="/var/log/Xorg.setup.log" dev=sda5
ino=9785 scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1207959211.814:15):
arch=c000003e syscall=59 success=yes exit=0 a0=1114a20 a1=1195050
a2=7fff2c935620 a3=7fff2c934880 items=0 ppid=2964 pid=2965 auid=501 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="Xorg"
exe="/usr/bin/Xorg" subj=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
key=(null)
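
The raw audit messages above are easier to read once the wrapped lines are rejoined and each AVC record is paired with the SYSCALL record that shares its event ID. The following is an added example, not part of the original report or of setroubleshoot; the function names are illustrative, and the one-entry syscall table relies on 59 being execve on x86_64.

```python
import re

# Audit event 1207959211.814:15, copied from the report above with the
# tracker's hard line wraps left in place.
RAW = '''
host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied
{ append } for  pid=2965 comm="Xorg" path="/home/goofball/.xsession-errors"
dev=sdb1 ino=27459599
scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc:  denied
{ read write } for  pid=2965 comm="Xorg" path="/var/log/Xorg.setup.log" dev=sda5
ino=9785 scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1207959211.814:15):
arch=c000003e syscall=59 success=yes exit=0 a0=1114a20 a1=1195050
a2=7fff2c935620 a3=7fff2c934880 items=0 ppid=2964 pid=2965 auid=501 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="Xorg"
exe="/usr/bin/Xorg" subj=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023
key=(null)
'''
X86_64_SYSCALLS = {59: "execve"}  # only the number this event uses

def parse_records(text):
    """Rejoin wrapped lines and return one dict per audit record."""
    flat = " ".join(text.split())
    records = []
    for chunk in filter(None, re.split(r"(?=host=\S+ type=)", flat)):
        rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', chunk)}
        rec["event"] = re.search(r"audit\(([\d.]+:\d+)\)", chunk).group(1)
        rec["perms"] = " ".join(re.findall(r"\{ ([^}]*) \}", chunk)).split()
        records.append(rec)
    return records

def denials(records):
    """Pair each AVC denial with the SYSCALL record of the same event."""
    calls = {r["event"]: r for r in records if r["type"] == "SYSCALL"}
    out = []
    for r in (r for r in records if r["type"] == "AVC"):
        call = calls.get(r["event"], {})
        out.append((r["scontext"].split(":")[2], r["perms"],
                    r["tcontext"].split(":")[2], r["path"],
                    X86_64_SYSCALLS.get(int(call.get("syscall", -1)), "?")))
    return out

for row in denials(parse_records(RAW)):
    print(row)
```

Both rows resolve to `execve`, so the two denials were logged while `/usr/bin/Xorg` was being executed.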
Comment 1 Daniel Walsh 2008-04-14 09:07:18 EDT
system-config-display is creating the log file without the correct context. 
After it creates the file it should run restorecon on the file.

I will fix the output to .xsession in the next policy update.
Comment 2 Daniel Walsh 2008-04-15 09:43:36 EDT
This is a bug in system-config-display creation of the log files.
Comment 3 Bill Nottingham 2008-04-17 15:58:26 EDT
How is it supposed to create the log file?
Comment 4 Jeremy Katz 2008-04-18 13:54:01 EDT
John -- how were you changing the resolution?  This is looking fine to me with
the PR livecd
Comment 5 John Poelstra 2008-04-18 13:58:00 EDT
system-config-display

I'll do a fresh re-install and see what happens
Comment 6 John Poelstra 2008-04-20 18:39:04 EDT
No AVC errors, but changing resolution is still broken in that you can change to
a lower resolution, but when you go to change it back to the higher resolution it
is no longer an option.  Since AVC was root cause for this bug I'll open a new bug.