Bug 468704 - Multiple entries in dmesg from SELinux
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-27 11:21 EDT by Christopher D. Stover
Modified: 2008-10-29 13:26 EDT
Last Closed: 2008-10-29 13:26:35 EDT
Description Christopher D. Stover 2008-10-27 11:21:55 EDT
Description of problem: Upon bootup, playing music in Rhythmbox and using Firefox, I get messages from SELinux.  Please let me know if I should break any of these into a separate bug report.


Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-8.fc10

How reproducible:
Every time

Steps to Reproduce:
1. Boot computer
2. Play mp3s with Rhythmbox
3. Visit websites (Going to http://www.alsfamilyfarms.com/shopping/category.php/freshcitrus triggered the firefox messages once but it happens on multiple sites.)
  
Actual results:
I receive lots of avc messages

Expected results:
Receive no messages

Additional info:
type=1400 audit(1225111456.592:4): avc:  denied  { unlink } for  pid=2543 comm="gdm-binary" name="force-display-on-active-vt" dev=sda5 ino=188128 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file

type=1400 audit(1225111466.173:5): avc:  denied  { execmem } for  pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111466.272:6): avc:  denied  { execmem } for  pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111466.348:7): avc:  denied  { execmem } for  pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
SELinux:  Context system_u:object_r:user_gnome_home_t:s0 is not valid (left unmapped).
SELinux:  Context unconfined_u:object_r:user_gnome_home_t:s0 is not valid (left unmapped).

type=1400 audit(1225111481.030:8): avc:  denied  { execstack } for  pid=2882 comm="gnome-settings-" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

type=1400 audit(1225111490.860:9): avc:  denied  { execstack } for  pid=2994 comm="gnome-power-man" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111490.864:10): avc:  denied  { execstack } for  pid=2993 comm="mixer_applet2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111493.469:11): avc:  denied  { execstack } for  pid=2980 comm="pidgin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111514.104:12): avc:  denied  { execstack } for  pid=3036 comm="rhythmbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111539.991:13): avc:  denied  { execstack } for  pid=3085 comm="rhythmbox-metad" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
__ratelimit: 588 callbacks suppressed

type=1400 audit(1225111701.836:830): avc:  denied  { execstack } for  pid=3056 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Oct 27 08:54:01 localhost kernel: type=1400 audit(1225115641.041:1165): avc:  denied  { execstack } for  pid=3660 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Oct 27 08:58:01 localhost kernel: type=1400 audit(1225115881.197:1167): avc:  denied  { getattr } for  pid=4719 comm="updatedb" path="/home/Chris/.gnome2" dev=sda6 ino=104840 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Comment 1 Daniel Walsh 2008-10-27 15:34:55 EDT
Looks like you are using nvidia so you need to turn on the allow_execstack boolean

setsebool -P allow_execstack 1

gnome problem will be fixed by

restorecon -R -v ~/

gdm unlink error will be fixed by

restorecon -R -v /var/spool
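A small triage script for denials like the ones quoted in this report, added here as an example; it is not part of the bug, of selinux-policy, or of any audit tool. It parses kernel AVC records (with or without a syslog prefix), groups them, counts what the kernel's ratelimit dropped, notes contexts the loaded policy rejected, and sorts each group into the two remedies Comment 1 names (a boolean, or a relabel); that sorting is a heuristic of this example, not policy-tool output. The sample input is constructed from records in this report.

```python
import re
from collections import Counter

# One kernel AVC record; a syslog prefix ("Oct 27 08:54:01 localhost kernel: ") may precede it.
AVC_RE = re.compile(
    r'type=1400 audit\(\d+\.\d+:\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=\d+ '
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)')
SUPPRESSED_RE = re.compile(r'__ratelimit: (\d+) callbacks suppressed')
INVALID_RE = re.compile(r'SELinux:\s+Context (\S+) is not valid \(left unmapped\)')
EXEC_PERMS = {'execmem', 'execstack', 'execheap', 'execmod'}
FS_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}

def se_type(context):
    return context.split(':')[2]    # user:role:type[:range] -> type
def classify(perms, tclass):
    """Heuristic bucket mirroring Comment 1 (added here, not the output of any policy tool)."""
    if tclass == 'process' and perms & EXEC_PERMS:
        return 'boolean'    # e.g. setsebool -P allow_execstack 1
    if tclass in FS_CLASSES:
        return 'relabel'    # dry-run first: restorecon -n -v <path>, then restorecon -R -v
    return 'policy'         # neither fits; the policy itself needs a look
def triage(dmesg):
    """Count denials per (comm, perms, source type, target type, class, bucket)."""
    groups, suppressed, invalid = Counter(), 0, []
    for line in dmesg.splitlines():
        if m := AVC_RE.search(line):
            perms = frozenset(m['perms'].split())
            groups[(m['comm'], ' '.join(sorted(perms)), se_type(m['scontext']),
                    se_type(m['tcontext']), m['tclass'], classify(perms, m['tclass']))] += 1
        elif m := SUPPRESSED_RE.search(line):
            suppressed += int(m[1])   # the kernel dropped these; the log is incomplete here
        elif m := INVALID_RE.search(line):
            invalid.append(m[1])      # a label the loaded policy does not know: relabel it
    return groups, suppressed, invalid
# Constructed sample: six lines quoted in this report, the last one with its syslog prefix.
SAMPLE = """\
type=1400 audit(1225111456.592:4): avc:  denied  { unlink } for  pid=2543 comm="gdm-binary" name="force-display-on-active-vt" dev=sda5 ino=188128 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=1400 audit(1225111466.173:5): avc:  denied  { execmem } for  pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111466.272:6): avc:  denied  { execmem } for  pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
SELinux:  Context system_u:object_r:user_gnome_home_t:s0 is not valid (left unmapped).
__ratelimit: 588 callbacks suppressed
Oct 27 08:58:01 localhost kernel: type=1400 audit(1225115881.197:1167): avc:  denied  { getattr } for  pid=4719 comm="updatedb" path="/home/Chris/.gnome2" dev=sda6 ino=104840 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""
if __name__ == '__main__':
    groups, suppressed, invalid = triage(SAMPLE)
    for key, n in sorted(groups.items()):
        print(f'{n:3d}x {key[0]}: {key[1]} {key[2]} -> {key[3]} ({key[4]}) => {key[5]}')
    print(f'{suppressed} denials dropped by the ratelimit; unknown contexts: {invalid}')
```

The suppressed count matters: after "588 callbacks suppressed" the log no longer shows every denial, so a clean dmesg after a fix is only evidence once the ratelimit line stops appearing too.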
Comment 2 Christopher D. Stover 2008-10-28 11:49:55 EDT
Hi Daniel,
Thanks for your last reply.  Doing what you said cleared up most of my problems.  However, with allow_execstack checked as active in the selinux gui I'm still getting the following:

Oct 28 09:48:22 localhost kernel: type=1400 audit(1225205302.457:4): avc:  denied  { execmem } for  pid=2710 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
Oct 28 09:48:22 localhost kernel: type=1400 audit(1225205302.616:5): avc:  denied  { execmem } for  pid=2710 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
Oct 28 09:48:22 localhost kernel: type=1400 audit(1225205302.657:6): avc:  denied  { execmem } for  pid=2710 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process

Also, I'm curious as to why restorecon -R -v ~/ fixed my problem.  I think I've read something about moving files around causes the security contexts to get jumbled.  Can you give me a link to somewhere you've talked about this before or explained it?  Thanks!
Comment 3 Daniel Walsh 2008-10-29 13:26:35 EDT
I will change xdm to be able to execmem and execstack if allow_execstack boolean is turned on.


Fixed in selinux-policy-3.5.13-10.fc10

As for relabeling of the homedir: at some point in Rawhide we added a label for gnome directories in your home dir that we later changed, but the relabel never caught it in your home dir.


Similarly /var/spool/gdm got mislabeled.
