Description of problem:
When trying to change the keyboard layout with `sudo system-config-keyboard` I get a SELinux denial after clicking 'OK'.

Version-Release number of selected component (if applicable):
- Fedora 10 S3 (installed from KDE LiveCD-ISO on USB-key), updated to latest rawhide
- selinux-policy-3.5.13-8.fc10.noarch

How reproducible:
Always.

Steps to Reproduce:
1. `sudo system-config-keyboard`
2. choose layout (I used Swiss German)
3. click 'OK'

Actual results:
SELinux denial

Expected results:
No SELinux denial

Additional info:
/home/red_alert is my homedir (~). I've also been in my ~ when starting system-config-keyboard.

---------------

Summary:

SELinux is preventing loadkeys (loadkeys_t) "read" to ./red_alert (user_home_dir_t).

Detailed Description:

SELinux denied access requested by loadkeys. It is not expected that this access is required by loadkeys and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./red_alert,

restorecon -v './red_alert'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_dir_t:s0
Target Objects                ./red_alert [ dir ]
Source                        loadkeys
Source Path                   /bin/loadkeys
Port                          <Unknown>
Host                          nebuchadnezzar
Source RPM Packages           kbd-1.12-31.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-8.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     nebuchadnezzar
Platform                      Linux nebuchadnezzar 2.6.27.4-51.fc10.i686 #1 SMP Sun Oct 26 21:04:43 EDT 2008 i686 i686
Alert Count                   5
First Seen                    Wed 29 Oct 2008 10:19:10 PM CET
Last Seen                     Wed 29 Oct 2008 10:19:10 PM CET
Local ID                      81c2aea8-34d4-42cc-966d-b94b37833071
Line Numbers

Raw Audit Messages

node=nebuchadnezzar type=AVC msg=audit(1225315150.229:51): avc: denied { read } for pid=3913 comm="loadkeys" name="red_alert" dev=dm-1 ino=131087 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

node=nebuchadnezzar type=SYSCALL msg=audit(1225315150.229:51): arch=40000003 syscall=5 success=no exit=-13 a0=8055aa7 a1=98800 a2=805ea80 a3=0 items=0 ppid=3908 pid=3913 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="loadkeys" exe="/bin/loadkeys" subj=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 key=(null)

I explained the problem on #fedora-devel and wwoods was able to reproduce it. He also mentioned that he's getting the denial 7 times which could mean that system-config-keyboard wants to set the new layout on every existing VT. I seem to have 5 VT (tty[2-6], tty1 has just a blinking cursor, no VT for some reason) and I get the denial 5 times, too - confirming wwoods' theory.

loadkeys is trying to read the current working directory, from which it is launched. If you cd / and then run system-config-keyboard, do you get these avcs?

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-12.fc10
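
An added example, not part of the original report and not audit2allow's own code: a small Python parser that pairs the AVC and SYSCALL records from the report by audit event id and prints the allow rule a local module built from this denial would carry, so the rule can be reviewed before anything is loaded with semodule. The function names and the rule formatting are assumptions of this sketch.

```python
import re
from collections import defaultdict

# The two raw audit records from the report above (one event: AVC + SYSCALL).
RAW = '''node=nebuchadnezzar type=AVC msg=audit(1225315150.229:51): avc: denied { read } for pid=3913 comm="loadkeys" name="red_alert" dev=dm-1 ino=131087 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
node=nebuchadnezzar type=SYSCALL msg=audit(1225315150.229:51): arch=40000003 syscall=5 success=no exit=-13 a0=8055aa7 a1=98800 a2=805ea80 a3=0 items=0 ppid=3908 pid=3913 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="loadkeys" exe="/bin/loadkeys" subj=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_events(text):
    """Group audit records by event id (timestamp, serial) and record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rtype, stamp, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        if rtype == "AVC":
            denied = DENIED.search(line)
            if not denied:
                continue  # granted or malformed AVC, nothing to review
            fields["perms"] = denied.group(1).split()
        events[(stamp, serial)][rtype] = fields
    return dict(events)

def proposed_rules(events):
    """Allow rules a local module built from these denials would carry."""
    rules = set()
    for records in events.values():
        avc = records.get("AVC")
        if avc:
            rules.add("allow %s %s:%s { %s };" % (
                sel_type(avc["scontext"]), sel_type(avc["tcontext"]),
                avc["tclass"], " ".join(sorted(avc["perms"]))))
    return sorted(rules)

if __name__ == "__main__":
    for rule in proposed_rules(parse_events(RAW)):
        print(rule)
```

Repeated denials for the same source type, target type, class and permission collapse into one rule, so the five alerts in the report would still yield a single line to review.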