Bug 477781 - SELinux issues blocking start of X
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: xorg-x11-server
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
: SELinux
Reported: 2008-12-23 12:36 EST by Matěj Cepl
Modified: 2009-01-05 12:20 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-01-05 12:20:35 EST

Attachments
/var/log/Xorg.1.log (before the additional module) (37.15 KB, text/plain), 2008-12-23 12:36 EST, Matěj Cepl
/var/log/Xorg.0.log (with the additional module) (68.24 KB, text/plain), 2008-12-23 12:37 EST, Matěj Cepl
/var/log/audit/audit.log (3.12 MB, text/plain), 2008-12-23 12:44 EST, Matěj Cepl

Description Matěj Cepl 2008-12-23 12:36:58 EST
Created attachment 327760
/var/log/Xorg.1.log (before the additional module)

When trying to start X (either via telinit 5 or startx), it doesn't start, saying:

SELinux: Failed to set label property on window!

(The whole Xorg.1.log, which contains the message, is attached.)

This happens even in permissive mode! (Note to Dan -- this is NOT a staff_u user, just plain SELinux from the package with regular users.)

ausearch -m AVC -ts today |audit2allow

generates this:

[root@hubmaier ~]# ausearch -m AVC -ts today |audit2allow

#============= audisp_t ==============
allow audisp_t self:capability sys_nice;
allow audisp_t self:process setsched;

#============= auditd_t ==============
allow auditd_t anon_inodefs_t:file write;

#============= load_policy_t ==============
allow load_policy_t semanage_store_t:file { read getattr };

#============= postfix_master_t ==============
allow postfix_master_t var_lib_t:file { read write getattr lock };

#============= setroubleshootd_t ==============
allow setroubleshootd_t rpm_t:process signull;
allow setroubleshootd_t semanage_store_t:file read;

#============= sshd_t ==============
allow sshd_t unlabeled_t:dir { search getattr };
allow sshd_t unlabeled_t:file { read getattr open };

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:dir search;
allow system_dbusd_t NetworkManager_t:file { read open };
allow system_dbusd_t avahi_t:dir search;
allow system_dbusd_t avahi_t:file read;
allow system_dbusd_t consolekit_t:dir search;
allow system_dbusd_t consolekit_t:file read;
allow system_dbusd_t cupsd_t:dir search;
allow system_dbusd_t hald_t:dir search;
allow system_dbusd_t hald_t:file { read open };
allow system_dbusd_t initrc_t:dir search;
allow system_dbusd_t initrc_t:file { read open };
allow system_dbusd_t kerneloops_t:dir search;
allow system_dbusd_t kerneloops_t:file read;
allow system_dbusd_t local_login_t:dir search;
allow system_dbusd_t local_login_t:file read;
allow system_dbusd_t polkit_auth_t:dir search;
allow system_dbusd_t polkit_auth_t:file { read open };
allow system_dbusd_t rpm_script_t:dir search;
allow system_dbusd_t rpm_t:dir search;
allow system_dbusd_t rpm_t:file read;
allow system_dbusd_t setroubleshootd_t:dir search;
allow system_dbusd_t setroubleshootd_t:file read;
allow system_dbusd_t system_crond_t:dir search;
allow system_dbusd_t system_crond_t:file read;
allow system_dbusd_t unconfined_dbusd_t:dir search;
allow system_dbusd_t unconfined_dbusd_t:file read;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read open };
allow system_dbusd_t virtd_t:dir search;
allow system_dbusd_t virtd_t:file read;
allow system_dbusd_t xdm_t:dir search;
allow system_dbusd_t xdm_t:file read;
allow system_dbusd_t xserver_t:dir search;
allow system_dbusd_t xserver_t:file { read open };

#============= virtd_t ==============
allow virtd_t ifconfig_exec_t:file { read execute execute_no_trans };
allow virtd_t proc_t:filesystem mount;
allow virtd_t self:netlink_route_socket nlmsg_write;
allow virtd_t user_home_t:dir read;

I have generated this package with audit2allow:

module dbusFix 1.0;

require {
        type unconfined_t;
        type unconfined_dbusd_t;
        type kerneloops_t;
        type consolekit_t;
        type rpm_script_t;
        type setroubleshootd_t;
        type cupsd_t;
        type virtd_t;
        type local_login_t;
        type initrc_t;
        type hald_t;
        type rpm_t;
        type system_dbusd_t;
        type xdm_t;
        type avahi_t;
        class dir search;
        class file read;
}

#============= system_dbusd_t ==============
allow system_dbusd_t avahi_t:dir search;
allow system_dbusd_t avahi_t:file read;
allow system_dbusd_t consolekit_t:dir search;
allow system_dbusd_t consolekit_t:file read;
allow system_dbusd_t cupsd_t:dir search;
allow system_dbusd_t hald_t:dir search;
allow system_dbusd_t hald_t:file read;
allow system_dbusd_t initrc_t:dir search;
allow system_dbusd_t initrc_t:file read;
allow system_dbusd_t kerneloops_t:dir search;
allow system_dbusd_t kerneloops_t:file read;
allow system_dbusd_t local_login_t:dir search;
allow system_dbusd_t local_login_t:file read;
allow system_dbusd_t rpm_script_t:dir search;
allow system_dbusd_t rpm_t:dir search;

and Xorg then starts but without keyboard (that's Xorg.0.log).

Version of packages:
selinux-policy-targeted-3.5.13-35.fc10.noarch
xorg-x11-server-Xorg-1.5.3-6.fc10.i386
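To show what the ausearch | audit2allow step in the report actually does with the AVC records in audit.log, here is an added example (not part of the bug report or of the audit2allow tool) that parses constructed AVC denial lines modelled on the types above, groups them by source type, target type and object class, and renders audit2allow-style allow rules; the audit lines, PIDs and inode numbers are made up, and each rendered rule widens policy, so it is the unit a reviewer should judge before building a module from it.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format (not taken from the
# attached audit.log); the last line is a non-AVC record the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1230053000.101:301): avc:  denied  { search } for  pid=2121 comm="dbus-daemon" name="2310" dev=proc ino=19999 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir
type=AVC msg=audit(1230053000.102:302): avc:  denied  { read } for  pid=2121 comm="dbus-daemon" name="cmdline" dev=proc ino=20000 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=file
type=AVC msg=audit(1230053000.103:303): avc:  denied  { open } for  pid=2121 comm="dbus-daemon" name="cmdline" dev=proc ino=20000 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=file
type=AVC msg=audit(1230053000.104:304): avc:  denied  { sys_nice } for  pid=1500 comm="audispd" capability=23 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability
type=AVC msg=audit(1230053000.105:305): avc:  denied  { read getattr } for  pid=1600 comm="load_policy" name="file_contexts" dev=dm-0 ino=30001 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:semanage_store_t:s0 tclass=file
type=SYSCALL msg=audit(1230053000.105:305): arch=40000003 syscall=5 success=yes exit=3
"""

# One AVC denial: the permission set in braces, then the source/target contexts and class.
AVC_RE = re.compile(
    r'^type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type component (user:role:TYPE[:range]) of an SELinux context."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one audit.log line; return None for anything that is not an AVC denial."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {'stype': context_type(m['scontext']), 'ttype': context_type(m['tcontext']),
            'tclass': m['tclass'], 'perms': m['perms'].split()}

def collect_rules(log_text):
    """Merge denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules

def render_rules(rules):
    """Render rules in audit2allow syntax: 'self' for same-type targets, braces for sets."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return out

if __name__ == '__main__':
    print('\n'.join(render_rules(collect_rules(SAMPLE_AUDIT_LOG))))
```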
Comment 1 Matěj Cepl 2008-12-23 12:37:31 EST
Created attachment 327761
/var/log/Xorg.0.log (with the additional module)
Comment 2 Matěj Cepl 2008-12-23 12:44:01 EST
Created attachment 327762
/var/log/audit/audit.log
Comment 3 Matěj Cepl 2008-12-23 12:45:02 EST
I don't totally discard the possibility that there is something very broken with my computer, but I have no idea what.

I will take the liberty of calling my bug triaged ;-).
Comment 4 Peter Hutterer 2008-12-23 18:19:06 EST
Wait. The log says "X.Org X Server 1.5.99.3". This is the rawhide X server, yet you say it's supposed to be package xorg-x11-server-Xorg-1.5.3-6.fc10.i386.
Comment 5 Daniel Walsh 2008-12-24 05:45:34 EST
I don't know what policy you have, but most of these are in policy 35 on F10. It also looks to me like you have a partially upgraded rawhide system.
Comment 6 Matěj Cepl 2009-01-05 12:03:29 EST
(In reply to comment #4)
> wait. the log says "X.Org X Server 1.5.99.3". This is the rawhide X server, yet
> you say it's supposed to be package xorg-x11-server-Xorg-1.5.3-6.fc10.i386.

???

[matej@hubmaier ~]$ rpm -q xorg-x11-server-Xorg
xorg-x11-server-Xorg-1.5.99.3-5.fc11.x86_64
[matej@hubmaier ~]$
Comment 7 Matěj Cepl 2009-01-05 12:20:35 EST
Upgraded everything, restarted, and now it works. No idea what has changed.
