Red Hat Bugzilla – Bug 504886
SELinux Denials raised using live-installer on KDE
Last modified: 2013-01-10 00:14:29 EST
Created attachment 347103 [details]
Description of problem: SELinux Denials are thrown in the installer
This can be confusing to users.
Version-Release number of selected component (if applicable): Fedora 11 KDE Live Gold Release
Haven't checked yet, first I want to install Fedora
Steps to Reproduce:
1. Boot up LiveCD, KDE 64-bit
2. Click on installer
3. Pick Dvorak keyboard layout
SELinux AVC denials popup
SELinux AVC denials shouldn't pop up at this stage, ever.
Created attachment 347105 [details]
It looks like there might be some mislabeling as things are created with the kde live image. When anaconda execs loadkeys, we do close basically all the fds first (via a big huge hack that was done to work around anaconda leaking an fd to device-mapper stuff).
Summary

SELinux is preventing loadkeys (loadkeys_t) "write" to /home/liveuser/.xsession-errors (user_home_t).

Detailed Description

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by loadkeys. /home/liveuser/.xsession-errors may be a mislabeled. /home/liveuser/.xsession-errors default SELinux type is xdm_home_t, but its current type is user_home_t. Changing this file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

- Files created in a directory receive the file context of the parent directory by default.
- The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creates a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
- Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package.
I'd like to also add that this is happening for me in the following circumstance:
- It is on an Asus eee 901
- I am using a Gnome Rawhide Live CD image
- SELinux actually interrupts the installation before it can complete and causes an unhandled exception in Anaconda
- I am using the image released as of today
It doesn't seem limited to KDE images (I can't see why it would be).
... Apologies, I wasn't paying attention, please remove my posts.
This is a labeling problem. If you bring this up in single user mode, does the .xsession-errors file exist? If it does, then the livecd labeled it wrong. If it does not, then some process not labeled xdm_t is creating the file with the wrong label.
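One way to run the check described in the comment above, as an added shell example that is not part of the original bug thread. The function names are hypothetical, the sample contexts in the demo line are constructed (only the two types come from the denial report), and check_path assumes an SELinux-enabled system with GNU stat and matchpathcon installed.

```shell
#!/bin/sh
# Added example: compare a file's current SELinux type with the policy default.

# Print the type field of a context string (user:role:type[:level]).
# The level can itself contain colons (s0:c0.c1023), so take field 3 only.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a current and a default context by type.
# Prints a verdict; returns 1 when the types differ.
compare_labels() {
    cl_cur=$(context_type "$2")
    cl_def=$(context_type "$3")
    if [ "$cl_cur" = "$cl_def" ]; then
        echo "OK $1 $cl_cur"
    else
        echo "MISLABELED $1 current=$cl_cur default=$cl_def"
        return 1
    fi
}

# Live check. Run it in single user mode to separate the two cases:
#   file present and MISLABELED -> the image shipped it with the wrong label
#   file ABSENT                 -> something creates it later, at session time
check_path() {
    if [ ! -e "$1" ]; then
        echo "ABSENT $1"
        return 2
    fi
    cp_cur=$(stat -c %C "$1") || return 3        # label on disk
    cp_def=$(matchpathcon -n "$1") || return 3   # label the policy expects
    compare_labels "$1" "$cp_cur" "$cp_def"
}

# Demo on constructed contexts using the two types from the denial report.
compare_labels /home/liveuser/.xsession-errors \
    'unconfined_u:object_r:user_home_t:s0' \
    'system_u:object_r:xdm_home_t:s0' || true
```

On a live system, call check_path /home/liveuser/.xsession-errors; a MISLABELED file can be reset to the policy default with restorecon -v.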
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '11'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 11's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 11 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.