Bug 504886 - SELinux Denials raised using live-installer on KDE
SELinux Denials raised using live-installer on KDE
Product: Fedora
Classification: Fedora
Component: LiveCD - KDE (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Sebastian Vahl
Depends On:
  Show dependency treegraph
Reported: 2009-06-09 18:28 EDT by Yaakov Nemoy
Modified: 2013-01-10 00:14 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-06-28 08:50:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
alert 1 (2.99 KB, text/plain)
2009-06-09 18:28 EDT, Yaakov Nemoy
no flags Details
alert 2 (3.91 KB, text/plain)
2009-06-09 18:29 EDT, Yaakov Nemoy
no flags Details

  None (edit)
Description Yaakov Nemoy 2009-06-09 18:28:25 EDT
Created attachment 347103 [details]
alert 1

Description of problem: SELinux Denials are thrown in the installer

This can be confusing to users.

Version-Release number of selected component (if applicable): Fedora 11 KDE Live Gold Release

How reproducible:
Haven't checked yet, first i want to install Fedora

Steps to Reproduce:
1. Boot up LiveCD, KDE 64-bit
2. Click on installer
3. Pick Dvorak keyboard layout
Actual results:
SELinux AVC denials popup

Expected results:
SELinux AVC denials shouldn't pop up at this stage, ever.

Additional info:
Denials attached.
Comment 1 Yaakov Nemoy 2009-06-09 18:29:12 EDT
Created attachment 347105 [details]
alert 2
Comment 2 Jeremy Katz 2009-06-10 09:46:27 EDT
It looks like there might be some mislabeling as things are created with the kde live image.  When anaconda execs loadkeys, we do close basically all the fds first (via a big huge hack that was done to work around anaconda leaking an fd to device-mapper stuff)
Comment 3 Ashok Gautham 2009-06-10 10:44:50 EDT
SummarySELinux is preventing loadkeys (loadkeys_t) "write" to /home/liveuser/.xsession-errors (user_home_t). Detailed Description[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]SELinux denied access requested by loadkeys. /home/liveuser/.xsession-errors may be a mislabeled. /home/liveuser/.xsession-errors default SELinux type is xdm_home_t, but its current type is user_home_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. Files created in a directory receive the file context of the parent directory by default. The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creates a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package.
Comment 4 Ricky Burgin 2009-09-05 14:21:04 EDT
I'd like to also add that this is happening for me in the following circumstance:

- It is on an Asus eee 901
- I am using a Gnome Rawhide Live CD image
- SELinux actually interrupts the installation before it can complete and causes an unhandled exception in Anaconda
- I am using the image released as of today

It doesn't seem limited to KDE images (I can't see why it would be).
Comment 5 Ricky Burgin 2009-09-05 14:32:00 EDT
... Apologies, I wasn't paying attention, please remove my posts.
Comment 6 Daniel Walsh 2009-09-08 18:34:28 EDT
This is a labeling problem.  If you bring this up in single user mode does the .xsession-errors file exist.  If it does then the livecd labeled it wrong.  If it does not, then some process not labeled xdm_t is creating the file with the wrong label.
Comment 7 Bug Zapper 2010-04-27 10:42:28 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 8 Bug Zapper 2010-06-28 08:50:08 EDT
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.