Bug 520022 - [KDE Live] setroubleshoot: SELinux is preventing loadkeys (loadkeys_t) "write" /home/liveuser/.xsession-errors (user_home_t).
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Sebastian Vahl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:0fb2c415c4e...
Depends On:
Reported: 2009-08-28 02:59 UTC by Eric Springer
Modified: 2013-01-10 05:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-05 06:32:18 UTC
Type: ---


Description Eric Springer 2009-08-28 02:59:51 UTC
The following was filed automatically by setroubleshoot:


SELinux is preventing loadkeys (loadkeys_t) "write"
/home/liveuser/.xsession-errors (user_home_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by the loadkeys command. It looks like this is
either a leaked descriptor or loadkeys output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /home/liveuser/.xsession-errors. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ

Additional Information:

Source Context                unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c102
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/liveuser/.xsession-errors [ file ]
Source                        loadkeys
Source Path                   /bin/loadkeys
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kbd-1.15-7.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31- #1 SMP Tue
                              Aug 11 21:00:45 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 28 Aug 2009 02:59:21 AM EDT
Last Seen                     Fri 28 Aug 2009 02:59:21 AM EDT
Local ID                      51885092-82e2-4dda-abb0-ecbd2083f1bc
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1251442761.371:29422): avc:  denied  { write } for  pid=2972 comm="loadkeys" path="/home/liveuser/.xsession-errors" dev=dm-0 ino=86475 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1251442761.371:29422): avc:  denied  { read write } for  pid=2972 comm="loadkeys" path="/dev/mapper/control" dev=tmpfs ino=1925 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1251442761.371:29422): arch=c000003e syscall=59 success=yes exit=0 a0=32d4660 a1=3426cf0 a2=2a8f160 a3=7fff2e820d80 items=0 ppid=2840 pid=2972 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="loadkeys" exe="/bin/loadkeys" subj=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= loadkeys_t ==============
allow loadkeys_t lvm_control_t:chr_file { read write };
allow loadkeys_t user_home_t:file write;
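
Added example, not part of the original report or of setroubleshoot: a small Python triage of the raw audit records above that pairs each AVC denial with the SYSCALL record of the same audit event. Treating read/write denials logged during a successful x86_64 execve (arch=c000003e, syscall=59) as checks on inherited descriptors is a heuristic assumed here, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# The three raw audit records from this report, trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1251442761.371:29422): avc:  denied  { write } for  pid=2972 comm="loadkeys" path="/home/liveuser/.xsession-errors" scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1251442761.371:29422): avc:  denied  { read write } for  pid=2972 comm="loadkeys" path="/dev/mapper/control" scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1251442761.371:29422): arch=c000003e syscall=59 success=yes exit=0 pid=2972 comm="loadkeys" exe="/bin/loadkeys"
"""

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
AVC = re.compile(r'denied\s+\{ ([^}]+) \}.*?path="([^"]+)".*?scontext=[^:]+:[^:]+:([^:]+):\S+'
                 r' tcontext=[^:]+:[^:]+:([^:]+):\S+ tclass=(\w+)')
EXECVE = re.compile(r'arch=c000003e syscall=59 success=yes')  # execve on x86_64
FD_PERMS = {"read", "write", "append"}  # permissions checked on an already-open fd


def triage(log):
    """Group records by audit event id and label each AVC denial (heuristic)."""
    avcs, execve_events = defaultdict(list), set()
    for line in log.splitlines():
        head = EVENT.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        if rtype == "AVC" and (m := AVC.search(line)):
            avcs[event_id].append(m.groups())
        elif rtype == "SYSCALL" and EXECVE.search(line):
            execve_events.add(event_id)
    findings = []
    for event_id, denials in avcs.items():
        for perms, path, stype, ttype, tclass in denials:
            # Denied during exec of the new domain: the fd was inherited, not opened.
            inherited = event_id in execve_events and set(perms.split()) <= FD_PERMS
            findings.append({
                "path": path,
                "verdict": "inherited-fd" if inherited else "direct-access",
                # audit2allow-style rule, shown for review rather than for loading
                "rule": f"allow {stype} {ttype}:{tclass} {{ {perms} }};",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["verdict"]:14} {f["path"]}  ->  {f["rule"]}')
```

Both denials in this report come out as inherited-fd, which matches the "leaks" plugin named in the report: the question to answer is who handed loadkeys those descriptors and how the target file is labeled, not whether to load the allow rules.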

Comment 1 Daniel Walsh 2009-08-28 13:07:05 UTC
This is a mislabeled file.


Something is either wrong with the livecd builder, if this file exists before the first login, or the login program that created it is not running under the correct context.

The second AVC is caused by a leak in some program opening /dev/mapper/control.  Maybe initrd?

Comment 2 Daniel Walsh 2009-08-28 13:26:42 UTC
On the livecd, is everything on a single partition?

Comment 3 Matthias Clasen 2009-09-02 13:53:03 UTC
Looking at a live cd here:

/tmp, /var/tmp and /var/cache/yum are tmpfs but the rest of / appears to be a single partition.

Comment 4 Daniel Walsh 2009-09-08 10:07:41 UTC
If you bring up the livecd in single user mode, does the /home/liveuser/.xsession-errors file exist?  If yes, then there is a problem with the label built by livecd.  If not, then the program that is creating .xsession-errors is not running as xdm_t, which would transition the file to the right context.

Comment 5 Matthias Clasen 2009-10-02 02:29:26 UTC
If you bring the livecd up in single-user mode, the entire liveuser homedir is not there, since that user is created in /etc/init.d/livesys.

Comment 6 Daniel Walsh 2009-10-02 11:30:10 UTC
OK, does this script create the .xsession-errors file?  Does it run a restorecon after it sets up the user's homedir?

Comment 7 Matthias Clasen 2009-10-03 00:42:34 UTC
The script calls useradd to create the user.
.xsession-errors is created by gnome-session when you log in.

Comment 8 Eric Springer 2009-10-03 03:37:15 UTC
For what it's worth, this error was generated by the KDE live CD.

Comment 9 Matthias Clasen 2009-10-03 04:26:29 UTC
Oh, in that case, I can't answer the question.

Comment 10 Matthias Clasen 2009-10-03 16:11:07 UTC
Moving to kdebase, which seems closer to the problem then.

Comment 11 Kevin Kofler 2009-10-03 16:13:34 UTC
Reassigning to Sebastian Vahl, the KDE Live CD maintainer.

Comment 12 Sebastian Vahl 2009-10-06 14:34:24 UTC
I cannot reproduce this problem, so I don't know what to do here. The kickstart
of the KDE live images only creates some files inside the home directory and
chowns them to the liveuser. Maybe adding a simple 'restorecon -R
/home/liveuser' after it fixes this? It would be the last line in
/etc/init.d/livesys then and probably won't hurt.

@Reporter: When does this SELinux error appear? Right after login/boot?

Comment 13 Tony White 2009-10-06 14:37:22 UTC
Happening here on x86 Linux.

Comment 14 Eric Springer 2009-10-06 22:00:03 UTC
It was one of several SELinux errors I got when using the alpha live CD, so I can't remember the details or any triggering conditions. When the beta comes out, I'll also give it a go and report if it still comes up.

Comment 15 Bug Zapper 2009-11-16 11:47:18 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:

Comment 16 Steven M. Parrish 2009-11-19 20:31:57 UTC
This bug has been triaged

Comment 18 Bug Zapper 2010-11-04 10:19:49 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Comment 19 Bug Zapper 2010-12-05 06:32:18 UTC
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
