Bug 570306 - SELinux is preventing /usr/bin/gnome-session "write" access on .ICE-unix.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:c5e551bd0be...
Duplicates: 575072
Depends On:
Blocks:
Reported: 2010-03-03 20:14 UTC by Dario Castellarin
Modified: 2010-08-14 16:54 UTC (History)
CC List: 85 users

Fixed In Version: selinux-policy-3.6.32-103.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-20 03:31:22 UTC
Type: ---
Embargoed:


Attachments
List of running services from chkconfig (1.99 KB, text/plain), 2010-03-09 20:25 UTC, Robert Nichols
List of active services (2.02 KB, text/plain), 2010-03-09 22:57 UTC, Dario Castellarin
List of running services (from chkconfig) (812 bytes, text/plain), 2010-03-12 08:43 UTC, Cristian Ciupitu

Description Dario Castellarin 2010-03-03 20:14:05 UTC
I see this at every boot


Summary:

SELinux is preventing /usr/bin/gnome-session "write" access on .ICE-unix.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gnome-session. It is not expected that this
access is required by gnome-session and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                .ICE-unix [ dir ]
Source                        gnome-session
Source Path                   /usr/bin/gnome-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-session-2.28.0-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-97.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64 #1 SMP
                              Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    mer 03 mar 2010 21:11:11 CET
Last Seen                     mer 03 mar 2010 21:11:11 CET
Local ID                      ea8d1d50-a695-4ab7-917c-367890b1c088
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1267647071.678:11809): avc:  denied  { write } for  pid=2051 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=14 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1267647071.678:11809): avc:  denied  { add_name } for  pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1267647071.678:11809): avc:  denied  { create } for  pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1267647071.678:11809): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7fff6ed93e50 a2=15 a3=ffffffed items=0 ppid=1590 pid=2051 auid=4294967295 uid=42 gid=479 euid=42 suid=42 fsuid=42 egid=479 sgid=479 fsgid=479 tty=(none) ses=4294967295 comm="gnome-session" exe="/usr/bin/gnome-session" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,gnome-session,xdm_t,initrc_tmp_t,dir,write
audit2allow suggests:

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# xdm_home_t, pam_var_console_t, pcscd_var_run_t, var_lock_t, xkb_var_lib_t, xdm_rw_etc_t, root_t, tmp_t, var_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t, var_lib_t, var_run_t, user_tmp_t, xdm_tmp_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, nfs_t, root_t

allow xdm_t initrc_tmp_t:dir { write add_name };
allow xdm_t initrc_tmp_t:sock_file create;

Comment 1 Daniel Walsh 2010-03-04 13:04:26 UTC
Are you using freenx?

Comment 2 Dario Castellarin 2010-03-04 14:24:38 UTC
(In reply to comment #1)
> Are you using freenx?    

No. vnc (vino+vinagre) sometimes.

Comment 3 Daniel Walsh 2010-03-04 15:09:05 UTC
But this is your desktop machine?

restorecon -R -v /tmp/.ICE-unix

Should fix the label

When you get a chance
Destroy the directory and reboot and log in and see if the label is user_tmp_t.

initrc_tmp_t means it is a temporary directory created during bootup at some point.
If a user process created the directory, it would be labelled user_tmp_t.

I was guessing that you had some remote Xserver like freenx that was creating the directory.

Comment 4 Dario Castellarin 2010-03-04 23:49:39 UTC
It's my main laptop, I will try what you suggest tomorrow, thank you!

Comment 5 Dario Castellarin 2010-03-09 17:05:46 UTC
Sorry for the delay, I did as you told me. I deleted /tmp/.ICE-unix, rebooted and the directory got created again, with initrc_tmp_t label. So same selinux warning.

Anything else I can do? I really don't know what is creating this folder.

Comment 6 Daniel Walsh 2010-03-09 18:40:35 UTC
Do you have any services running that could be causing this directory to be created?

# chkconfig --list | grep on

Comment 7 Robert Nichols 2010-03-09 20:25:09 UTC
Created attachment 398919 [details]
List of running services from chkconfig

chkconfig --list output attached

Comment 8 Robert Nichols 2010-03-09 20:41:58 UTC
If I go to runlevel 3, delete the directory, then go to runlevel 5, I do get the system_u:object_r:xdm_tmp_t:s0 context.

If I go to runlevel 3, delete the directory, and then reboot to runlevel 5, the directory comes back with the system_u:object_r:initrc_tmp_t:s0 context.

Comment 9 Daniel Walsh 2010-03-09 21:06:43 UTC
I am seeing the same behavior here on a RHEL6 box.

Comment 10 Dario Castellarin 2010-03-09 22:57:44 UTC
Created attachment 398961 [details]
List of active services

Comment 11 Cristian Ciupitu 2010-03-12 08:35:24 UTC
I'm getting the same SELinux message after upgrading to selinux-policy-targeted-3.6.32-99.fc12.noarch.rpm (followed by an autorelabel). I'm not using freenx, VNC or something else. It's a plain local login (from GDM).

Comment 12 Cristian Ciupitu 2010-03-12 08:43:51 UTC
Created attachment 399583 [details]
List of running services (from chkconfig)

chkconfig --list | grep 5:on

Comment 13 Daniel Walsh 2010-03-12 13:59:57 UTC
I have found the problem.  

/tmp/.ICE-unix is actually being created in /etc/rc.sysinit

Adding the following labeling

/tmp/\.ICE-unix(/.*)?			gen_context(system_u:object_r:xdm_tmp_t,s0)


And removing the labeling from userdomain.fc will fix the problem.
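As an added example, not code from this bug report or from the selinux-policy package: a small Python triage helper that parses the AVC records quoted in the description, collapses them into the same allow rules audit2allow printed there, and then checks the denied path against the file-context entry from comment 13 to show that the correct fix is relabelling with restorecon, not adding those allow rules. The AVC lines are copied from the description, the file-context table holds only the entry from comment 13, and the function names are my own.

```python
import re

# AVC records copied from the description above (the three dir/sock_file denials).
AVC_LINES = """\
node=(removed) type=AVC msg=audit(1267647071.678:11809): avc:  denied  { write } for  pid=2051 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=14 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1267647071.678:11809): avc:  denied  { add_name } for  pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1267647071.678:11809): avc:  denied  { create } for  pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
"""

# The file-context entry from comment 13, as it would appear in a policy .fc file.
FILE_CONTEXTS = [(r"/tmp/\.ICE-unix(/.*)?", "xdm_tmp_t")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
                    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")

def type_of(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Return (source_type, target_type, class, [perms]) for each AVC line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((type_of(m["s"]), type_of(m["t"]), m["c"], m["perms"].split()))
    return found

def allow_rules(denials):
    """Collapse denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = {}
    for s, t, c, perms in denials:
        have = merged.setdefault((s, t, c), [])
        have.extend(p for p in perms if p not in have)
    rules = []
    for (s, t, c), perms in merged.items():
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

def mislabel_check(path, denials):
    """If the denied target's type is not what file_contexts assigns to its path,
    the object is mislabelled: the fix is restorecon, not a new allow rule."""
    for pattern, expected in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            wrong = {t for _, t, _, _ in denials if t != expected}
            if wrong:
                return f"{path} is labelled {', '.join(sorted(wrong))} but policy expects {expected}; run: restorecon -R -v {path}"
    return None
```

On a live system the same decision can be made by hand: compare `matchpathcon /tmp/.ICE-unix` with `ls -Zd /tmp/.ICE-unix`, as comments 20 and 22 do.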

Comment 14 zimon 2010-03-14 16:42:49 UTC
@DW: How do you do that "adding the following labeling"? Where do I add that line?

Comment 15 Daniel Walsh 2010-03-15 03:37:38 UTC
I am asking Miroslav, the bugzilla assignee to make the change.

Basically it is a software configuration change in the selinux-policy package.

Comment 16 Miroslav Grepl 2010-03-15 09:30:38 UTC
Fixed in selinux-policy-3.6.32-102.fc12

Comment 17 Fedora Update System 2010-03-15 22:17:26 UTC
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 18 Dario Castellarin 2010-03-16 14:16:34 UTC
selinux-policy-3.6.32-103.fc12 fixes it, thank you!

Comment 19 Robert Nichols 2010-03-16 16:08:11 UTC
No, it's NOT fixed.  I've installed selinux-policy-3.6.32-103.fc12.noarch, removed the /tmp/.ICE-unix directory, and rebooted.  I still see this AVC:


Summary:

SELinux is preventing /usr/bin/gnome-session "write" access on .ICE-unix.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gnome-session. It is not expected that this
access is required by gnome-session and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                .ICE-unix [ dir ]
Source                        gnome-session
Source Path                   /usr/bin/gnome-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-session-2.28.0-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux omega-3a.local 2.6.32.9-70.fc12.x86_64 #1
                              SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Tue 16 Mar 2010 10:55:58 AM CDT
Last Seen                     Tue 16 Mar 2010 10:57:12 AM CDT
Local ID                      55030c91-7aad-4b43-aac7-8a955a0330d6
Line Numbers                  

Raw Audit Messages            

node=omega-3a.local type=AVC msg=audit(1268755032.597:15887): avc:  denied  { write } for  pid=7455 comm="gnome-session" name=".ICE-unix" dev=sda2 ino=42109 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir

node=omega-3a.local type=AVC msg=audit(1268755032.597:15887): avc:  denied  { remove_name } for  pid=7455 comm="gnome-session" name="7455" dev=sda2 ino=42184 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir

node=omega-3a.local type=AVC msg=audit(1268755032.597:15887): avc:  denied  { unlink } for  pid=7455 comm="gnome-session" name="7455" dev=sda2 ino=42184 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file

node=omega-3a.local type=SYSCALL msg=audit(1268755032.597:15887): arch=c000003e syscall=87 success=yes exit=0 a0=11adb92 a1=11a9d20 a2=0 a3=1 items=0 ppid=7432 pid=7455 auid=4294967295 uid=42 gid=475 euid=42 suid=42 fsuid=42 egid=475 sgid=475 fsgid=475 tty=(none) ses=4294967295 comm="gnome-session" exe="/usr/bin/gnome-session" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 20 Daniel Walsh 2010-03-16 18:33:31 UTC
What does matchpathcon /tmp/.ICE-unix say?

Comment 21 Dario Castellarin 2010-03-16 20:19:59 UTC
That's weird, it really fixed it for me. Are you sure it's not some older report that you didn't delete from setroubleshoot? (it happened to me once)

Comment 22 Robert Nichols 2010-03-16 20:30:37 UTC
matchpathcon shows "/tmp/.ICE-unix system_u:object_r:xdm_tmp_t:s0"
and that agrees with what 'ls' shows as the current context.

I think I may just be seeing an anomaly in the timestamps.  The stamp on that
latest AVC is just a few seconds after what /var/run/utmp shows as the boot
time, and gnome-session doesn't get started that fast.

Indeed, when I look at the audit log, it claims that the next start of auditd
occurs _before_ the AVC that is recorded earlier in the file.  Looks like I
just picked a bad moment to get my clock synchronized via NTP for the first
time.

Objection withdrawn.  The change does work.

Comment 23 Fedora Update System 2010-03-16 23:23:41 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 24 Jose 2010-03-17 02:19:08 UTC
I ran the installation with: su -c 'yum --enablerepo=updates-testing update selinux-policy', but the problem continued.

Comment 25 Peter Holmes 2010-03-17 12:42:59 UTC
I'm also still seeing this.

Comment 26 Daniel Walsh 2010-03-17 13:01:54 UTC
You guys removed the directory and then rebooted and the directory came up mislabeled?

Comment 27 Peter Holmes 2010-03-17 13:26:43 UTC
I stand corrected.

  restorecon -R -v /tmp/.ICE-unix

appears to have fixed it.

Comment 28 Ralf Schneider 2010-03-17 20:56:50 UTC
Hi,

removed /tmp/.ICE-unix

Installed fix as suggested in Comment 23 with
su -c 'yum --enablerepo=updates-testing update selinux-policy'

After reboot /tmp/.ICE-unix didn't appear again so I think
the problem is fixed for me.

Comment 29 Jose 2010-03-18 02:57:48 UTC
(In reply to comment #28)
> Hi,
> 
> removed /tmp/.ICE-unix
> 
> Installed fix as suggested in Comment 23 with
> su -c 'yum --enablerepo=updates-testing update selinux-policy'
> 
> After reboot /tmp/.ICE-unix didn't appear again so I think
> the problem is fixed for me.

After restarting on five occasions, I think the problem is fixed.

Comment 30 homertreddi 2010-03-18 13:09:37 UTC
Installed fix 
(su -c 'yum --enablerepo=updates-testing update selinux-policy'),
removed /tmp/.ICE-unix like comment #29, reboot, but on restart I had the same bug... Can anybody help me? Thz...

Comment 31 Daniel Walsh 2010-03-18 13:28:06 UTC
speedxx,

What does matchpathcon /tmp/.ICE-unix

say?

Comment 32 Jose 2010-03-18 13:54:14 UTC
(In reply to comment #30)
> Installed fix 
> (su -c 'yum --enablerepo=updates-testing update selinux-policy'),
> removed /tmp/.ICE-unix like comment #29, reboot, but on restart i had the same
> bug... Can anybody help me? Thz...    

Speedxx.
My procedure was as follows:
1.- mv /tmp/.ICE-unix /tmp/.ICE-unix1
2.- su -c 'yum --enablerepo=updates-testing update selinux-policy'
3.- reboot.
and the problem was fixed for me too.

Comment 33 homertreddi 2010-03-18 21:18:00 UTC
Jose, i'll try now... many thz for now...

Comment 34 homertreddi 2010-03-18 21:26:45 UTC
Nothing to do... The bug still remains... :((((

Comment 35 Smartqa 2010-03-19 00:14:27 UTC
I tried the following commands and it worked:

1. yum remove selinux-policy
2. yum install selinux-policy
3. yum --enablerepo=updates-testing update selinux-policy

Comment 36 homertreddi 2010-03-19 10:51:14 UTC
Smartqa many thanks, you helped me!!! :D

Comment 37 Daniel Walsh 2010-03-19 12:46:00 UTC
*** Bug 575072 has been marked as a duplicate of this bug. ***

Comment 38 Fedora Update System 2010-03-20 03:29:39 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 39 Ivor Jones 2010-03-22 02:22:54 UTC
(In reply to comment #35)
> I tried the following commands and it worked:
> 
> 1. yum remove selinux-policy
> 2. yum install selinux-policy
> 3. yum --enablerepo=updates-testing update selinux-policy    

That worked for me too, thanks.

Ivor

