Bug 590461 - SELinux is preventing /usr/bin/system-setup-keyboard "write" access on xorg.conf.d.
Summary: SELinux is preventing /usr/bin/system-setup-keyboard "write" access on x...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:c53a19e87d9...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-09 17:02 UTC by Bastien Nocera
Modified: 2010-09-17 04:53 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-05-27 19:30:59 UTC
Type: ---

Attachments (Terms of Use)

Description Bastien Nocera 2010-05-09 17:02:56 UTC

SELinux is preventing /usr/bin/system-setup-keyboard "write" access on

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by system-setup-ke. It is not expected that this
access is required by system-setup-ke and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                xorg.conf.d [ dir ]
Source                        system-setup-ke
Source Path                   /usr/bin/system-setup-keyboard
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           system-setup-keyboard-0.7-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Thu Apr 29 09:46:07
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 08 May 2010 15:04:59 BST
Last Seen                     Sat 08 May 2010 16:26:14 BST
Local ID                      cc5f09bb-e86f-4483-a3dd-2da329b7189f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273332374.978:6): avc:  denied  { write } for  pid=1155 comm="system-setup-ke" name="xorg.conf.d" dev=sda4 ino=125593 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1273332374.978:6): arch=c000003e syscall=21 success=yes exit=128 a0=401838 a1=3 a2=7fff40c6ec48 a3=7fff40c6e650 items=0 ppid=1122 pid=1155 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-setup-ke" exe="/usr/bin/system-setup-keyboard" subj=system_u:system_r:hald_t:s0 key=(null)

Hash String generated from  catchall,system-setup-ke,hald_t,etc_t,dir,write
audit2allow suggests:

#============= hald_t ==============
#!!!! The source type 'hald_t' can write to a 'dir' of the following types:
# hald_cache_t, hald_var_lib_t, hald_var_run_t, hald_tmp_t, var_lock_t, mnt_t, root_t, tmp_t, virt_image_type, cardmgr_var_run_t, sysctl_vm_t, hald_log_t, device_t, fusefs_t, dosfs_t, var_run_t, var_log_t, root_t

allow hald_t etc_t:dir write;

Comment 1 Daniel Walsh 2010-05-10 18:22:12 UTC
Are you sure, this seems to be a partially updated system.

f12 policy and f13 kernel?

Comment 2 Steven Stern 2010-05-26 12:25:19 UTC
Got the same thing following an F12->F13 upgrade.

Comment 3 Daniel Walsh 2010-05-26 20:09:23 UTC
Right but does it still happen.  With F13 selinux policy?

Comment 4 Steven Stern 2010-05-26 21:14:26 UTC
I assume that the F13 policy replaced the F12 policy. I did the upgrade from the DVD.

Comment 5 Daniel Walsh 2010-05-27 18:58:21 UTC
It did but this AVC might have happened during the process.

rpm -q selinux-policy

Comment 6 Steven Stern 2010-05-27 19:25:29 UTC
$ rpm -q selinux-policy

Comment 7 Daniel Walsh 2010-05-27 19:30:59 UTC
Ok you look fine.  If this AVC happens again reopen the bug.

Note You need to log in before you can comment on or make changes to this bug.