Bug 590461 - SELinux is preventing /usr/bin/system-setup-keyboard "write" access on xorg.conf.d.
SELinux is preventing /usr/bin/system-setup-keyboard "write" access on x...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:c53a19e87d9...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-09 13:02 EDT by Bastien Nocera
Modified: 2010-09-17 00:53 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-27 15:30:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bastien Nocera 2010-05-09 13:02:56 EDT
Summary:

SELinux is preventing /usr/bin/system-setup-keyboard "write" access on
xorg.conf.d.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by system-setup-ke. It is not expected that this
access is required by system-setup-ke and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                xorg.conf.d [ dir ]
Source                        system-setup-ke
Source Path                   /usr/bin/system-setup-keyboard
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           system-setup-keyboard-0.7-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.3-73.fc13.x86_64 #1 SMP Thu Apr 29 09:46:07
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 08 May 2010 15:04:59 BST
Last Seen                     Sat 08 May 2010 16:26:14 BST
Local ID                      cc5f09bb-e86f-4483-a3dd-2da329b7189f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273332374.978:6): avc:  denied  { write } for  pid=1155 comm="system-setup-ke" name="xorg.conf.d" dev=sda4 ino=125593 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1273332374.978:6): arch=c000003e syscall=21 success=yes exit=128 a0=401838 a1=3 a2=7fff40c6ec48 a3=7fff40c6e650 items=0 ppid=1122 pid=1155 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-setup-ke" exe="/usr/bin/system-setup-keyboard" subj=system_u:system_r:hald_t:s0 key=(null)



Hash String generated from  catchall,system-setup-ke,hald_t,etc_t,dir,write
audit2allow suggests:

#============= hald_t ==============
#!!!! The source type 'hald_t' can write to a 'dir' of the following types:
# hald_cache_t, hald_var_lib_t, hald_var_run_t, hald_tmp_t, var_lock_t, mnt_t, root_t, tmp_t, virt_image_type, cardmgr_var_run_t, sysctl_vm_t, hald_log_t, device_t, fusefs_t, dosfs_t, var_run_t, var_log_t, root_t

allow hald_t etc_t:dir write;
Comment 1 Daniel Walsh 2010-05-10 14:22:12 EDT
Are you sure, this seems to be a partially updated system.

f12 policy and f13 kernel?
Comment 2 Steven Stern 2010-05-26 08:25:19 EDT
Got the same thing following an F12->F13 upgrade.
Comment 3 Daniel Walsh 2010-05-26 16:09:23 EDT
Right but does it still happen.  With F13 selinux policy?
Comment 4 Steven Stern 2010-05-26 17:14:26 EDT
I assume that the F13 policy replaced the F12 policy. I did the upgrade from the DVD.
Comment 5 Daniel Walsh 2010-05-27 14:58:21 EDT
It did but this AVC might have happened during the process.

rpm -q selinux-policy
Comment 6 Steven Stern 2010-05-27 15:25:29 EDT
$ rpm -q selinux-policy
selinux-policy-3.7.19-15.fc13.noarch
Comment 7 Daniel Walsh 2010-05-27 15:30:59 EDT
Ok you look fine.  If this AVC happens again reopen the bug.

Note You need to log in before you can comment on or make changes to this bug.