815208 – SELinux is preventing /usr/bin/xrdb from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X1.

Bug 815208 - SELinux is preventing /usr/bin/xrdb from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X1.

Summary: SELinux is preventing /usr/bin/xrdb from 'connectto' accesses on the unix_str...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	15
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:33e3781230a...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-23 06:32 UTC by vikram goyal
Modified:	2012-05-08 13:47 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-05-07 14:49:17 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description vikram goyal 2012-04-23 06:32:31 UTC

SELinux is preventing /usr/bin/xrdb from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xrdb should be allowed connectto access on the X1 unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xrdb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:inetd_child_t:s0-s0:c0.c1023
Target Objects                @/tmp/.X11-unix/X1 [ unix_stream_socket ]
Source                        xrdb
Source Path                   /usr/bin/xrdb
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-server-utils-7.5-5.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-52.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.42.12-1.fc15.x86_64 #1 SMP Tue Mar 20 16:30:08
                              UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 23 Apr 2012 11:29:33 AM IST
Last Seen                     Mon 23 Apr 2012 11:30:14 AM IST
Local ID                      3e446ea9-5824-4001-b5fa-2bdf30568d99

Raw Audit Messages
type=AVC msg=audit(1335160814.617:84): avc:  denied  { connectto } for  pid=4738 comm="xrdb" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1335160814.617:84): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fff1d014240 a2=14 a3=7fff1d014243 items=0 ppid=4737 pid=4738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xrdb exe=/usr/bin/xrdb subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: xrdb,xdm_t,inetd_child_t,unix_stream_socket,connectto

audit2allow

#============= xdm_t ==============
allow xdm_t inetd_child_t:unix_stream_socket connectto;

audit2allow -R

#============= xdm_t ==============
allow xdm_t inetd_child_t:unix_stream_socket connectto;

Comment 1 Daniel Walsh 2012-04-23 14:52:06 UTC

What are you doing?  Was this X running out of xineted?

Comment 2 vikram goyal 2012-05-06 12:56:56 UTC

I had to access the machine on remote. So I created a service in xinetd & took vnc through vncviewer of GDM on remote site. I think the machine was running on selinux permissive mode & this was only an informational log of access violation.

Comment 3 Daniel Walsh 2012-05-07 14:49:17 UTC

Ok that would explain.  If you wanted this to run in enforcing mode then you would have to write local custom policy.

Comment 4 vikram goyal 2012-05-08 13:47:22 UTC

It would be security wise very beneficial if a generalized policy be created for such scenarios. That was my primary purpose for reporting it.

Note You need to log in before you can comment on or make changes to this bug.