924005 – SELinux is preventing /usr/libexec/uim-helper-server from 'create' accesses on the sock_file uim-helper.

Bug 924005 - SELinux is preventing /usr/libexec/uim-helper-server from 'create' accesses on the sock_file uim-helper.

Summary: SELinux is preventing /usr/libexec/uim-helper-server from 'create' accesses o...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	uim
Sub Component:
Version:	19
Hardware:	i686
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Akira TAGOH
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:d658655a119bb7f2ceef233bfd1...
Duplicates (2):	948289 949749 (view as bug list)
Depends On:
Blocks:	948289
TreeView+	depends on / blocked

Reported:	2013-03-20 22:16 UTC by Nicolas Chauvet (kwizart)
Modified:	2013-05-03 02:47 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-05-03 01:53:15 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nicolas Chauvet (kwizart) 2013-03-20 22:16:00 UTC

Description of problem:
SELinux is preventing /usr/libexec/uim-helper-server from 'create' accesses on the sock_file uim-helper.

*****  Plugin catchall (100. confidence) suggests  ***************************

If vous pensez que uim-helper-server devrait être autorisé à accéder create sur uim-helper sock_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep uim-helper-serv /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xserver_log_t:s0
Target Objects                uim-helper [ sock_file ]
Source                        uim-helper-serv
Source Path                   /usr/libexec/uim-helper-server
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           uim-1.8.4-3.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-22.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-0.rc0.git3.1.fc19.i686.PAE
                              #1 SMP Thu Feb 21 23:51:23 UTC 2013 i686 i686
Alert Count                   20
First Seen                    2013-03-14 22:13:14 CET
Last Seen                     2013-03-20 23:07:09 CET
Local ID                      e551967b-6161-4a31-93b3-fb5d2a81ed1e

Raw Audit Messages
type=AVC msg=audit(1363817229.861:344): avc:  denied  { create } for  pid=1345 comm="uim-helper-serv" name="uim-helper" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1363817229.861:344): arch=i386 syscall=socketcall success=no exit=EACCES a0=2 a1=bfe8aeb0 a2=2b a3=0 items=0 ppid=1 pid=1345 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 ses=4294967295 tty=(none) comm=uim-helper-serv exe=/usr/libexec/uim-helper-server subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: uim-helper-serv,xdm_t,xserver_log_t,sock_file,create

audit2allow

#============= xdm_t ==============
allow xdm_t xserver_log_t:sock_file create;

audit2allow -R
require {
	type xserver_log_t;
	type xdm_t;
	class sock_file create;
}

#============= xdm_t ==============
allow xdm_t xserver_log_t:sock_file create;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc0.git3.1.fc19.i686.PAE
type:           libreport

Comment 1 Daniel Walsh 2013-03-22 15:08:11 UTC

Why is uim-helper creating a socket in a log directory?

Comment 2 Daniel Walsh 2013-03-22 15:10:44 UTC

mgrepl uim looks like it needs policy written for it.

Comment 3 Akira TAGOH 2013-03-25 03:12:46 UTC

uim creates a socket under $HOME/.uim.d/socket and apparently it was about to run on some display manager.

Is there anything I can improve in uim for this issue?

Comment 4 Daniel Walsh 2013-03-25 14:27:27 UTC

No that is fine, and would actually work well for us if we needed to label it.

Ray do you know anything about this?

Comment 5 Akira TAGOH 2013-04-09 01:45:29 UTC

*** Bug 949749 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2013-04-09 08:59:29 UTC

*** Bug 948289 has been marked as a duplicate of this bug. ***

Comment 7 Ray Strode [halfline] 2013-04-10 17:55:30 UTC

nope, i don't even know what uim is

Comment 8 Daniel Walsh 2013-04-10 18:03:30 UTC

Some kind of translation tool for fancy keyboards, 


Uim is a multilingual input method library. Uim aims to
provide secure and useful input methods for all
languages. Currently, it can input to applications which
support Gtk+'s immodule, Qt's immodule and XIM.

This package provides the input method library, the XIM
bridge and most of the input methods.

For the Japanese input methods you need to install
- uim-anthy for Anthy
- uim-canna for Canna
- uim-skk for SKK.

Comment 9 Ray Strode [halfline] 2013-04-10 20:46:12 UTC

what's its relationship to ibus?

It shouldn't be putting dot directories directly in user's $HOME (that's what $HOME/.local and $HOME/.config are for) and it shouldn't be putting socket files in $HOME at all (that's what /run/user/.../ is for)

Comment 10 Fedora Update System 2013-04-15 10:46:13 UTC

uim-1.8.5-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/uim-1.8.5-3.fc19

Comment 11 Fedora Update System 2013-04-15 10:47:28 UTC

uim-1.8.5-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/uim-1.8.5-2.fc18

Comment 12 Fedora Update System 2013-04-15 10:48:28 UTC

uim-1.8.5-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/uim-1.8.5-2.fc17

Comment 13 Fedora Update System 2013-04-15 16:17:44 UTC

Package uim-1.8.5-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing uim-1.8.5-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5683/uim-1.8.5-3.fc19
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-05-03 01:53:17 UTC

uim-1.8.5-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-05-03 01:56:12 UTC

uim-1.8.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-05-03 02:47:41 UTC

uim-1.8.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.