Re: SELinux mystery

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Smith wrote:
> Last week, I was doing an X server update and I wanted to test the
> config. I wanted to run X as a normal user, so (logged in as root) I did
> this:
> 
> # (su - joe -c "xinit -- :1 >x.log.my 2>&1")
> 
> Some time after that (I think it was the next day, after a reboot), I
> got a flag from setroubleshoot:
> 
> Nov  6 21:25:09 duros setroubleshoot: SELinux is preventing the
> /sbin/modprobe from using potentially mislabeled files
> (/home/joe/x.log.my). For complete SELinux messages. run ...
> 
> At the time, I just removed the log file (I didn't need it anymore) and
> forgot about it, but it kept bugging me:
> 
> Why was this flagged as an access problem? The file was not owned by
> root--it was created under a normal user's environment.
> 
> What was modprobe doing (or trying to do) with a file in a user's home
> directory?
> 
> Hmmm...
> 
> <Joe
> 
You redirected stdout/stderr to a file labeled user_home_t and started
the X server.  From that point on, every app that starts by default gets its
stdout/stderr redirected to user_home_t.  The kernel checks when
confined apps start up whether they have read/write access to all open
file descriptors, including stderr/stdout.  So eventually modprobe gets
executed while in your X session.  The kernel sees that you need
read/write to user_home_t, and it says that is not allowed, generating
the AVC.  The kernel then closes the file descriptor and reopens
stderr/stdout to /dev/null.  So you can safely ignore this AVC.
modprobe was not trying to do anything evil.  This is the most common
source of AVCs in SELinux and something we would like to be able to
eliminate.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHOx8xrlYvE4MpobMRAmonAKC1Oe961GlU582IL8UrQ08jNCr+LQCg3lf2
Ze7mAE7/g1I1wZZHbTvSSy4=
=oA5s
-----END PGP SIGNATURE-----

