* Restorecond and .xsession-errors
@ 2010-05-12 19:10 Alan Rouse
From: Alan Rouse @ 2010-05-12 19:10 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
I'm down to one AVC left booting to a desktop in OpenSUSE 11.3 milestone 6.
type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for pid=3089 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
It looks to me like somewhere late in the boot, a windowing error occurs and it attempts to log it to .xsession-errors. For some reason at that point in time it attempts to relabel that file and is denied.
The file context on .xsession-errors in the unprivileged user's home directory is user_u:object_r:user_home_t:s0
However, when I run audit2allow on that avc, it says "This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work."
Should I relabel .xsession-errors? If so, to what?
* Re: Restorecond and .xsession-errors
From: Dominick Grift @ 2010-05-12 20:44 UTC (permalink / raw)
To: 'selinux@tycho.nsa.gov'
On 05/12/2010 09:10 PM, Alan Rouse wrote:
> I'm down to one AVC left booting to a desktop in OpenSUSE 11.3 milestone 6.
>
> type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for pid=3089 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
>
> It looks to me like somewhere late in the boot, a windowing error occurs and it attempts to log it to .xsession-errors. For some reason at that point in time it attempts to relabel that file and is denied.
>
> The file context on .xsession-errors in the unprivileged user's home directory is user_u:object_r:user_home_t:s0
>
> However, when I run audit2allow on that avc, it says "This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work."
>
> Should I relabel .xsession-errors? If so, to what?
>
>
Here in Fedora that file is xdm_home_t but nonetheless both should have
the user_home_type attribute and $1_usertype (attribute for user
domains) should be able to relabelto and relabelfrom user_home_types.
In other words the user should be able to relabel the file.
However, since audit2allow says that it is a constraint violation,
I am guessing that UBAC is enabled.
That would mean the user_u SELinux identity cannot interact with the
system_u SELinux identity of the file's label.
In that case, either deal with UBAC or disable UBAC.
* Re: Restorecond and .xsession-errors
From: Dominick Grift @ 2010-05-12 20:51 UTC (permalink / raw)
To: 'selinux@tycho.nsa.gov'
On 05/12/2010 10:44 PM, Dominick Grift wrote:
> On 05/12/2010 09:10 PM, Alan Rouse wrote:
>> I'm down to one AVC left booting to a desktop in OpenSUSE 11.3 milestone 6.
>>
>> type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for pid=3089 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
>>
>> It looks to me like somewhere late in the boot, a windowing error occurs and it attempts to log it to .xsession-errors. For some reason at that point in time it attempts to relabel that file and is denied.
>>
>> The file context on .xsession-errors in the unprivileged user's home directory is user_u:object_r:user_home_t:s0
>>
>> However, when I run audit2allow on that avc, it says "This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work."
>>
>> Should I relabel .xsession-errors? If so, to what?
>>
>>
>
> Here in Fedora that file is xdm_home_t but nonetheless both should have
> the user_home_type attribute and $1_usertype (attribute for user
> domains) should be able to relabelto and relabelfrom user_home_types.
>
> In other words the user should be able to relabel the file.
>
> However, since audit2allow says that it is a constraint violation,
> I am guessing that UBAC is enabled.
>
> That would mean the user_u SELinux identity cannot interact with the
> system_u SELinux identity of the file's label.
>
> In that case, either deal with UBAC or disable UBAC.
>
Well, actually, I bet the file context for this location has system_u
specified and restorecond just does what it's told.
So restorecond (which runs as the user_u SELinux identity) is trying to
relabel the file ~/.xsession-errors (with the user_u SELinux identity)
to the specified context of system_u:object_r:xauth_home_t:s0. I am
guessing that is not allowed by the constraints. I wonder what the
proper solution is, but my money says the file context specification for
that and other locations in "user_u" home should have the user_u SELinux
identity. The question would then be how genhomedircon knows what
identity to use for the various different SELinux user homes.
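The triage the thread walks through, parsing the AVC record, comparing the SELinux user of the source and target contexts, and checking whether a home-directory file-context specification names a different identity than the home's owner, as an added Python example. This is not code from the thread or from the SELinux project; the AVC line is the one quoted above, while the file_contexts entry, the path /home/alan/.xsession-errors and all function names are constructed for illustration. The identity comparison is a heuristic that mirrors the thread's reasoning; the constraints in the loaded policy remain authoritative.

```python
"""Added example: triage an AVC denial for the UBAC identity mismatch the
thread describes. Not code from the thread or from the SELinux project."""
import re

# AVC record quoted in the thread, reused here as sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for '
    'pid=3089 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 '
    'tclass=file'
)

# Constructed file_contexts.homedirs-style entry (path regex, file type,
# context) illustrating the case suspected in the thread: system_u in a
# home-directory specification. Hypothetical, not from any real policy.
SAMPLE_FC_LINE = r'/home/[^/]+/\.xsession-errors -- system_u:object_r:xauth_home_t:s0'
SAMPLE_PATH = '/home/alan/.xsession-errors'  # assumed path, not from the thread

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Permissions the thread identifies as subject to the identity constraint.
IDENTITY_PERMS = {'relabelfrom', 'relabelto'}


def parse_context(ctx):
    """Split user:role:type[:range] into a dict; the MLS range may be absent."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return dict(zip(('user', 'role', 'type', 'range'), parts))


def parse_avc(line):
    """Parse one audit AVC record into a dict of its key=value fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, raw, quoted in _KV_RE.findall(m.group('fields')):
        rec[key] = quoted if raw.startswith('"') else raw
    for side in ('scontext', 'tcontext'):
        rec[side] = parse_context(rec[side])
    return rec


def ubac_identity_mismatch(rec):
    """Return a triage note when a relabel denial pairs two different SELinux
    users, the shape of denial the thread attributes to UBAC; else None."""
    if rec['result'] != 'denied' or not (set(rec['perms']) & IDENTITY_PERMS):
        return None
    su, tu = rec['scontext']['user'], rec['tcontext']['user']
    if su == tu:
        return None
    return ('%s (pid %s) as SELinux user %s denied %s on %r labelled %s:%s; '
            'identity mismatch, consistent with a UBAC constraint'
            % (rec.get('comm', '?'), rec.get('pid', '?'), su,
               ' '.join(rec['perms']), rec.get('name', '?'), tu,
               rec['tcontext']['type']))


def parse_fc_line(fc_line):
    """Parse a file_contexts line: path regex, optional file type, context."""
    parts = fc_line.split()
    if len(parts) == 3:
        regex, ftype, ctx = parts
    elif len(parts) == 2:
        regex, ctx = parts
        ftype = None
    else:
        raise ValueError('malformed file_contexts line: %r' % fc_line)
    return {'regex': regex, 'ftype': ftype, 'context': parse_context(ctx)}


def spec_identity_conflict(fc_line, path, home_user):
    """True if the spec matches path (file_contexts regexes are matched
    against the whole path) and names a SELinux user other than home_user."""
    spec = parse_fc_line(fc_line)
    if not re.fullmatch(spec['regex'], path):
        return False
    return spec['context']['user'] != home_user


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    print(ubac_identity_mismatch(record))
    print('spec identity conflict:',
          spec_identity_conflict(SAMPLE_FC_LINE, SAMPLE_PATH, 'user_u'))
```

Run against the quoted record, the first check reports user_u acting on a system_u-labelled file; the second reports that the constructed specification for the user's home names system_u, which is the mismatch the last message suspects. On a live system the same comparison can be made against the actual specification that restorecond applied, rather than this constructed line.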