RHEL-16715

SELinux prevents the systemd-localed from creating the /etc/X11/xorg.conf.d directory [rhel-8]

    • selinux-policy-3.14.3-132.el8
    • sst_security_selinux
    • ssg_security
    • 14
    • QE ack
    • False
    • None
    • No
    • SELinux policy allows the systemd-localed service to create the /etc/X11/xorg.conf.d/ if it does not exist yet. No SELinux denials are triggered during this scenario.
    • Pass
    • Yes

      What were you trying to do that didn't work?

      already described in https://bugzilla.redhat.com/show_bug.cgi?id=2240159

      Please provide the package NVR for which bug is seen:

      selinux-policy-3.14.3-131.el8.noarch
      selinux-policy-targeted-3.14.3-131.el8.noarch
      systemd-239-78.el8.x86_64

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-8.10 machine (the targeted policy is active)
      2. run the automated test: https://src.fedoraproject.org/tests/selinux/blob/main/f/selinux-policy/systemd-localed
      3. search for SELinux denials

      Expected results

      No SELinux denials.

      Actual results

      ----
      type=PROCTITLE msg=audit(11/09/2023 11:27:07.474:934) : proctitle=/usr/lib/systemd/systemd-localed 
      type=PATH msg=audit(11/09/2023 11:27:07.474:934) : item=1 name=/etc/X11/xorg.conf.d nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(11/09/2023 11:27:07.474:934) : item=0 name=/etc/X11/ inode=67159963 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(11/09/2023 11:27:07.474:934) : cwd=/ 
      type=SYSCALL msg=audit(11/09/2023 11:27:07.474:934) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x561d03657496 a1=0755 a2=0x561d0466e010 a3=0x0 items=2 ppid=1 pid=123176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-localed exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0 key=(null) 
      type=AVC msg=audit(11/09/2023 11:27:07.474:934) : avc:  denied  { create } for  pid=123176 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
      ----
      

      Additional information:

      https://beaker.engineering.redhat.com/tasks/executed?recipe_task_id=168831473&recipe_task_id=168831571&recipe_task_id=168831674&recipe_task_id=168831371&new_pkg_tasks=168831473,168831571,168831674,168831371

            rhn-support-zpytela Zdenek Pytela
            mmalik@redhat.com Milos Malik
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik
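
Added example, not part of the original report or of selinux-policy: a short Python parser for the AVC record shown under "Actual results", as one way to do step 3 ("search for SELinux denials") on saved audit text. The sample input is constructed from the record quoted above, and the names parse_denials and as_rule are hypothetical; the allow line it prints only restates the denied access in policy syntax.

```python
import re

# Constructed sample: the AVC record quoted in this report, followed by a
# shortened SYSCALL record to show that non-AVC lines are ignored.
SAMPLE = """\
type=AVC msg=audit(11/09/2023 11:27:07.474:934) : avc:  denied  { create } for  pid=123176 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(11/09/2023 11:27:07.474:934) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) comm=systemd-localed
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
REQUIRED = {"scontext", "tcontext", "tclass"}

def parse_denials(text):
    """Return one dict per 'avc: denied' record found in audit log text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        if not REQUIRED <= fields.keys():
            continue  # truncated record: not enough to describe the access
        denials.append({
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "").strip('"'),
            "name": fields.get("name", "").strip('"'),
            # An SELinux context is user:role:type:level; the type is field 3.
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            # permissive=0 means the access was actually blocked.
            "enforced": fields.get("permissive") == "0",
        })
    return denials

def as_rule(d):
    """Render the denied access in policy 'allow' syntax, for triage only."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perms};"

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(d["comm"], d["name"], "enforced" if d["enforced"] else "permissive")
        print(as_rule(d))
```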