Bug 159187 - configurable hotkey feature doesn't work on enforcing mode
Summary: configurable hotkey feature doesn't work on enforcing mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Russell Coker
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-31 08:46 UTC by Akira TAGOH
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 1.25.3-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-05 00:40:42 UTC
Description Akira TAGOH 2005-05-31 08:46:46 UTC
Description of problem:
In enforcing mode, the per-user configurable hotkey feature, whose
configuration file is placed in $HOME/.iiim, doesn't work. It works after setenforce 0.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6
iiimf-server-12.2-4

How reproducible:
always

Steps to Reproduce:
1. Boot up the kernel in enforcing mode.
2. Log into the Japanese desktop, say, and run iiimf-le-tools --add-hotkey
'<shift>space' --lang ja in the terminal.
3. Run gedit and try to press ctrl+space to confirm it's disabled.
  
Actual results:
Both ctrl+space and shift+space work, since they are set as the default hotkeys.

Expected results:
Only shift+space works to activate the input method.

Additional info:
The exact filename for this configuration is $HOME/.iiim/le.xml.conf; it is used
to store the user-preferred activation key.

Comment 1 Daniel Walsh 2005-05-31 20:59:20 UTC
What avc messages are you seeing?

Dan

Comment 2 Akira TAGOH 2005-06-02 09:25:56 UTC
Actually, I haven't seen any avc messages in /var/log/messages. How can I get
more info on that?

Comment 3 Daniel Walsh 2005-06-02 12:17:16 UTC
Are you running audit?  If yes the avc messages will go to 
/usr/log/audit/audit.log.

Comment 4 Akira TAGOH 2005-06-02 13:44:14 UTC
Thanks. I got:
type=AVC msg=audit(1117719768.653:7061488): avc:  denied  { search } for 
pid=7584 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1117719768.653:7061488): arch=40000003 syscall=196
success=no exit=-13 a0=952c790 a1=b7ed50dc a2=3e6ff4 a3=b7ed50dc items=1
pid=7584 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1117719768.653:7061488): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=2 dev=03:06 mode=040755 ouid=0 ogid=0
rdev=00:00

It was output when I ran gedit, say.
Hope this helps.

Comment 5 Daniel Walsh 2005-06-06 13:37:46 UTC
Can you run 
> setenforce 0
> gedit
and see if you get any other avc messages?



Comment 6 Akira TAGOH 2005-06-07 09:09:11 UTC
Sure.

type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for 
pid=13855 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for 
pid=13855 comm="iiimd" name=tagoh dev=hda6 ino=5242911
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for 
pid=13855 comm="iiimd" name=.iiim dev=hda6 ino=5243004
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { getattr } for 
pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.663:4402919): arch=40000003 syscall=196
success=yes exit=0 a0=84afc60 a1=b7fa30dc a2=6a7ff4 a3=b7fa30dc items=1
pid=13855 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
sgid=101 fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=AVC_PATH msg=audit(1118135184.663:4402919): 
path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118135184.663:4402919): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118135184.664:4402926): avc:  denied  { read } for 
pid=13855 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:default_t tclass=file
type=SYSCALL msg=audit(1118135184.664:4402926): arch=40000003 syscall=5
success=yes exit=6 a0=84afc60 a1=0 a2=0 a3=84d7ce0 items=1 pid=13855
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd" exe="/usr/bin/iiimd"
type=PATH msg=audit(1118135184.664:4402926): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00


Comment 7 Daniel Walsh 2005-06-07 18:10:35 UTC
This looks like you have a labeling problem.  Are your home directories labeled
correctly?  The file in /home/tagoh.iim/.e.xml.conf should not be labeled default_t.

Dan

Comment 8 Akira TAGOH 2005-06-08 07:22:36 UTC
Hmm, I just did make reload and make relabel under
/etc/selinux/targeted/src/policy/, but it's still labeled default_t.

Comment 9 Daniel Walsh 2005-06-08 11:54:06 UTC
What is the output of 
ls -lZd /home /home/tagoh.iim
ls -lZ /home/tagoh.iim/e.xml.conf

Comment 10 Daniel Walsh 2005-06-08 11:54:59 UTC
Also do a 
restorecon -R -v /home/tagoh.iim

Comment 11 Akira TAGOH 2005-06-08 14:47:27 UTC
]$ ls -lZd /home/ /home/tagoh/.iiim/
drwxr-xr-x  root     root     system_u:object_r:default_t      /home/
drwxrwxr-x  tagoh    tagoh    user_u:object_r:default_t        /home/tagoh/.iiim
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r--  tagoh    tagoh    user_u:object_r:default_t       
/home/tagoh/.iiim/le.xml.conf
# restorecon -R -v /home/tagoh/.iiim/
restorecon reset /home/tagoh/.iiim context
user_u:object_r:default_t->user_u:object_r:user_home_t
restorecon reset /home/tagoh/.iiim/le.xml.conf context
user_u:object_r:default_t->user_u:object_r:user_home_t
$ ls -lZd /home/ /home/tagoh/ /home/tagoh/.iiim/
drwxr-xr-x  root     root     system_u:object_r:default_t      /home/
drwxr-xr-x  tagoh    tagoh    system_u:object_r:default_t      /home/tagoh/
drwxrwxr-x  tagoh    tagoh    user_u:object_r:user_home_t      /home/tagoh/.iiim/
$ ls -lZ /home/tagoh/.iiim/le.xml.conf
-rw-rw-r--  tagoh    tagoh    user_u:object_r:user_home_t     
/home/tagoh/.iiim/le.xml.conf

Ok, let me try again:
# setenforce 1

still doesn't work.

# setenforce 0
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { search } for 
pid=884 comm="iiimd" name=.iiim dev=hda6 ino=5243004
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { search } for 
pid=884 comm="iiimd" name=/ dev=hda6 ino=2 scontext=root:system_r:i18n_input_t
tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { getattr } for 
pid=884 comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949755): arch=40000003 syscall=196
success=yes exit=0 a0=84f6148 a1=b75810dc a2=6a7ff4 a3=b75810dc items=1 pid=884
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd"
exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=AVC_PATH msg=audit(1118241917.468:13949755): 
path="/home/tagoh/.iiim/le.xml.conf"
type=PATH msg=audit(1118241917.468:13949755): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1118241917.468:13949771): avc:  denied  { read } for  pid=884
comm="iiimd" name=le.xml.conf dev=hda6 ino=5243380
scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1118241917.468:13949771): arch=40000003 syscall=5
success=yes exit=8 a0=84f6148 a1=0 a2=0 a3=85000e0 items=1 pid=884
auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101
fsgid=101 comm="iiimd"
exe=2F7573722F62696E2F6969696D642E237072656C696E6B232E514F66576A62202864656C6574656429
type=PATH msg=audit(1118241917.468:13949771): item=0
name="/home/tagoh/.iiim/le.xml.conf" inode=5243380 dev=03:06 mode=0100664
ouid=500 ogid=500 rdev=00:00


Comment 12 Daniel Walsh 2005-06-08 14:57:26 UTC
Ok, we are closer.  You need to restorecon at the home dir, though:

restorecon -R -v /home

That will eliminate one of your messages.  Now the bigger question: isn't there a
better way than allowing i18n_input to read the users' home directories?  This is
a server application that has to go rooting around in the users' home dirs for
config files????

Dan
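
The triage Dan applies in comments 7 and 12, as an added example that is not part of the original thread or the iiimf project: parse single-line AVC records, and separate denials whose target carries a fallback type such as default_t (fix with restorecon) from denials against a correctly labeled type such as user_home_t (a policy decision, which is what comment 13 ends up making). The sample records are taken from this thread and reflowed onto one line each; the set of fallback types is an assumption about the targeted policy.

```python
import re
# Header of one single-line AVC record, followed by its free key=value tail.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed fallback types meaning "no file-context rule matched": a home-dir file carrying
# one of these needs restorecon (comments 7-12); a denial on a correct type is a policy gap.
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["verdict"], rec["perms"] = m.group("verdict"), m.group("perms").split()
    return rec

def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]

def diagnose(line):
    """Return ('relabel', name, ttype) or ('policy', stype, ttype) for a denial."""
    rec = parse_avc(line)
    if rec is None or rec["verdict"] != "denied":
        return None
    stype, ttype = context_type(rec["scontext"]), context_type(rec["tcontext"])
    if ttype in UNLABELED_TYPES:
        return ("relabel", rec.get("name", "?"), ttype)
    return ("policy", stype, ttype)

def summarize(lines):
    """Bucket denials so relabeling is done before any policy is touched."""
    out = {"relabel": set(), "policy": set()}
    for line in lines:
        d = diagnose(line)
        if d:
            out[d[0]].add(d[1:])
    return out

# Constructed sample: two records from this thread, each reflowed onto one line.
SAMPLE = [
    'type=AVC msg=audit(1118135184.663:4402919): avc:  denied  { search } for  pid=13855 comm="iiimd" '
    'name=tagoh dev=hda6 ino=5242911 scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir',
    'type=AVC msg=audit(1118241917.468:13949755): avc:  denied  { getattr } for  pid=884 comm="iiimd" '
    'name=le.xml.conf dev=hda6 ino=5243380 scontext=root:system_r:i18n_input_t tcontext=user_u:object_r:user_home_t tclass=file',
]
```

Run `summarize(SAMPLE)` to get the two buckets; anything in "relabel" is handled by `restorecon -R -v /home` before the "policy" bucket is worth discussing.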

Comment 13 Daniel Walsh 2005-08-25 14:50:56 UTC
Removing i18n_input from targeted policy so it will run unconfined.
selinux-policy-targeted-1.25.3-9

