  1. RHEL
  2. RHEL-16716

SELinux prevents the systemd-localed from creating the /etc/X11/xorg.conf.d directory [rhel-9]

    • selinux-policy-38.1.28-1.el9
    • None
    • None
    • sst_security_selinux
    • ssg_security
    • 14
    • None
    • QE ack
    • False
    • No
    • None
    • SELinux policy allows the systemd-localed service to create the /etc/X11/xorg.conf.d/ directory if it does not exist yet. No SELinux denials are triggered during this scenario.
    • Pass
    • Automated
    • Release Note Not Required
    • None

      What were you trying to do that didn't work?

      already described in https://bugzilla.redhat.com/show_bug.cgi?id=2240159

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.27-1.el9.noarch
      selinux-policy-targeted-38.1.27-1.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-9.4 machine (the targeted policy is active)
      2. run the automated test: https://src.fedoraproject.org/tests/selinux/blob/main/f/selinux-policy/systemd-localed
      3. search for SELinux denials

      Expected results

      No SELinux denials.

      Actual results

      ----
      type=PROCTITLE msg=audit(11/15/2023 20:07:45.108:1648) : proctitle=/usr/lib/systemd/systemd-localed 
      type=PATH msg=audit(11/15/2023 20:07:45.108:1648) : item=1 name=/etc/X11/xorg.conf.d nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(11/15/2023 20:07:45.108:1648) : item=0 name=/etc/X11/ inode=33600699 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(11/15/2023 20:07:45.108:1648) : cwd=/ 
      type=SYSCALL msg=audit(11/15/2023 20:07:45.108:1648) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x56495d1ff093 a2=0755 a3=0x0 items=2 ppid=1 pid=148407 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-localed exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0 key=(null) 
      type=AVC msg=audit(11/15/2023 20:07:45.108:1648) : avc:  denied  { create } for  pid=148407 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
      ---
      

      Additional information:

      https://beaker.engineering.redhat.com/tasks/executed?recipe_task_id=168831473&recipe_task_id=168831571&recipe_task_id=168831674&recipe_task_id=168831371&new_pkg_tasks=168831473,168831571,168831674,168831371
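
Added example (not part of the original report and not code from the selinux-policy project): a Python parser that groups `ausearch -i` records like those under "Actual results" by event serial and summarises each AVC denial, including whether the type of the object being created matches the parent directory's type. The function names and the shortened sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three records of the event quoted in the report,
# in `ausearch -i` format, shortened to the fields this parser reads.
SAMPLE = """\
type=PATH msg=audit(11/15/2023 20:07:45.108:1648) : item=0 name=/etc/X11/ obj=system_u:object_r:etc_t:s0 nametype=PARENT
type=SYSCALL msg=audit(11/15/2023 20:07:45.108:1648) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) exe=/usr/lib/systemd/systemd-localed subj=system_u:system_r:systemd_localed_t:s0
type=AVC msg=audit(11/15/2023 20:07:45.108:1648) : avc:  denied  { create } for  pid=148407 comm=systemd-localed name=xorg.conf.d scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:object_r:xserver_etc_t:s0 tclass=dir permissive=0
"""

RECORD = re.compile(r"type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)")

def fields(text):
    """key=value pairs of a record body (values are cut at whitespace)."""
    return dict(re.findall(r"(\w+)=(\S+)", text))

def sel_type(context):
    """Type component of a user:role:type:level context."""
    return context.split(":")[2]

def denials(log):
    """Group records by event serial; summarise each AVC denial.
    'rule' is the missing access in allow-rule form, not the shipped fix."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(3)].append((m.group(1), m.group(4)))
    out = []
    for serial, recs in events.items():
        syscall = next((fields(b) for t, b in recs if t == "SYSCALL"), {})
        parent = next((fields(b) for t, b in recs
                       if t == "PATH" and "nametype=PARENT" in b), {})
        for body in (b for t, b in recs if t == "AVC"):
            if not (m := AVC.search(body)):
                continue
            f, perms = fields(m.group(2)), m.group(1).split()
            src, tgt = sel_type(f["scontext"]), sel_type(f["tcontext"])
            ptype = sel_type(parent["obj"]) if "obj" in parent else None
            perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
            out.append({
                "serial": serial, "syscall": syscall.get("syscall"),
                "enforced": f.get("permissive") == "0", "parent_type": ptype,
                # False: label came from a type transition or fscreate context.
                "inherits_parent_type": ptype == tgt,
                "rule": f"allow {src} {tgt}:{f['tclass']} {perm};",
            })
    return out
```
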

            rhn-support-zpytela Zdenek Pytela
            mmalik@redhat.com Milos Malik