Attachment 308393 Details for Bug 450026 – Summary SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to <Unknown> (var_log_t). Detailed Description SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to <Unknown>

Summary SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to <Unknown> (var_log_t). Detailed Description SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to <Unknown>

selinux_alert.txt (text/plain), 3.06 KB, created by Taneisha Mitchell-Gayle on 2008-06-04 20:13:35 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Taneisha Mitchell-Gayle

Created: 2008-06-04 20:13:35 UTC

Size: 3.06 KB

patch

obsolete

>Summary
>    SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to <Unknown>
>    (var_log_t).
>
>Detailed Description
>    SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to <Unknown>
>    (var_log_t). The SELinux type var_log_t, is a generic type for all files in
>    the directory and very few processes (SELinux Domains) are allowed to write
>    to this SELinux type.  This type of denial usual indicates a mislabeled
>    file.  By default a file created in a directory has the gets the context of
>    the parent directory, but SELinux policy has rules about the creation of
>    directories, that say if a process running in one SELinux Domain (D1)
>    creates a file in a directory with a particular SELinux File Context (F1)
>    the file gets a different File Context (F2).  The policy usually allows the
>    SELinux Domain (D1) the ability to write or append on (F2).  But if for some
>    reason a file (<Unknown>) was created with the wrong context, this domain
>    will be denied.  The usual solution to this problem is to reset the file
>    context on the target file, restorecon -v <Unknown>.  If the file context
>    does not change from var_log_t, then this is probably a bug in policy.
>    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the
>    selinux-policy package. If it does change, you can try your application
>    again to see if it works.  The file context could have been mislabeled by
>    editing the file or moving the file from a different directory, if the file
>    keeps getting mislabeled, check the init scripts to see if they are doing
>    something to mislabel the file.
>
>Allowing Access
>    You can attempt to fix file context by executing restorecon -v <Unknown>
>
>    The following command will allow this access:
>    restorecon <Unknown>
>
>Additional Information        
>
>Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>Target Context                system_u:object_r:var_log_t:s0
>Target Objects                None [ file ]
>Affected RPM Packages         gdm-2.20.1-5.fc8 [application]
>Policy RPM                    selinux-policy-3.0.8-44.fc8
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   plugins.mislabeled_file
>Host Name                     fc8-mthrld
>Platform                      Linux fc8-mthrld 2.6.24.3-50.fc8 #1 SMP Thu Mar 20
>                              14:47:10 EDT 2008 i686 i686
>Alert Count                   14
>First Seen                    Sat 05 Apr 2008 04:49:32 PM EST
>Last Seen                     Wed 04 Jun 2008 10:19:19 AM EST
>Local ID                      740fd756-a226-4ed7-8dcf-5dd15eebdd77
>Line Numbers                  
>
>Raw Audit Messages            
>
>avc: denied { write } for comm=gdm-binary dev=dm-0 egid=0 euid=0 exe=/usr/sbin
>/gdm-binary exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=btmp pid=2794
>scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
>subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
>tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0
>

Actions: View

Attachments on bug 450026: 308393