Bug 407681

Summary: SELinux is preventing gdm-simple-gree (xdm_t) "getattr" to (inotifyfs_t).
Product: [Fedora] Fedora Reporter: Jim Cornette <jim.cornette>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-04 02:52:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jim Cornette 2007-12-02 05:20:24 UTC
Description of problem:
errors in troubleshooter browser

Version-Release number of selected component (if applicable):
selinux-policy-3.1.2-2.fc9
kernel-2.6.23.1-49.fc8

How reproducible:
Login with enforcing=0 with kernel-2.6.23.1-49.fc8


Steps to Reproduce:
1. add enforcing=0 to boot stanza
2. login using gdm
3. start GNOME via gdm
  
Actual results:
errors in browser displayed

Expected results:
no errors of course. But since gdm is in bad shape, I am no surprised with errors.

Additional info:
Summary
    SELinux is preventing gdm-simple-gree (xdm_t) "getattr" to <Unknown>
    (inotifyfs_t).

Detailed Description
    SELinux denied access requested by gdm-simple-gree. It is not expected that
    this access is required by gdm-simple-gree and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.1.2-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Sat 01 Dec 2007 11:02:21 PM EST
Last Seen                     Sat 01 Dec 2007 11:02:21 PM EST
Local ID                      63e5b879-0fe1-4f27-a87f-25db72ecf0c8
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=gdm-simple-gree dev=inotifyfs path=inotify
pid=2428 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0

Comment 1 Daniel Walsh 2007-12-03 02:17:12 UTC
Fixed in selinux-policy-3.2.1-2.fc9

Comment 2 Jim Cornette 2007-12-04 02:52:14 UTC
confirmed. Closed as Fixed in Rawhide.