Bug 432010

Summary: SELinux is preventing the dbus-daemon from using potentially mislabeled files (/root/.xsession-errors). (/root/.xsession-errors).
Product: [Fedora] Fedora Reporter: Riku Seppala <riku.seppala>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-02-08 15:51:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Riku Seppala 2008-02-08 13:09:45 UTC 
Summary:

SELinux is preventing the dbus-daemon from using potentially mislabeled files
(/root/.xsession-errors).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied dbus-daemon access to potentially mislabeled file(s)
(/root/.xsession-errors). This means that SELinux will not allow dbus-daemon to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want dbus-daemon to access this files, you need to relabel them using
restorecon -v '/root/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/root'.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0
                              :c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root/.xsession-errors [ file ]
Source                        dbus-daemon
Source Path                   /bin/dbus-daemon
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dbus-1.1.4-4.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.7-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24-23.fc9 #1 SMP
                              Wed Feb 6 11:23:06 EST 2008 x86_64 x86_64
Alert Count                   5
First Seen                    Fri 08 Feb 2008 12:29:33 PM EET
Last Seen                     Fri 08 Feb 2008 04:58:27 PM EET
Local ID                      6f665c17-83fd-44fe-b2d9-9f708478b102
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1202482707.165:35): avc:  denied 
{ read append } for  pid=3647 comm="dbus-daemon" path="/root/.xsession-errors"
dev=dm-0 ino=2812663
scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1202482707.165:35):
arch=c000003e syscall=59 success=yes exit=0 a0=40516b a1=7fff5540ca70
a2=7fff5540f038 a3=7fff5540e900 items=0 ppid=3646 pid=3647 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon"
exe="/bin/dbus-daemon"
subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-02-08 15:51:15 UTC 
THis is caused by logging as root via XWindows.  Not a good idea.  You can
safely ignore the SELinux avc, but we can not fix this since it is unsafe to do so.