Bug 438285

Summary: Lots of AVC denials during basic use of system (as root)
Product: [Fedora] Fedora Reporter: Frank Thingholm <frank>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: jkubin
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-20 13:12:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
setroubleshoot browser messages dump - appx 25 total none

Description Frank Thingholm 2008-03-20 05:23:35 UTC 
Description of problem:
AVC denial announcements during simple use of system:
- Browsing in FF3 (related to fonts)
- Changing keyboard layout
- Viewing the ABOUT menu item in SETROUBLESHOOT browser

Version-Release number of selected component (if applicable):
Installed from rawhide after the 19MAR2008 replication.

How reproducible:
The last 4 daily rawhide installs (from scratch, over-the-net installs) had this.

Steps to Reproduce:
1. Do install from scratch, select DANISH language and "dk" keyboard layout.
2. Restart system and log in as root
3. Use the system as directed above
  
Actual results:
Lots of AVC denial balloons, really large number of entries in setroubleshoot
browser. 25 entries, with appx. half of them having >100 occurrences.

Expected results:
Very few or none AVC denials with the abovementioned usage and login.

Additional info:
Will attach dump of message from setroubleshoot browser. Seems to be lots of
mislabeled files.
Comment 1 Frank Thingholm 2008-03-20 05:28:59 UTC 
Created attachment 298634 [details]
setroubleshoot browser messages dump - appx 25 total

Messages dumped from setroubleshoot browser. About 25 in total, with half of
them having >100 occurrences.

Not all are related to npviewer.bin although the first few are :)
Comment 2 Daniel Walsh 2008-03-20 13:12:50 UTC 
If you are logging into a machine as root via XWindows, then you should just
turn off SELinux it is not supported and not a good idea.  To make it work would
invalidate all the controls, by allowing confined applications to write to the
/root directory.

Logging in via X Windows as root is a very bad idea.