Bug 444478

Summary: SELinux prevents gdm-session-worker from accessing .dmrc
Product: [Fedora] Fedora
Reporter: Andrew McNabb <amcnabb>
Component: gdm
Assignee: jmccann
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: cschalle, dwalsh, rstrode
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-28 19:28:15 UTC

Description Andrew McNabb 2008-04-28 15:48:38 UTC
I'm testing Fedora 9 Preview.  GDM can't read or write ~/.dmrc, so it can't
remember which session a user chose.  SELinux is preventing gdm-session-worker
from accessing the .dmrc file.  I haven't modified the default SELinux settings
in any way.

Here's a message from /var/log/messages:

Apr 28 09:41:57 maude gdm-session-worker[4805]: WARNING: unable to log session
Apr 28 09:41:57 maude gdm-session-worker[4805]: WARNING: could not save session and language settings: Failed to create file '/home/amcnabb/.dmrc.KK2CAU': Permission denied
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "read append" to ./.xsession-errors (home_root_t). For complete SELinux messages. run sealert -l b122017e-c4ff-4f51-8450-7ef8eb39c2f7
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./amcnabb (home_root_t). For complete SELinux messages. run sealert -l 43593f8b-7503-4ef2-9242-dfec108f4a77
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "read" to .dmrc (home_root_t). For complete SELinux messages. run sealert -l 633b3fc7-225e-44d8-acc2-d04ff8401df1
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./amcnabb (home_root_t). For complete SELinux messages. run sealert -l 43593f8b-7503-4ef2-9242-dfec108f4a77


Thanks.

Comment 1 Daniel Walsh 2008-04-28 19:28:15 UTC
The problem here is the labeling on amcnabb is wrong.

restorecon -R -v /home 

Should fix.

Did you just create this directory by hand?

Comment 2 Andrew McNabb 2008-04-28 19:33:07 UTC
It was restored from a tarball, which seems like a pretty normal thing to do. 
If selinux can't deal with that, it really seems like a problem.

Comment 3 Daniel Walsh 2008-04-28 19:40:37 UTC
It can as long as you told your tarball to contain xattrs.

man tar

...

       --selinux
              this option causes tar to store  each  file's  SELinux  security
              context information in the archive.

       --xattrs
              this  option causes tar to store each file's extended attributes
              in the archive. This option also enables --acls and --selinux if
              they haven't been set already, due to the fact that the data for
              those are stored in special xattrs.
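
Added example, not part of the original report or of any Fedora tool: a small Python triage of the setroubleshoot lines quoted in the Description, which collapses repeated alerts and flags targets that carry the home_root_t type. It assumes home_root_t is the type policy assigns to /home itself, so any other target with that type is treated as restored content that never got its own label; the function names are hypothetical.

```python
import re

# Constructed sample: the /var/log/messages lines from the report, unwrapped.
SAMPLE_LOG = """\
Apr 28 09:41:57 maude gdm-session-worker[4805]: WARNING: unable to log session
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "read append" to ./.xsession-errors (home_root_t). For complete SELinux messages. run sealert -l b122017e-c4ff-4f51-8450-7ef8eb39c2f7
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./amcnabb (home_root_t). For complete SELinux messages. run sealert -l 43593f8b-7503-4ef2-9242-dfec108f4a77
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "read" to .dmrc (home_root_t). For complete SELinux messages. run sealert -l 633b3fc7-225e-44d8-acc2-d04ff8401df1
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./amcnabb (home_root_t). For complete SELinux messages. run sealert -l 43593f8b-7503-4ef2-9242-dfec108f4a77
"""

# Matches the one-line setroubleshoot summary format shown in the report.
DENIAL_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<comm>\S+) \((?P<source>\w+)\) '
    r'"(?P<perms>[^"]+)" to (?P<target>\S+) \((?P<ttype>\w+)\)\. '
    r'.*?sealert -l (?P<alert>[0-9a-f-]{36})')

def parse_denials(log_text):
    """Return one dict per distinct sealert id, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m is None:
            continue  # not a setroubleshoot summary line
        alert = m["alert"]
        if alert not in seen:
            seen[alert] = {**m.groupdict(), "perms": m["perms"].split(), "count": 0}
        seen[alert]["count"] += 1
    return list(seen.values())

def mislabeled_home_targets(denials):
    """Targets typed home_root_t that are not /home itself (assumption: only
    /home should carry that type, so these were restored without labels)."""
    return sorted({d["target"] for d in denials
                   if d["ttype"] == "home_root_t"
                   and d["target"].rstrip("/") != "/home"})

def suggest(denials):
    """Return the relabel command from Comment 1 when mislabeling is seen."""
    return "restorecon -R -v /home" if mislabeled_home_targets(denials) else None

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(d["count"], d["source"], d["perms"], d["target"], d["ttype"])
    print("suggested fix:", suggest(found))
```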