Bug 480847
Summary: | SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:1-greeter.log (xserver_log_t). | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> | ||||||
Component: | gdm | Assignee: | Miroslav Grepl <mgrepl> | ||||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | 10 | CC: | acme, drago01, dwalsh, faithinfamilies, jbastian, jmccann, john.mellor, mcepl, mstuff, rstrode, silver_fox786, vikigoyal | ||||||
Target Milestone: | --- | Keywords: | SELinux | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2009-08-23 17:07:16 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Matěj Cepl
2009-01-20 21:12:14 UTC
Is this a leaked file descriptor or are you setting stdout of polkit-read-auth to /var/log/gdm/:0-greeter.log? (In reply to comment #1) > Is this a leaked file descriptor or are you setting stdout of polkit-read-auth > to /var/log/gdm/:0-greeter.log? Halfline thought that it might be just wrong label for the file (should be xdm_var_log_t instead of xserver_log_t). There is no xdm_var_log_t. This is the correct label. Or I can add a new one, but the question is whether this is intentional that we want to grab the output from polkit-read-auth, or is it a leak. right, I wasn't saying there was a xdm_var_log_t, was saying there should be one: "(21:21:53) halfline: should probably be a new xdm_var_log_t or some such" See the irc conversation Matej pasted. :0-greeter.log is akin to ~/.xsession-errors but for the gdm user. It's where all programs in the greeter session (including things that use policykit) output their debug spew. Created attachment 330841 [details]
Here's another selinux_alert fyi
Summary for above attachment: SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log (xserver_log_t). Ray and I have talked about making this append and relabeling /var/log/gdm to xdm_log_t. Then we can allow the confined domains to append to the log, rather then write. write allows you to truncate the log files. But for F10 this app should be able to write xserver_log_t. In F11 it will append to xdm_log_t. Miroslav and you fix this? Fixed in selinux-policy-3.5.13-44.fc10 This looks like the same bug as 484564 Can we get this rolled over into fedora-updates-testing, so that we can actually get this fixed version? *** Bug 484564 has been marked as a duplicate of this bug. *** *** Bug 484451 has been marked as a duplicate of this bug. *** It was pushed on Friday last week. I tested today and works fine. # yum install --enablerepo=updates-testing selinux-policy-targeted *** Bug 485326 has been marked as a duplicate of this bug. *** Created attachment 355968 [details]
selinux_is_preventing_polkit-read-aut (polkit_auth_t) "gettattr" fs_t.txt
mine looks slightly different; should I worry about this? linux newbie: so far I've only used Firefox & T-bird but will be doing other work incl web dev and adjusting network access, documents. **Haven't been able to print since upgrade from F10 to F11**
add'l notes: was having all kinds of problems, think before F11 upgrade, like constant dropped connection, couldn't read or save text anywhere but text editor, 30 min boot - now just have to login twice and about 10 min boot but lost printing after F11 upgrade. newbie not sure if has anything to do w/this. many more SELinux alerts since F11 but will check/file rpts separately. thanks Faith, please send me email, and I will work with you on fixing your problem. dwalsh I sent the email, but I don't know that anything ever got fixed. Remember, my error was slightly different (see above comment from me) than the original error filed in this bug report. Please advise how I can tell if my problem has been fixed. Last time my SELinux reported this error was on 8/17. Computer is used daily. Thanks Sounds good Faith. You are probably all set. Reopen bug if you see any more problems. |