Bug 524087

Summary: setroubleshoot: SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on .Xauthority.
Product: [Fedora] Fedora Reporter: Alexey Torkhov <atorkhov>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, jkubin, martin.nad89, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5b6c5df04050886e9b177076c50b04a2e98ca1b1904f4bc8e646383f8e775310
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-20 22:35:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexey Torkhov 2009-09-17 20:04:10 UTC 
The following was filed automatically by setroubleshoot:
audit2allow suggests:
Comment 1 Alexey Torkhov 2009-09-17 20:15:22 UTC 
Apparently, setroubleshoot didn't generate proper message. Here is audit message:
Happens in gnome session for root user.

node=rawhide.tortilla.ru type=AVC msg=audit(1253217723.568:26): avc: denied { read } for pid=1789 comm="ck-get-x11-serv" name=".Xauthority" dev=vda1 ino=107186 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 

node=rawhide.tortilla.ru type=SYSCALL msg=audit(1253217723.568:26): arch=40000003 syscall=33 success=no exit=-13 a0=bfa51fbc a1=4 a2=584bb8 a3=bfa51fbc items=0 ppid=1788 pid=1789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
Comment 2 Daniel Walsh 2009-09-17 20:59:22 UTC 
Did you login in as root via X Windows?
Comment 3 Alexey Torkhov 2009-09-17 21:03:24 UTC 
Nope, gdm seems doesn’t allow this. I called startx from console.
Comment 4 Daniel Walsh 2009-09-17 21:07:10 UTC 
When logged in as root?

SELinux does not support that so I have to close these bugs as WONTFIX.
Comment 5 Martin Naď 2009-10-15 19:38:28 UTC 
*** Bug 529264 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Walsh 2009-10-20 22:35:39 UTC 
restorecon -R -v /root 
should fix.Not sure how it got mislabled.  If you are logging in as root or running a session as root, that is not supported within SELinux.