Bug 524583
| Field | Value |
|---|---|
| Summary | setroubleshoot: SELinux is preventing the /usr/bin/kdm from using potentially mislabeled files (/home/mef/.Xauthority-c). |
| Product | [Fedora] Fedora |
| Component | kdebase-workspace |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Hardware | i386 |
| OS | Linux |
| Reporter | Mary Ellen Foster <mefoster> |
| Assignee | Than Ngo <than> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, fedora, fedora, jreznik, kevin, lorenzo, ltinkl, mgrepl, olivares14031, rdieter, rstrode, sergei.litvinenko, smparrish, than |
| Whiteboard | setroubleshoot_trace_hash:1840583d795c35ffed8153f9d359d1042cca1dedf42488950a7683acefd84fbc |
| Doc Type | Bug Fix |
| Last Closed | 2009-09-21 15:15:34 UTC |

Description
Mary Ellen Foster
2009-09-21 10:34:10 UTC
SELinux does not handle having two files written in the same directory at the same time with different security labels. In the case of kdm, it is trying to write .xsession-errors and .Xauthority*.

.xsession-errors has to allow all processes in the user domain to write to it, since this is where they report their errors. .Xauthority wants very few processes to write to it, and most need to read. So I label them differently: xauth_home_t and xdm_home_t.

xdm was changed to write the Xauth file in /var/run/

    echo $XAUTHORITY
    /var/run/gdm/auth-for-dwalsh-m67cxI/database

I believe this solves other problems also, around kerberized NFS.

Can we get kdm to do something similar?

Maybe? kdmrc contains the option:

    # Where to store authorization files.
    # Default is "/var/run/xauth"
    #AuthDir=/tmp

It's putting something in /var/run/xauth on my box (though, oops, that's currently an unowned directory).

Fwiw, is this something new to F-12? I don't see any selinux-related issues on my F-11 box.

I don't know. But maybe this is an upgrade issue, so the user needs to change his defaults?

This is not an upgrade install -- I installed the alpha freshly a few weeks ago and have been updating against Rawhide since. I have exactly the same content in my kdmrc as Rex mentions in Comment #2.

Any preference for kdm using /var/run/xauth vs /var/run/kdm here? The latter would be easier for folks upgrading (no/less config change), if that makes any difference.

There's also this option:

    # Where to put the user's X-server authorization file if ~/.Xauthority
    # cannot be created.
    # Default is "/tmp"
    #UserAuthDir=

So, Dan, this is the one you'd rather be in /var/run somewhere too?

I would rather /var/run/kdm, since I think we already have the correct label there.

okie dokie, fixed in kde-settings-kdm-4.3-9

    %changelog
    * Mon Sep 21 2009 Rex Dieter <rdieter> - 4.3-9
    - kdmrc: ForceUserAuthDir=true (#524583)

    * Mon Sep 21 2009 Rex Dieter <rdieter> - 4.3-8
    - kdmrc: use /var/run/kdm for pid/xauth (#524583)

*** Bug 527843 has been marked as a duplicate of this bug. ***

*** Bug 566582 has been marked as a duplicate of this bug. ***
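
An added example, not part of the bug comments or of the kde-settings package: a Python check that resolves from a kdmrc where kdm will write X authority files, using the AuthDir, UserAuthDir and ForceUserAuthDir options named in this thread. The two kdmrc fragments are constructed, the section placement ([General] and [X-*-Core]) follows KDM's documented layout, and ForceUserAuthDir defaulting to false is an assumption.

```python
import configparser

# Defaults quoted in the kdmrc comments above; ForceUserAuthDir=false as the
# default is an assumption taken from KDM's documentation, not from this page.
DEFAULTS = {"AuthDir": "/var/run/xauth", "UserAuthDir": "/tmp",
            "ForceUserAuthDir": "false"}

# Constructed kdmrc fragments: stock settings vs. the change discussed here.
BEFORE = """[General]
# Default is "/var/run/xauth"
#AuthDir=/tmp
[X-*-Core]
# Default is "/tmp"
#UserAuthDir=
"""
AFTER = """[General]
AuthDir=/var/run/kdm
[X-*-Core]
UserAuthDir=/var/run/kdm
ForceUserAuthDir=true
"""

def xauth_locations(kdmrc_text):
    """Resolve where kdm writes the server and user X authority files."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # kdmrc keys are case-sensitive
    cp.read_string(kdmrc_text)

    def opt(section, key):
        # Missing section, missing key and empty value all mean "default".
        return cp.get(section, key, fallback="") or DEFAULTS[key]

    # Only the X-*-Core wildcard section is examined; per-display overrides
    # such as [X-:0-Core] are not evaluated here.
    forced = opt("X-*-Core", "ForceUserAuthDir").lower() == "true"
    return {"server_auth_dir": opt("General", "AuthDir"),
            "user_auth_dir": opt("X-*-Core", "UserAuthDir"),
            "user_auth_in_home": not forced}

def audit(kdmrc_text):
    """List settings that leave auth files where the thread says they clash."""
    loc, findings = xauth_locations(kdmrc_text), []
    if loc["user_auth_in_home"]:
        findings.append("ForceUserAuthDir is not true: kdm writes "
                        "~/.Xauthority next to ~/.xsession-errors")
    for key in ("server_auth_dir", "user_auth_dir"):
        if not loc[key].startswith("/var/run/"):
            findings.append("%s=%s is outside /var/run" % (key, loc[key]))
    return findings
```

Calling `audit(BEFORE)` reports the home-directory write and the /tmp fallback, while `audit(AFTER)` returns an empty list.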