Bug 544909
| Summary: | SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files (.Xauthority). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | euroford <an.euroford> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f88947e228d492a9bc2092a327b997774b0ae81e5c421c6060415298b8ca97f1 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-12-07 21:04:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 538428 *** |
概述: SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files (.Xauthority). 详细描述: SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s) (.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. 允许访问: If you want ck-get-x11-serv to access this files, you need to relabel them using restorecon -v '.Xauthority'. You might want to relabel the entire directory using restorecon -R -v ''. 附加信息: 源上下文 system_u:system_r:consolekit_t:s0-s0:c0.c1023 目标上下文 unconfined_u:object_r:admin_home_t:s0 目标对象 .Xauthority [ file ] 源 ck-get-x11-serv 源路径 /usr/libexec/ck-get-x11-server-pid 端口 <未知> 主机 (removed) 源 RPM 软件包 ConsoleKit-x11-0.3.0-8.fc11 目标 RPM 软件包 策略 RPM selinux-policy-3.6.12-85.fc11 启用 Selinux True 策略类型 targeted Enforcing 模式 Enforcing 插件名称 home_tmp_bad_labels 主机名 (removed) 平台 Linux (removed) 2.6.30.8-64.fc11.x86_64 #1 SMP Fri Sep 25 04:43:32 EDT 2009 x86_64 x86_64 警报计数 1 第一个 2009年10月23日 星期五 13时24分02秒 最后一个 2009年10月23日 星期五 13时24分02秒 本地 ID 3783ef4f-25de-4cdd-8a58-258b42bc2fa0 行号 原始核查信息 node=(removed) type=AVC msg=audit(1256275442.131:28594): avc: denied { read } for pid=13294 comm="ck-get-x11-serv" name=".Xauthority" dev=sda2 ino=20946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1256275442.131:28594): arch=c000003e syscall=21 success=no exit=-13 a0=7fffe9621fb8 a1=4 a2=0 a3=7fffe96217d3 items=0 ppid=13293 pid=13294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.12-85.fc11,home_tmp_bad_labels,ck-get-x11-serv,consolekit_t,admin_home_t,file,read audit2allow suggests: #============= consolekit_t ============== allow consolekit_t admin_home_t:file read;