Bug 550364

Summary: SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on root.
Product: [Fedora] Fedora Reporter: dazeminu
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl, rockworldmi
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d65f36a722e379a3fca51328f93d8454ef074fef5c5f84e6dc374101af434b35
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-27 13:02:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description dazeminu 2009-12-24 18:45:00 UTC 
요약:

SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on
root.

상세 설명:

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

액세스 허용:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

자세한 정보:

소스 문맥                 system_u:system_r:xdm_t:s0-s0:c0.c1023
대상 문맥                 system_u:object_r:admin_home_t:s0
대상 객체                 root [ dir ]
소스                        gdm-session-wor
소스 경로                 /usr/libexec/gdm-session-worker
포트                        <알려지지 않음>
호스트                     (removed)
소스 RPM 패키지          gdm-2.28.1-25.fc12
대상 RPM 패키지          filesystem-2.4.30-2.fc12
정책 RPM                    selinux-policy-3.6.32-56.fc12
Selinux 활성화             True
정책 유형                 targeted
강제 모드                 Enforcing
플러그인명               catchall
호스트명                  (removed)
플랫폼                     Linux (removed)
                              2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
                              21:25:57 EST 2009 i686 athlon
통지 카운트              7
초기 화면                 2009년 12월 24일 (목) 오후 07시 24분 36초
마지막 화면              2009년 12월 25일 (금) 오전 03시 43분 37초
로컬 ID                     9e064302-b5de-40f8-a200-aa0113b7106c
줄 번호                    

원 감사 메세지          

node=(removed) type=AVC msg=audit(1261680217.935:24421): avc:  denied  { read write } for  pid=1488 comm="gdm-session-wor" name="root" dev=sda2 ino=2326529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1261680217.935:24421): arch=40000003 syscall=33 success=no exit=-13 a0=9aee2a8 a1=7 a2=6301a4 a3=9b58a78 items=0 ppid=1431 pid=1488 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,gdm-session-wor,xdm_t,admin_home_t,dir,read,write
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t admin_home_t:dir { read write };
Comment 1 Daniel Walsh 2009-12-27 13:02:46 UTC 

*** This bug has been marked as a duplicate of bug 543970 ***