| Summary: | Selinux is preventing xdm from writing to xdm.log | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peter Lemenkov <lemenkov> |
| Component: | xorg-x11-xdm | Assignee: | X/OpenGL Maintenance List <xgl-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dwalsh, pertusus, xgl-maint |
| Last Closed: | 2011-04-11 17:52:44 UTC | Type: | --- |

restorecon -R -v /var/log/xdm.log is a much better solution. Wherever that is located.

Unfortunately it doesn't work. Here is what I've got after reboot:

```
[root@work ~]# dmesg | grep xdm
[ 29.942053] type=1400 audit(1302292067.301:6): avc: denied { write } for pid=1025 comm="xdm" name="xdm.log" dev=sda3 ino=146296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
[root@work ~]#
```

Perhaps it has something to do with the latest relocation of runtime files into /run.

Where is the xdm.log file located?

Is there something in the startup that is creating it other than xdm? An init script or a xinit script?

(In reply to comment #3)
> Where is the xdm.log file located?

/var/log/xdm.log

```
work ~: cat /etc/mtab | grep /var
/dev/sda3 /var ext3 rw,seclabel,noatime,nodiratime,errors=continue,user_xattr,acl,barrier=0,data=ordered 0 0
tmpfs /var/run tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
tmpfs /var/lock tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
work ~:
```

(In reply to comment #4)
> Is there something in the startup that is creating it other than xdm?
>
> An init script or a xinit script?

Nope. I didn't even log in (from physical console) yet

```
work ~: ps axf
...
 1025 ?        Ss     0:00 /usr/bin/xdm -nodaemon
 1061 tty7     Ss+    0:00  \_ /usr/bin/X :0 -auth /var/lib/xdm/authdir/authfiles/A:0-KfnmzN
 1065 ?        Ss     0:00  \_ -:0
...
work ~:
```

No other X-clients were started - just xdm.

ps -axfZ should show xdm running as xdm_t. There are rules in policy that say xdm_t creating a file in a directory labeled var_log_t will create it labeled xdm_log_t. But you already have a file labeled var_log_t, which means something else created the log file before xdm started. Is there some mention of xdm.log in the scripts that start xdm?

(In reply to comment #6)
> ps -axfZ should show xdm running as xdm_t. There are rules in policy that say
> xdm_t creating a file in a directory labeled var_log_t will create it labeled
> xdm_log_t. But you already have a file labeled var_log_t, which means
> something else created the log file before xdm started. Is there some mention
> of xdm.log in the scripts that start xdm?

Daniel, I'm really sorry for the noise - I just found that this is completely my mistake. I'm sure this ticket must be closed now

```
type=1400 audit(1302255128.965:6): avc: denied { write } for pid=1051 comm="xdm" name="xdm.log" dev=sda3 ino=146296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
```

============

Here is a custom selinux policy:

```
[root@work ~]# cat xdm.te
module xdm 1.0;

require {
	type var_log_t;
	type xdm_t;
	class file write;
}

#============= xdm_t ==============
allow xdm_t var_log_t:file write;
[root@work ~]#
```
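
The triage reasoning from this thread, as an added example (not part of the bug report or of any SELinux tool): it parses the AVC denial quoted above and checks whether the target still carries the parent directory's type where a transition to a dedicated type is expected. The `TRANSITIONS` table and the function names are assumptions; its single rule is written by hand from the comment's description, not dumped from a real policy.

```python
import re

# AVC denial copied from the dmesg output earlier in this report.
PAGE_AVC = (
    '[ 29.942053] type=1400 audit(1302292067.301:6): avc: denied { write } '
    'for pid=1025 comm="xdm" name="xdm.log" dev=sda3 ino=146296 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file'
)

# Assumption: one transition, written by hand from the thread's description
# (xdm_t creating a file in a var_log_t directory yields xdm_log_t).
# Key: (source domain, parent directory type, object class).
TRANSITIONS = {("xdm_t", "var_log_t", "file"): "xdm_log_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    try:
        # Contexts are user:role:type[:level]; only the level holds more colons.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        rec["tclass"]  # required for the transition lookup
    except (KeyError, IndexError):
        return None  # incomplete or malformed record
    return rec


def triage(rec, transitions=TRANSITIONS):
    """Return (verdict, expected_type) for a parsed denial."""
    expected = transitions.get((rec["stype"], rec["ttype"], rec["tclass"]))
    if expected:
        # The object still carries the directory's type, so the source domain
        # did not create it. Relabel it and find what created it first,
        # rather than allowing the domain to write the generic type.
        return ("mislabeled", expected)
    return ("review-policy", None)


if __name__ == "__main__":
    rec = parse_avc(PAGE_AVC)
    print(rec["comm"], rec["perms"], rec["ttype"], "->", triage(rec))
```

A `mislabeled` verdict points at the checks discussed in the thread: relabel with `restorecon` and look for whatever creates the file before xdm starts.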