Bug 699090

Description of problem:
SELinux is preventing /usr/bin/iceauth from read access on the file /home/error/.DCOPserver_localhost.localdomain__0 (deleted).

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/home/error/.DCOPserver_localhost.localdomain__0 (deleted) default label should be iceauth_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/error/.DCOPserver_localhost.localdomain__0 (deleted)

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that iceauth should be allowed read access on the .DCOPserver_localhost.localdomain__0 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iceauth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:iceauth_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/error/.DCOPserver_localhost.localdomain__0
                              (deleted) [ file ]
Source                        iceauth
Source Path                   /usr/bin/iceauth
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-server-utils-7.5-5.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 22 Apr 2011 07:01:50 PM EDT
Last Seen                     Fri 22 Apr 2011 07:01:50 PM EDT
Local ID                      0e19eab2-e8fc-4b07-b8ac-2eda4ab67636

Raw Audit Messages
type=AVC msg=audit(1303513310.195:1521): avc:  denied  { read } for  pid=4031 comm="iceauth" path=2F686F6D652F6572726F722F2E44434F507365727665725F756E64657267726F756E642E696F6572726F722E75735F5F30202864656C6574656429 dev=dm-3 ino=34866948 scontext=unconfined_u:unconfined_r:iceauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file


type=SYSCALL msg=audit(1303513310.195:1521): arch=x86_64 syscall=execve success=yes exit=0 a0=1a9c8d0 a1=1a9bb20 a2=1a9a6c0 a3=8 items=0 ppid=4030 pid=4031 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=iceauth exe=/usr/bin/iceauth subj=unconfined_u:unconfined_r:iceauth_t:s0-s0:c0.c1023 key=(null)

Hash: iceauth,iceauth_t,user_home_dir_t,file,read

audit2allow

#============= iceauth_t ==============
allow iceauth_t user_home_dir_t:file read;

audit2allow -R

#============= iceauth_t ==============
allow iceauth_t user_home_dir_t:file read;


Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-15.fc15
xorg-x11-server-utils-7.5-5.fc15


How reproducible:
Always


Steps to Reproduce:
1. Upgrade Fedora 14 KDE spin to Fedora 15 Beta.
2. Use KDM and KDE desktop by default.
3. Log in to KDE from the KDM login screen.
  
Actual results:
AVC denial as shown above


Expected results:
No AVC denial


Additional info:
For privacy reasons the actual hostname of the system has been replaced with localhost.localdomain in the details above. The referenced file does not actually exist in the filesystem.