Bug 707010

Summary: SELinux is preventing /usr/libexec/gdm-session-worker from read, append access on the plik /home/marek/.xsession-errors.
Product: [Fedora] Fedora
Reporter: Marek Michał Mazur <marek90>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, jjcf89, mgrepl
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:722903ee8e40bc15351b91cfafb1534f551985431ce0fe19290052663e5116d0
Doc Type: Bug Fix
Last Closed: 2011-05-23 19:47:29 UTC

Description Marek Michał Mazur 2011-05-23 18:13:00 UTC
SELinux is preventing /usr/libexec/gdm-session-worker from read, append access on the plik /home/marek/.xsession-errors.

*****  Plugin file (36.8 confidence) suggests  *******************************

If jest to spowodowane przez błędnie nadane etykiety w komputerze.
Then należy przeprowadzić pełne ponowne nadanie etykiet.
Do
touch /.autorelabel; reboot

*****  Plugin file (36.8 confidence) suggests  *******************************

If jest to spowodowane przez błędnie nadane etykiety w komputerze.
Then należy przeprowadzić pełne ponowne nadanie etykiet.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (23.2 confidence) suggests  ********************

If należy zezwolić gdm-session-worker na dostęp read append w .xsession-errors file
Then należy zmienić etykietę /home/marek/.xsession-errors
Do
# semanage fcontext -a -t TYP_PLIKU '/home/marek/.xsession-errors',
gdzie TYP_PLIKU jest jednym z poniższych: user_tmp_t, xserver_tmpfs_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, security_t, proc_afs_t, xserver_log_t, xdm_tmp_t, faillog_t, lastlog_t, xdm_log_t, gnome_home_type, initrc_var_run_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, etc_runtime_t, anon_inodefs_t, gconf_home_t, pcscd_var_run_t, user_cron_spool_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, wtmp_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, sysfs_t, xdm_t, xdm_spool_t, fonts_cache_t, security_t, krb5_host_rcache_t. 
Następnie należy wykonać polecenie: 
restorecon -v '/home/marek/.xsession-errors'


*****  Plugin catchall (5.04 confidence) suggests  ***************************

If aby gdm-session-worker powinno mieć domyślnie read append dostęp do .xsession-errors file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                /home/marek/.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           gdm-3.0.0-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP
                              Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   6
First Seen                    nie, 22 maj 2011, 23:16:11
Last Seen                     pon, 23 maj 2011, 20:09:14
Local ID                      c99d5c65-63d4-4eac-911e-603cf89dda11

Raw Audit Messages
type=AVC msg=audit(1306174154.768:63): avc:  denied  { read append } for  pid=1829 comm="gdm-session-wor" name=".xsession-errors" dev=sda7 ino=10354698 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file


type=SYSCALL msg=audit(1306174154.768:63): arch=x86_64 syscall=open success=no exit=EACCES a0=105ba70 a1=442 a2=180 a3=72652d6e items=0 ppid=1781 pid=1829 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdm-session-wor,xdm_t,file_t,file,read,append

audit2allow

#============= xdm_t ==============
allow xdm_t file_t:file { read append };

audit2allow -R

#============= xdm_t ==============
allow xdm_t file_t:file { read append };

Comment 1 Dominick Grift 2011-05-23 18:24:49 UTC
Looks like you have mounted a partition on your home directory that has never been labelled yet. Are you migrating from a distribution that does not support SELinux?

Have you tried the instructions given in the report?
Please try the following.

touch /.autorelabel; reboot

Comment 2 Marek Michał Mazur 2011-05-23 18:31:50 UTC
I have /home as a separate partition (once in a blue moon I'm changing distr.). The partition was labelled during the installation process, migration way:
1. Ubu 11.4
2. F 15a (no problem)
3. OpenSUSE
4. F 15b

I'll try labeling it again.

Comment 3 Dominick Grift 2011-05-23 18:41:55 UTC
It might somehow not actually have been mounted at that point. See if this fixes it. If it does not we can try something else.

Comment 4 Daniel Walsh 2011-05-23 19:47:10 UTC
Marek, the problem is probably caused by you booting with your homedir mounted on a non-SELinux box, which creates the .xsession-errors with the wrong label (no label). The next time you boot on an SELinux machine it will complain. I guess you could just add a restorecon -R -v /home when you boot on an SELinux box.
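
Added example (not part of the bug report, and not setroubleshoot or audit2allow code): a small triage that parses the raw AVC record quoted in the description and separates denials against an unlabeled target (file_t here), where the comments' answer is to relabel, from denials against a labeled target. The function names, the inclusion of unlabeled_t and the second sample record are assumptions made for this example.

```python
import re
import shlex

# file_t is the unlabeled type in this report's policy; unlabeled_t is added
# here as an assumption for policies that use that name instead.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

# Raw AVC record copied from the report above.
REPORT_AVC = ('type=AVC msg=audit(1306174154.768:63): avc:  denied  { read append } for  '
              'pid=1829 comm="gdm-session-wor" name=".xsession-errors" dev=sda7 ino=10354698 '
              'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
              'tcontext=system_u:object_r:file_t:s0 tclass=file')
# Constructed record (not from the report), only to exercise the labeled-target branch.
CONSTRUCTED_AVC = REPORT_AVC.replace("object_r:file_t:s0", "object_r:user_home_t:s0")

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in shlex.split(m.group("fields")):   # shlex strips the quotes
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    for side in ("scontext", "tcontext"):
        # user:role:type[:level]; only the level part may contain more colons
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def triage(line):
    """Return (verdict, advice): 'relabel' for unlabeled targets, else 'review'."""
    rec = parse_avc(line)
    if rec is None:
        return None
    if rec["tcontext_type"] in UNLABELED_TYPES:
        return ("relabel", "%s %r on %s (inode %s) has no label; relabel its filesystem "
                "with restorecon -R -v instead of allowing %s access to %s"
                % (rec.get("tclass"), rec.get("name"), rec.get("dev"), rec.get("ino"),
                   rec["scontext_type"], rec["tcontext_type"]))
    return ("review", "%s -> %s is a labeled-target denial; check policy or file context"
            % (rec["scontext_type"], rec["tcontext_type"]))

if __name__ == "__main__":
    for sample in (REPORT_AVC, CONSTRUCTED_AVC):
        print(triage(sample))
```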