| Summary: | SELinux is preventing /usr/libexec/gdm-session-worker from read, append access on the file .../.xsession-errors | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Beranek <john> |
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | rstrode, skr, yann |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-07 18:28:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Also:
SELinux is preventing /usr/libexec/gdm-session-worker from getattr access on the file /home2/guest/.xsession-errors.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow gdm-session-worker to have getattr access on the .xsession-errors file
Then you need to change the label on /home2/guest/.xsession-errors
Do
# semanage fcontext -a -t FILE_TYPE '/home2/guest/.xsession-errors'
where FILE_TYPE is one of the following: selinux_config_t, bin_t, cert_t, lib_t, usr_t, var_t, wtmp_t, xserver_exec_t, default_context_t, pam_console_exec_t, sosreport_tmp_t, hwdata_t, locale_t, sssd_public_t, var_auth_t, rpm_tmp_t, etc_t, fonts_t, dbusd_exec_t, user_fonts_t, user_tmpfs_t, proc_t, logfile, sysfs_t, xdm_t, ld_so_cache_t, loadkeys_exec_t, krb5_keytab_t, xdm_dbusd_t, xdm_spool_t, fonts_cache_t, system_cronjob_var_lib_t, ssh_agent_exec_t, plymouthd_var_log_t, policykit_var_lib_t, crack_db_t, user_tmp_t, ssh_home_t, xserver_tmpfs_t, krb5_conf_t, iceauth_home_t, plymouth_exec_t, xauth_exec_t, xauth_home_t, auth_cache_t, alsa_etc_rw_t, xdm_tmpfs_t, user_cron_spool_t, sysctl_dev_t, sysctl_net_t, rpm_exec_t, admin_home_t, security_t, pulseaudio_exec_t, mount_exec_t, gconf_etc_t, shell_exec_t, consolekit_log_t, pam_exec_t, krb5_home_t, proc_afs_t, oddjob_mkhomedir_exec_t, xserver_log_t, dbusd_etc_t, abrt_var_run_t, var_lib_t, user_home_t, updpwd_exec_t, xdm_tmp_t, userdomain, xserver_t, fusermount_exec_t, configfile, domain, rpm_var_cache_t, faillog_t, logfile, lastlog_t, sysctl_crypto_t, proc_net_t, var_log_t, chkpwd_exec_t, policykit_reload_t, xdm_etc_t, xdm_log_t, gnome_home_type, user_tmp_t, hostname_exec_t, samba_var_t, initrc_var_run_t, gkeyringd_exec_t, pam_var_run_t, rpm_var_lib_t, xdm_var_lib_t, xdm_var_run_t, net_conf_t, abrt_t, init_exec_t, lib_t, etc_runtime_t, anon_inodefs_t, gconf_home_t, openct_var_run_t, sysctl_kernel_t, config_usr_t, abrt_helper_exec_t, pcscd_var_run_t, udev_var_run_t, alsa_exec_t, xkb_var_lib_t, shutdown_exec_t, consoletype_exec_t, user_home_t, xdm_rw_etc_t, ld_so_t, accountsd_var_lib_t, xdm_exec_t, xdm_home_t, xdm_lock_t, pam_var_console_t, textrel_shlib_t, system_dbusd_var_lib_t, policykit_auth_exec_t, cgroup_t, rpm_script_tmp_t, krb5_host_rcache_t, cert_t, init_t, security_t, systemd_systemctl_exec_t, net_conf_t, file_context_t, xsession_exec_t, shell_exec_t.
Then execute:
restorecon -v '/home2/guest/.xsession-errors'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that gdm-session-worker should be allowed getattr access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:default_t:s0
Target Objects /home2/guest/.xsession-errors [ file ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host localhost.localdomain
Source RPM Packages gdm-3.0.4-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-32.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
UTC 2011 x86_64 x86_64
Alert Count 3
First Seen Mon 27 Jun 2011 10:53:38 AM BST
Last Seen Tue 12 Jul 2011 04:44:25 PM BST
Local ID 74d62c51-e576-4308-b086-0a1bcde4ee9d
Raw Audit Messages
type=AVC msg=audit(1310485465.461:138): avc: denied { getattr } for pid=20601 comm="gdm-session-wor" path="/home2/guest/.xsession-errors" dev=dm-1 ino=262153 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1310485465.461:138): arch=x86_64 syscall=fstat success=yes exit=0 a0=c a1=7fff8e9efa10 a2=7fff8e9efa10 a3=1 items=0 ppid=20581 pid=20601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash: gdm-session-wor,xdm_t,default_t,file,getattr
audit2allow
#============= xdm_t ==============
allow xdm_t default_t:file getattr;
audit2allow -R
#============= xdm_t ==============
allow xdm_t default_t:file getattr;
and:
SELinux is preventing /usr/libexec/gdm-session-worker from write access on the file /home2/guest/.xsession-errors.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow gdm-session-worker to have write access on the .xsession-errors file
Then you need to change the label on /home2/guest/.xsession-errors
Do
# semanage fcontext -a -t FILE_TYPE '/home2/guest/.xsession-errors'
where FILE_TYPE is one of the following: wtmp_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, sysfs_t, xdm_t, xdm_spool_t, fonts_cache_t, user_tmp_t, xserver_tmpfs_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, user_cron_spool_t, security_t, proc_afs_t, xserver_log_t, xdm_tmp_t, faillog_t, lastlog_t, xdm_log_t, gnome_home_type, initrc_var_run_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, etc_runtime_t, anon_inodefs_t, gconf_home_t, afs_cache_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, krb5_host_rcache_t, security_t.
Then execute:
restorecon -v '/home2/guest/.xsession-errors'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that gdm-session-worker should be allowed write access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:default_t:s0
Target Objects /home2/guest/.xsession-errors [ file ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host localhost.localdomain
Source RPM Packages gdm-3.0.4-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-32.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
UTC 2011 x86_64 x86_64
Alert Count 3
First Seen Mon 27 Jun 2011 10:53:38 AM BST
Last Seen Tue 12 Jul 2011 04:44:25 PM BST
Local ID c81ac2cc-4b0a-42e0-9cfe-71fa7ce62a01
Raw Audit Messages
type=AVC msg=audit(1310485465.461:139): avc: denied { write } for pid=20601 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=262153 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1310485465.461:139): arch=x86_64 syscall=ftruncate success=yes exit=0 a0=c a1=0 a2=7fff8e9efa10 a3=1 items=0 ppid=20581 pid=20601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash: gdm-session-wor,xdm_t,default_t,file,write
audit2allow
#============= xdm_t ==============
allow xdm_t default_t:file write;
audit2allow -R
#============= xdm_t ==============
allow xdm_t default_t:file write;
and:
SELinux is preventing /usr/libexec/gdm-session-worker from setattr access on the file /home2/guest/.xsession-errors.
***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow gdm-session-worker to have setattr access on the .xsession-errors file
Then you need to change the label on /home2/guest/.xsession-errors
Do
# semanage fcontext -a -t FILE_TYPE '/home2/guest/.xsession-errors'
where FILE_TYPE is one of the following: locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_tmp_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, xdm_tmp_t, faillog_t, lastlog_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, etc_runtime_t, gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, krb5_host_rcache_t.
Then execute:
restorecon -v '/home2/guest/.xsession-errors'
***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that gdm-session-worker should be allowed setattr access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:default_t:s0
Target Objects /home2/guest/.xsession-errors [ file ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host localhost.localdomain
Source RPM Packages gdm-3.0.4-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-32.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
UTC 2011 x86_64 x86_64
Alert Count 3
First Seen Mon 27 Jun 2011 10:53:38 AM BST
Last Seen Tue 12 Jul 2011 04:44:25 PM BST
Local ID ed8a29c5-3e86-474a-9837-a41eb318f866
Raw Audit Messages
type=AVC msg=audit(1310485465.461:140): avc: denied { setattr } for pid=20601 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=262153 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1310485465.461:140): arch=x86_64 syscall=fchmod success=yes exit=0 a0=c a1=180 a2=7fff8e9efa10 a3=1 items=0 ppid=20581 pid=20601 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash: gdm-session-wor,xdm_t,default_t,file,setattr
audit2allow
#============= xdm_t ==============
allow xdm_t default_t:file setattr;
audit2allow -R
#============= xdm_t ==============
allow xdm_t default_t:file setattr;
See also bug 667247 Any updates on this? I'm seeing the aleart now after every login. However, I'm rather sure it wasn't there in F17 Beta and showed up only recently. (On the other hand, I'm not 100% sure I had the sealert panel plugin running from the beginning, so maybe I just missed the error.) I'm on F17 final now with latest updates. This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping |
Description of problem: SELinux is preventing /usr/libexec/gdm-session-worker from read, append access on the file /home2/gue st/.xsession-errors. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow gdm-session-worker to have read append access on the .xsess ion-errors file Then you need to change the label on /home2/guest/.xsession-errors Do # semanage fcontext -a -t FILE_TYPE '/home2/guest/.xsession-errors' where FILE_TYPE is one of the following: wtmp_t, locale_t, var_auth_t, user_font s_t, user_tmpfs_t, sysfs_t, xdm_t, xdm_spool_t, fonts_cache_t, user_tmp_t, xserv er_tmpfs_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, user_cron_spool_t, security _t, proc_afs_t, xserver_log_t, xdm_tmp_t, faillog_t, lastlog_t, xdm_log_t, gnome _home_type, initrc_var_run_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, etc_r untime_t, anon_inodefs_t, gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_e tc_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, krb5_host_rcache_t, s ecurity_t. Then execute: restorecon -v '/home2/guest/.xsession-errors' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that gdm-session-worker should be allowed read append access on the .xsession-errors file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects /home2/guest/.xsession-errors [ file ] Source gdm-session-wor Source Path /usr/libexec/gdm-session-worker Port <Unknown> Host (removed) Source RPM Packages gdm-3.0.4-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-30.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Tue 12 Jul 2011 03:55:44 PM BST Last Seen Tue 12 Jul 2011 03:55:44 PM BST Local ID ca7317ac-c3eb-4162-8be9-edb3fcf4e18c Raw Audit Messages type=AVC msg=audit(1310482544.771:51): avc: denied { read append } for pid=1227 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=262153 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file type=SYSCALL msg=audit(1310482544.771:51): arch=x86_64 syscall=open success=yes exit=ENOMEM a0=71a830 a1=442 a2=180 a3=1 items=0 ppid=1205 pid=1227 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: gdm-session-wor,xdm_t,default_t,file,read,append audit2allow #============= xdm_t ============== allow xdm_t default_t:file { read open append }; audit2allow -R #============= xdm_t ============== allow xdm_t default_t:file { read open append }; Version-Release number of selected component (if applicable): gdm-3.0.4-1.fc15.x86_64 How reproducible: Always Steps to Reproduce: 1. Start GNOME 3 desktop Actual results: Get SELinux alert Expected results: Get no SELinux alert Additional info: