If the session is _not_ Gnome, kdm's /usr/share/config/kdm/Xsession redirects the stdout and stderr to $HOME/.xsession-errors, which has the default type user_home_t (or staff_home_t). The current policy (1.9-15) would not allow such a file to be written by certain programs. In particular,

- ssh-agent is unable to write to it, which causes it to start using up all the CPU time
- utempter is unable to write to it, so it fails to list the user's session in utmp.

I believe that the best solution would be to change /usr/share/config/kdm/Xsession to use a file in /tmp, not $HOME/.xsession-errors. Alternatively, the policy could be changed to mark the $HOME/.xsession-errors specially. Finally, a possible solution would be to grant utempter and ssh-agent write/append permissions to arbitrary user files, but I am not sure this is a good idea.
I am changing policy for xdm to dontaudit on writes to the $1_home_t, which should cause the xsession-errors file to be created on /tmp. Dan
Will the xauth stuff still work? Just making sure.
Well that actually looks like a bug also. Seems xdm is not transitioning to xauth_t, to allow it to write to the home dir. So I am trying to fix that also. If the transition happens properly xauth_t can write to the home dir and xdm will fail forcing it to write to /tmp dir. I believe that is the way it should work. Dan
What about utempter? I am getting

audit(1080711300.469:0): avc: denied { getattr } for pid=27008 exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2 ino=343507 scontext=aleksey:staff_r:utempter_t tcontext=aleksey:object_r:staff_tmp_t tclass=file

and I was getting similar write denied messages until I added an allow for them.
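Added example, not part of the original bug thread: a small Python parser for AVC messages in the format quoted in the comment above, which extracts the source type, target type, class and permissions and renders the type-enforcement rule the denial corresponds to. The function names `parse_avc` and `requested_rule` are hypothetical; the sample line is the one from the comment.

```python
import re
from datetime import datetime, timezone

# The denial reported in the comment above, as one log line.
SAMPLE = (
    "audit(1080711300.469:0): avc: denied { getattr } for pid=27008 "
    "exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2 "
    "ino=343507 scontext=aleksey:staff_r:utempter_t "
    "tcontext=aleksey:object_r:staff_tmp_t tclass=file"
)

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:\d+\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)


def parse_avc(line):
    """Return the fields of one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "result": m["result"],
        "perms": m["perms"].split(),
        "time": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
    }
    # Everything after "for" is a run of space-separated key=value pairs.
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    if not rec.keys() >= {"scontext", "tcontext", "tclass"}:
        return None  # truncated record: not enough to name a rule
    # Contexts are user:role:type[:level]; the type is the third field.
    for side in ("scontext", "tcontext"):
        parts = rec[side].split(":")
        if len(parts) < 3:
            return None
        rec[side + "_type"] = parts[2]
    return rec


def requested_rule(rec):
    """Render the type-enforcement rule the denied access corresponds to."""
    perms = " ".join(sorted(rec["perms"]))
    if len(rec["perms"]) != 1:
        perms = "{ " + perms + " }"
    return "allow {} {}:{} {};".format(
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perms)
```

The rendered rule shows exactly which domain is asking for which access to which type, which is what a policy reviewer needs in order to decide between an allow, a dontaudit, or relabelling the file.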
kdebase just uses the Xsession file in xinitrc. Assigning it to the correct component.
*** Bug 119506 has been marked as a duplicate of this bug. ***
It would be nice if this could go in the release notes (the fact that your .xsession-errors is now in /tmp).
Please try Fedora Core 3 test 2 or later, as this problem may be fixed now. If the problem persists, please update the status. Thanks in advance.