From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040312

Description of problem:
When I try to make changes to my desktop I get selinux denied messages

Version-Release number of selected component (if applicable):
GConf2-2.6.0-3

How reproducible:
Sometimes

Steps to Reproduce:
1. select add to panel
2. select amusements
3. select fish

Actual Results:
Apr 12 06:09:59 dad kernel: audit(1081764599.661:0): avc: denied { search } for pid=1914 exe=/usr/libexec/gconfd-2 name=.gconfd dev=hdd1 ino=16663 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
Apr 12 06:09:59 dad kernel: audit(1081764599.661:0): avc: denied { append } for pid=1914 exe=/usr/libexec/gconfd-2 name=saved_state dev=hdd1 ino=17171 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
Apr 12 06:09:59 dad kernel: audit(1081764599.661:0): avc: denied { getattr } for pid=1914 exe=/usr/libexec/gconfd-2 path=/home/tmolina/.gconfd/saved_state dev=hdd1 ino=17171 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
Apr 12 06:09:59 dad kernel: audit(1081764599.754:0): avc: denied { getattr } for pid=5189 exe=/usr/libexec/fish-applet-2 path=/home/tmolina/.gnome dev=hdd1 ino=16746 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
Apr 12 06:09:59 dad kernel: audit(1081764599.757:0): avc: denied { setattr } for pid=5189 exe=/usr/libexec/fish-applet-2 name=.gnome2_private dev=hdd1 ino=16753 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir

Additional info:
The above is an example of messages I get in my log. It doesn't happen with every desktop change, but I see a regular series of gconfd-2 messages in the log.
Colin, you're looking into this, right ?
Thomas: It looks like your filesystem is mislabeled. Did you upgrade from a previous installation and keep your /home partition? Files in your home directory shouldn't be file_t. Can you try running:

/sbin/fixfiles relabel

Alternatively you could just fix your home directory by doing:

/usr/sbin/setfiles /etc/security/selinux/file_contexts /home
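The diagnosis above rests on reading the tcontext type out of each AVC denial: a target labelled file_t means the object was never labelled, which is a relabeling problem rather than a policy bug. The following is an added example, not part of the bug report or of any Fedora tool, that parses audit lines of the form quoted in the report and picks out the denials whose target carries the unlabeled type; the sample log lines are constructed after the ones in the report.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the AVC denials quoted in the report.
# The third line is a denial against a properly labelled file (user_home_t),
# which should NOT be reported as a labelling problem.
SAMPLE_LOG = """\
Apr 12 06:09:59 dad kernel: audit(1081764599.661:0): avc: denied { search } for pid=1914 exe=/usr/libexec/gconfd-2 name=.gconfd dev=hdd1 ino=16663 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
Apr 12 06:09:59 dad kernel: audit(1081764599.661:0): avc: denied { getattr } for pid=1914 exe=/usr/libexec/gconfd-2 path=/home/tmolina/.gconfd/saved_state dev=hdd1 ino=17171 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
Apr 12 06:10:03 dad kernel: audit(1081764603.100:0): avc: denied { write } for pid=5201 exe=/usr/bin/gedit name=notes.txt dev=hdd1 ino=18001 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_home_t tclass=file
Apr 12 06:10:05 dad kernel: something unrelated happened
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # A context is user:role:type, so the type is the third field.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def find_mislabeled(log_text, unlabeled_type="file_t"):
    """Denials whose target has the unlabeled type: fix with setfiles, not policy."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return [r for r in recs if r["ttype"] == unlabeled_type]


def summarize(log_text):
    """Count mislabeled targets per (exe, object, class) to show which trees need relabeling."""
    hits = find_mislabeled(log_text)
    return Counter((r["exe"], r.get("path") or r.get("name"), r["tclass"]) for r in hits)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```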
/home is a partition on a second IDE hard drive in this system. It has been mounted under several versions of RedHat and Fedora OSs. I have done the fixfiles relabel command more than once and the problem remains. I have only mounted it with Fedora Core 2 Test 2 since I started testing this revision.
Hmmm. Can you try running:

/usr/sbin/setfiles -v -n /etc/security/selinux/file_contexts /home/tmolina/.gnome

Does it give any messages about relabeling?
Does it matter what state the system is in when these actions are performed? I certainly relabeled /home when I installed test2/selinux. I've also done it several times since then. I am running selinux in permissive mode and Fedora is in run level 5. I log in as a regular user, open a gnome-terminal, and do a "su -" before performing these actions. id -Z confirms I am running in sysadm role. Last night I tried something different; I dropped down into single user mode. This time the relabel appears to have succeeded. I am not getting the same avc messages I was before. I am going to continue monitoring the situation.
You should try to avoid using the filesystem you're relabeling, if possible. So in this case I would have switched back to a virtual console (Ctrl-Alt-F1), logged in as root/sysadm_r, and done the relabel from there. That way the files on your /home for your regular user account wouldn't be in use. I don't think it was necessary to go all the way down to single user mode. I'm going to reassign this bug to policy (since it's not really directly related to GConf), and mark it NEEDINFO. If you could follow up in a few days and let us know whether your system works still, that'd be good.
You are probably right, but it wouldn't be almost impossible to do a full relabel without using at least one of the filesystems being relabeled. Going all the way down to single user may not have been necessary, but I wanted to be sure. Doing so, I believe, eliminated most of my issues making it easier to deal with the ones remaining. Thanks for your effort. I will report back in a few days.
The reported messages have not reappeared after following the given advice. Files in my home directory have the correct labels and all is good with the world. This report can probably be marked closed.
Cool, thanks for following up.