Description of problem: Maybe these are not real denials but potential denials (because I am presently running 'setenforce 0'). Below are excerpts of the SELinux-related entries in my message log file; setroubleshoot also shows them for me.

This one is due to the nvidia driver; if I don't load the nvidia module, I don't see it (I get a lot of similar messages):

Nov 24 00:48:16 agape setroubleshoot: SELinux is preventing /usr/bin/Xorg (xdm_t) "execmem" access to <Unknown> (xdm_t). For complete SELinux messages. run sealert -l 1a5ff924-0848-410a-a0e4-dc3c3d7970d5
Nov 24 00:48:16 agape setroubleshoot: SELinux is preventing /usr/bin/Xorg (xdm_t) "execstack" access to <Unknown> (xdm_t). For complete SELinux messages. run sealert -l ebe67bef-f0e6-4dc5-b48e-700bce366ffd

This one happens when I put in a music CD:

Nov 24 00:52:48 agape setroubleshoot: SELinux is preventing /usr/bin/gnome-cd from changing a writable memory segment executable. For complete SELinux messages. run sealert -l b30859cf-3156-4371-998c-68f144f82f9a

These were written while doing a yum update:

Nov 24 00:54:55 agape setroubleshoot: SELinux is preventing /usr/sbin/groupadd (groupadd_t) "sys_tty_config" to <Unknown> (groupadd_t). For complete SELinux messages. run sealert -l 1bf6ed8a-1578-48fe-9ae7-8efb64b736c4
Nov 24 00:54:55 agape setroubleshoot: SELinux is preventing /usr/sbin/useradd (useradd_t) "sys_tty_config" to <Unknown> (useradd_t). For complete SELinux messages. run sealert -l 019ea4e3-fd4b-499a-b61b-5e701de930dc

Also this:

Nov 24 00:57:16 agape setroubleshoot: SELinux is preventing /usr/bin/mplayer from changing a writable memory segment executable. For complete SELinux messages. run sealert -l b30859cf-3156-4371-998c-68f144f82f9a

and these from the audit log:

type=AVC msg=audit(1164348519.756:63): avc: denied { execstack } for pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1164348519.756:63): avc: denied { execmem } for pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process

Setroubleshoot also reports:

avc: denied { sys_tty_config } for comm="genhomedircon" egid=0 euid=0 exe="/usr/bin/python" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=7664 scontext=system_u:system_r:semanage_t:s0 sgid=0 subj=system_u:system_r:semanage_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:semanage_t:s0 tty=(none) uid=0
avc: denied { sys_tty_config } for comm="restorecon" egid=0 euid=0 exe="/sbin/restorecon" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3179 scontext=system_u:system_r:restorecon_t:s0 sgid=0 subj=system_u:system_r:restorecon_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:restorecon_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable): selinux-policy-targeted-2.4.5-3.fc7
Please report these as separate bugzillas or at least include the audit.log.

> Nov 24 00:52:48 agape setroubleshoot: SELinux is preventing /usr/bin/gnome-cd from changing a writable memory segment executable. For complete SELinux messages. run sealert -l b30859cf-3156-4371-998c-68f144f82f9a

This should be reported as a bugzilla against gnome-cd.

> and these from the audit log:
> type=AVC msg=audit(1164348519.756:63): avc: denied { execstack } for pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=AVC msg=audit(1164348519.756:63): avc: denied { execmem } for pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process

Should be reported against gnome-applets.

The others I will fix in selinux-policy-2.4.5-4.
I got this too, for compiz:

avc: denied { execstack } for comm="compiz" egid=500 euid=500 exe="/usr/bin/compiz" exit=0 fsgid=500 fsuid=500 gid=500 items=0 pid=2784 scontext=user_u:system_r:unconfined_t:s0 sgid=500 subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500

Should it be filed against compiz, or will you take care of it?
File a bug against compiz.
BTW you can chcon -t unconfined_execmem_t compiz if you want it to work without setting the allow_execstack boolean. Otherwise you can turn on the allow_execstack boolean:

setsebool allow_execstack=1
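To triage a batch of records like the ones pasted in this bug, here is an added Python example (not code from the thread or from selinux-policy) that parses raw "avc: denied" lines and applies the maintainer's rule of thumb from the comments above as a heuristic: execmem/execstack on tclass=process points at the program (report it against the application, relabel it unconfined_execmem_t, or set allow_execstack), anything else is a gap to raise against the policy. The sample lines are shortened copies of records quoted in this bug.

```python
import re
from typing import Dict, List

# Constructed sample input: shortened copies of the AVC records quoted in this bug.
SAMPLE_AVCS = """\
avc: denied { execstack } for pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
avc: denied { execmem } for pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
avc: denied { sys_tty_config } for comm="restorecon" exe="/sbin/restorecon" pid=3179 scontext=system_u:system_r:restorecon_t:s0 tclass=capability tcontext=system_u:system_r:restorecon_t:s0
avc: denied { read } for comm="ifconfig" dev=pipefs exe="/sbin/ifconfig" path="pipe:[15024]" pid=3102 scontext=system_u:system_r:ifconfig_t:s0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, object]:
    """Turn one 'avc: denied { ... } for k=v ...' record into a dict;
    non-AVC lines (e.g. setroubleshoot summaries) give an empty dict."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    fields: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    # The SELinux type is the third colon-separated field of a context.
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            fields[ctx + "_type"] = str(fields[ctx]).split(":")[2]
    return fields


def triage(avc: Dict[str, object]) -> str:
    """Heuristic taken from the maintainer's replies in this thread (an assumption,
    not official guidance): execmem/execstack on tclass=process means the program
    wants writable+executable memory, so file it against the program (or relabel it
    unconfined_execmem_t / set allow_execstack); anything else is a policy gap."""
    perms = avc["perms"]
    if avc.get("tclass") == "process" and perms & {"execmem", "execstack"}:
        return "application"
    return "policy"


def summarize(text: str) -> List[Dict[str, str]]:
    """Parse every AVC record in text and give comm, source type, class, perms and verdict."""
    rows = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            rows.append({"comm": str(avc.get("comm", "?")), "stype": str(avc.get("scontext_type", "?")),
                         "tclass": str(avc.get("tclass", "?")), "perms": " ".join(sorted(avc["perms"])),
                         "verdict": triage(avc)})
    return rows
```

Running summarize(SAMPLE_AVCS) yields one row per record; feeding it the output of `ausearch -m avc` or a copied /var/log/audit/audit.log works the same way, since only the "avc: denied" portion of each line is parsed.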
Since you've not closed this (and setroubleshoot doesn't offer me a work-around), here is another AVC denial:

avc: denied { read } for comm="ifconfig" dev=pipefs egid=0 euid=0 exe="/sbin/ifconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[14565]" path="pipe:[15024]" pid=3102 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.4.6-2
I hope you don't mind me adding more stuff to this bug ;). This one I just got while updating:

avc: denied { ioctl } for comm="genhomedircon" dev=pipefs egid=0 euid=0 exe="/usr/bin/python" exit=-22 fsgid=0 fsuid=0 gid=0 items=0 name="[9971]" path="pipe:[9971]" pid=4071 scontext=system_u:system_r:semanage_t:s0 sgid=0 subj=system_u:system_r:semanage_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tty=(none) uid=0
I guess these are now all fixed one way or another.