Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
Bug 252365 - xdm related denials
xdm related denials
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2007-08-15 13:16 EDT by Orion Poplawski
Modified: 2008-04-06 06:55 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-06 06:55:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2007-08-15 13:16:50 EDT
Description of problem:

Aug 15 10:46:39 lynx kernel: audit(1187196399.963:20): avc:  denied  { search }
for  pid=2867 comm="X" name="xauth" dev=sda6 ino=71455
tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir
Aug 15 10:46:40 lynx kernel: audit(1187196400.012:21): avc:  denied  { ptrace }
for  pid=2907 comm="pidof" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process

Version-Release number of selected component (if applicable):
Comment 1 Orion Poplawski 2007-08-15 13:29:38 EDT
restorecon -r -v /var yields:

restorecon reset /var/run/xauth context
restorecon reset /var/run/xauth/A:0-K73P5Q context

That seems to fix the xauth errors, but not the pidof errors.  Not sure why the
context isn't set properly during install or initial boot.
Comment 2 Daniel Walsh 2007-08-20 16:49:03 EDT
Fixed in selinux-policy-3.0.5-9
Comment 3 Daniel Walsh 2007-09-12 13:00:42 EDT
ALready fixed in rawhide
Comment 4 Orion Poplawski 2008-04-05 23:55:48 EDT
Seeing 5 of these on boot in current rawhide:

type=1400 audit(1207452763.258:9): avc:  denied  { ptrace } for  pid=3219
comm="pidof" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=process

Comment 5 Daniel Walsh 2008-04-06 06:55:15 EDT
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9

Note You need to log in before you can comment on or make changes to this bug.