Description of problem:

Aug 15 10:46:40 lynx kernel: audit(1187196400.066:26): avc: denied { create } for pid=2902 comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

and then lots of (goes through lots of .desktop files), probably leaked fd:

Aug 15 10:46:40 lynx kernel: audit(1187196400.085:27): avc: denied { write } for pid=2902 comm="kdm_greet" name="kde.desktop" dev=sda3 ino=342945 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
Aug 15 10:46:40 lynx kernel: audit(1187196400.171:29): avc: denied { write } for pid=2902 comm="kdm_greet" name="9wm.desktop" dev=sda3 ino=992296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
....

Version-Release number of selected component (if applicable):
selinux-policy-3.0.5-7.fc8
Based on the date this bug was created, it appears to have been reported during the development of Fedora 8. In order to refocus our efforts as a project we are changing the version of this bug to '8'. If this bug still exists in rawhide, please change the version back to rawhide. (If you're unable to change the bug's version, add a comment to the bug and someone will change it for you.) Thanks for your help and we apologize for the interruption. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
A few are still present in rawhide:

type=1400 audit(1207452761.829:5): avc: denied { write } for pid=3208 comm="kdm_greet" name="fontconfig" dev=sda5 ino=47912 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=1400 audit(1207452762.706:6): avc: denied { write } for pid=3208 comm="kdm_greet" name="KdmGreeterTheme.desktop" dev=sda3 ino=136490 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1207452763.089:7): avc: denied { write } for pid=3208 comm="kdm_greet" name="entry.desktop" dev=sda3 ino=185161 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452763.130:8): avc: denied { write } for pid=3208 comm="kdm_greet" name="entry.desktop" dev=sda3 ino=15769 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452775.047:87): avc: denied { create } for pid=3208 comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

Also get this at login:

type=1400 audit(1207452775.071:88): avc: denied { write } for pid=3234 comm="lnusertemp" name="root" dev=sda3 ino=106497 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
/var/lib/kdm should be part of the kdm package and would therefore be labeled correctly and not need to be created. I will dontaudit the lnusertemp writing to the /root directory, although this seems strange. I will allow it to manage fonts; allowing it to write to usr_t is a bit more problematic. The problem I have with a lot of this is that giving a program that is run with no authentication power to manipulate the machine seems very dangerous.
Already triaged, removing cleanup tag.
Still (back) in rawhide:

Sep 30 09:59:20 test kernel: type=1400 audit(1222790360.632:6): avc: denied { write } for pid=2661 comm="kdm_greet" name="fontconfig" dev=dm-1 ino=40991 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
Sep 30 10:00:06 test kernel: type=1400 audit(1222790406.262:8): avc: denied { write } for pid=3056 comm="lnusertemp" name="root" dev=dm-0 ino=335873 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Fixed in selinux-policy-3.5.9-3.fc10.

Added dontaudits.
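
Added example (not part of the bug report or of selinux-policy): a small parser that groups AVC denials like the ones quoted in this thread by source type, target type and object class, which is the view needed to decide per target type between an allow rule, a dontaudit rule, or a packaging/labeling fix. The function names and the trailing noise line in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Denials copied from the comments above; the last line is constructed noise.
SAMPLE = '''\
type=1400 audit(1207452761.829:5): avc: denied { write } for pid=3208 comm="kdm_greet" name="fontconfig" dev=sda5 ino=47912 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=1400 audit(1207452763.089:7): avc: denied { write } for pid=3208 comm="kdm_greet" name="entry.desktop" dev=sda3 ino=185161 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452763.130:8): avc: denied { write } for pid=3208 comm="kdm_greet" name="entry.desktop" dev=sda3 ino=15769 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452775.047:87): avc: denied { create } for pid=3208 comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=1400 audit(1207452775.071:88): avc: denied { write } for pid=3234 comm="lnusertemp" name="root" dev=sda3 ino=106497 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Sep 30 10:00:07 test kernel: not an audit record
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    stype = selinux_type(fields.get('scontext', ''))
    ttype = selinux_type(fields.get('tcontext', ''))
    if not (stype and ttype and 'tclass' in fields):
        return None
    return {'perms': m.group(1).split(), 'source': stype, 'target': ttype,
            'tclass': fields['tclass'], 'comm': fields.get('comm'),
            'name': fields.get('name'), 'ino': fields.get('ino')}

def summarize(text):
    """Group denials by (source type, target type, class); count distinct objects."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'objects': set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec['source'], rec['target'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec['comm'])
        g['objects'].add((rec['name'], rec['ino']))
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), g in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} "
              f"by {sorted(g['comms'])}, {len(g['objects'])} object(s)")
```

Objects are keyed by name and inode, so the two different entry.desktop files labeled locale_t are counted separately even though their names match.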