Description of problem:
While skimming through the logs looking for an unrelated issue, I discovered a bunch of new selinux denials (they were not there before I upgraded to rawhide). First part is connected with salsa:

audit(1192029420.860:6): avc: denied { execstack } for pid=2559 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
audit(1192029430.600:7): avc: denied { ioctl } for pid=2559 comm="X" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1192029530.658:8): avc: denied { read } for pid=2559 comm="X" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1192029716.599:9): avc: denied { search } for pid=2559 comm="X" name="3009" dev=proc ino=11841 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0 tclass=dir
audit(1192029716.599:10): avc: denied { getattr } for pid=2559 comm="X" path="/proc/3009/cmdline" dev=proc ino=11842 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0 tclass=file
audit(1192030517.267:12): avc: denied { read write } for pid=2559 comm="X" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=1474596 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmpfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-18.fc8

How reproducible:
always

Additional info:
obtained with dmesg | grep audit
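The denials quoted in the report are in the kernel's AVC audit format, and one of them carries a hex-encoded path (the audit subsystem hex-encodes untrusted strings that contain spaces or control characters instead of quoting them). The following is an added example, not code from this bug report or from selinux-policy: a small Python parser that turns such lines into records, decodes hex-encoded path/name/comm fields, and summarises the denials into audit2allow-style `allow` rules so you can see at a glance which domain is hitting which type. The sample input is the set of denials copied from the report above; the field names to hex-decode, the function names and the rule layout are this example's own choices.

```python
"""Parse SELinux AVC denial lines (dmesg / audit.log format) and summarise them."""
import re
from collections import defaultdict

# Sample input: the denials quoted in the bug report above (constructed copy for the example).
SAMPLE_LOG = """\
audit(1192029420.860:6): avc: denied { execstack } for pid=2559 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
audit(1192029430.600:7): avc: denied { ioctl } for pid=2559 comm="X" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1192029530.658:8): avc: denied { read } for pid=2559 comm="X" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
audit(1192030517.267:12): avc: denied { read write } for pid=2559 comm="X" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=1474596 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_tmpfs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

# Only string fields are hex-encoded by the kernel; numeric fields such as pid=2559
# must never be decoded even though they look like valid hex.
HEX_ENCODED_FIELDS = {'path', 'name', 'comm', 'exe', 'proctitle'}


def decode_audit_value(key, raw, quoted):
    """Return the plain value, hex-decoding unquoted string fields where needed."""
    if key in HEX_ENCODED_FIELDS and not quoted and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
    }
    for key, quoted_val, bare_val in KV_RE.findall(m.group('rest')):
        quoted = bare_val == ''
        rec[key] = decode_audit_value(key, quoted_val if quoted else bare_val, quoted)
    return rec


def parse_log(text):
    """Parse every AVC line in a block of log text, keeping log order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def type_of(context):
    """user:role:type[:mls] -> type"""
    return context.split(':')[2]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        if r['verdict'] != 'denied':
            continue
        key = (type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])
        summary[key].update(r['perms'])
    return dict(summary)


def allow_rules(summary):
    """Render the summary as audit2allow-style rules (for reading, not for blind loading)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = 'self' if ttype == stype else ttype
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_str))
    return rules


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r['serial'], r['comm'], r['perms'], r.get('path'), type_of(r['tcontext']), r['tclass'])
    print('\n'.join(allow_rules(summarize(recs))))
```

The decoded path of the last denial is `/SYSV00000000 (deleted)`, i.e. an unlinked SysV shared-memory segment on tmpfs labelled rpm_tmpfs_t, which is what makes it look like a descriptor inherited from the package manager rather than something X opened itself. The generated rules are a reading aid only; as the rest of this thread shows, the right response to a denial is often a boolean, a policy fix for the real culprit, or a bug against the leaking process, not an `allow` for whatever appeared in the log.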
Forgive me the stupid copy-paste error. The errors concern X, of course.
I added policy to selinux-policy-3.0.8-21 for inotify.

X should not require execstack. Are you using the NVIDIA drivers?

xserver reading rpm_tmpfs_t looks like a file descriptor leak. How was this package upgraded?

Any idea why xserver would be reading the cmdline of the login user?
(In reply to comment #2)
> I added policy to selinux-policy-3.0.8-21 for inotify.
>
> X should not require execstack. Are you using the NVIDIA drivers?
>
Yes, I am. FYI, this was not the issue in f7.
> xserver reading rpm_tmpfs_t looks like a file descriptor leak. How was this
> package upgraded?
>
I upgraded from f7 to f8t3 and then ran yum update several times.
> Any idea why xserver would be reading the cmdline of the login user?
Thinkfinger maybe?
f7 ran an unconfined xserver, so this would be new in f8. You will need to turn on allow_xserver_execmem:

setsebool -P allow_xserver_execmem=1

Well, if you continue to see rpm_tmpfs_t, you should report this as a bug in yum.

Does thinkfinger work?
Yes, thinkfinger does work. On a second look, it looks like it is unrelated, as setroubleshoot screamed about this denial in the middle of logging in, when no swipe prompt was present. The reason must be different, then.
OK, inotify seems to be gone. What exactly can I do about rpm_tmpfs_t?
OK, I looked at it again and decided to add policy. Fixed in selinux-policy-3.0.8-23.fc8.src.rpm
Things that were supposed to be fixed are fixed. I'll open a separate bug report for the cmdline issue.