Bug 413421 - SELinux is preventing the /sbin/pam_timestamp_check from using potentially mislabeled files (~/.xsession-errors).
SELinux is preventing the /sbin/pam_timestamp_check from using potentially mi...
Product: Fedora
Classification: Fedora
Component: usermode (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Miloslav Trmač
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-12-05 23:44 EST by Jim Cornette
Modified: 2007-12-21 23:57 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-21 23:57:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
.xsession timestamp error (2.18 KB, text/plain)
2007-12-05 23:44 EST, Jim Cornette
no flags Details

  None (edit)
Description Jim Cornette 2007-12-05 23:44:17 EST
Description of problem:
I am getting this error in both runlevel 3 and runlevel 5
SELinux is preventing the /sbin/pam_timestamp_check from using potentially
mislabeled files (/home/jim/.xsession-errors).

Version-Release number of selected component (if applicable):

How reproducible:
Login either runlevel 3 or 5 to use gnome

Steps to Reproduce:
1. login rl3 or rl5
2. load gnome
3. review troubleshooter for errors
Actual results:

See error in browser
Expected results:

See no problem with timestamps for files

Additional info:
Refer to attached report for error.
Comment 1 Jim Cornette 2007-12-05 23:44:17 EST
Created attachment 279191 [details]
.xsession timestamp error
Comment 2 Tomas Mraz 2007-12-06 02:42:34 EST
Either pam_panel_icon must use G_SPAWN_STDERR_TO_DEV_NULL when spawning
pam_timestamp_check or this must be allowed in policy. pam_timestamp_check can
write some error messages to stderr but I am not sure that enabling it to append
to user_home_t is worth it.
Comment 3 Daniel Walsh 2007-12-06 10:39:42 EST
Fixed in selinux-policy-3.0.8-66.fc8

You can ignore for now.
Comment 4 Miloslav Trmač 2007-12-06 14:50:00 EST
(In reply to comment #3)
> You can ignore for now.
"For now"?  Long term, what do you think we should do?

If the policy lets pam_timestamp_check write to ~/.xsession-errors, then I'd
prefer not redirecting stderr and letting pam_timestamp_check write error
messages there.

Or is the change only temporary, until usermode is changed?
Comment 5 Daniel Walsh 2007-12-06 15:20:09 EST
I think you should continue doing what you do.  pam_timestamp... should be
allowed to write to .xsession-errors.
Comment 6 Jim Cornette 2007-12-21 23:57:20 EST
This error no longer shows up in the logs with selinux-policy-3.2.5-3.fc9
installed. Closing bug ticket.

Note You need to log in before you can comment on or make changes to this bug.