Bug 432010 - SELinux is preventing the dbus-daemon from using potentially mislabeled files (/root/.xsession-errors). (/root/.xsession-errors).
Summary: SELinux is preventing the dbus-daemon from using potentially mislabeled files...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-02-08 13:09 UTC by Riku Seppala
Modified: 2008-02-08 15:51 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-08 15:51:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Riku Seppala 2008-02-08 13:09:45 UTC

SELinux is preventing the dbus-daemon from using potentially mislabeled files

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied dbus-daemon access to potentially mislabeled file(s)
(/root/.xsession-errors). This means that SELinux will not allow dbus-daemon to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want dbus-daemon to access this files, you need to relabel them using
restorecon -v '/root/.xsession-errors'. You might want to relabel the entire
directory using restorecon -R -v '/root'.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root/.xsession-errors [ file ]
Source                        dbus-daemon
Source Path                   /bin/dbus-daemon
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dbus-1.1.4-4.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.7-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24-23.fc9 #1 SMP
                              Wed Feb 6 11:23:06 EST 2008 x86_64 x86_64
Alert Count                   5
First Seen                    Fri 08 Feb 2008 12:29:33 PM EET
Last Seen                     Fri 08 Feb 2008 04:58:27 PM EET
Local ID                      6f665c17-83fd-44fe-b2d9-9f708478b102
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1202482707.165:35): avc:  denied 
{ read append } for  pid=3647 comm="dbus-daemon" path="/root/.xsession-errors"
dev=dm-0 ino=2812663
tcontext=system_u:object_r:admin_home_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1202482707.165:35):
arch=c000003e syscall=59 success=yes exit=0 a0=40516b a1=7fff5540ca70
a2=7fff5540f038 a3=7fff5540e900 items=0 ppid=3646 pid=3647 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dbus-daemon"
subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-02-08 15:51:15 UTC
THis is caused by logging as root via XWindows.  Not a good idea.  You can
safely ignore the SELinux avc, but we can not fix this since it is unsafe to do so.

Note You need to log in before you can comment on or make changes to this bug.