Description of problem:
scim-bridge seems to be causing avc denials whenever IM is started under GNOME: i.e. when the first gtk application using scim-bridge is started, when Chinese IMEs are installed.

How reproducible:
every time

Steps to Reproduce:
1. sudo yum groupinstall chinese-support
2. start SCIM with im-chooser
2. restart desktop
3. press F2 or open a gtk or gnome application like gedit or gnome-terminal

Actual results:
3. avc denial and setroubleshooting star icon in notification area.

Expected results:
3. no selinux warning
Meant to add that this doesn't happen if scim-bridge is removed.
Created attachment 300387 selinux_alert.txt (sorry the output is in Japanese)
Looks like scim-bridge is leaking open file descriptors that ldconfig is looking at.

fcntl(fd, F_SETFD, FD_CLOEXEC)
The file that was denied access has the same context as normal:

$ ll -Z /usr/share/chewing/us_freq.dat
-rw-r--r-- root root system_u:object_r:usr_t:s0 /usr/share/chewing/us_freq.dat
$ ll -Z /usr/share/scim-python/helper/__init__.py
-rw-r--r-- root root system_u:object_r:usr_t:s0 /usr/share/scim-python/helper/__init__.py
Yes, but ldconfig would not try to access this file. So the problem is someone is leaking an open file descriptor to ldconfig, and SELinux checks the access on the open file descriptor, causing the AVC.
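The descriptor leak discussed in the comments above, as an added example that is not part of the bug report or of scim-bridge: a descriptor left without close-on-exec is inherited by whatever program is exec'd next, and the fcntl call quoted earlier stops that. The function name, the use of /dev/null as the open file and the fixed descriptor number 9 are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_FD 9  /* constructed: fixed slot so the exec'd shell can name it */

/* Returns 1 if the exec'd program still holds the descriptor (leak),
 * 0 if it was closed at exec, -1 on setup failure. */
int fd_survives_exec(int set_cloexec)
{
    int fd = open("/dev/null", O_RDONLY);  /* stand-in for a data file */
    if (fd < 0)
        return -1;
    if (fd != PROBE_FD) {                  /* dup2() leaves FD_CLOEXEC clear */
        if (dup2(fd, PROBE_FD) < 0) { close(fd); return -1; }
        close(fd);
    }
    if (set_cloexec) {
        int flags = fcntl(PROBE_FD, F_GETFD);
        if (flags < 0 || fcntl(PROBE_FD, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(PROBE_FD);
            return -1;
        }
    }
    pid_t pid = fork();
    if (pid < 0) { close(PROBE_FD); return -1; }
    if (pid == 0) {
        /* The new program never opened fd 9; it only has it if it leaked.
         * ": <&9" succeeds only when descriptor 9 is open. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : <&9", (char *)NULL);
        _exit(127);                        /* exec itself failed */
    }
    close(PROBE_FD);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: inherited=%d\n", fd_survives_exec(0));
    printf("with FD_CLOEXEC:    inherited=%d\n", fd_survives_exec(1));
    return 0;
}
```

On Linux, passing O_CLOEXEC to open() sets the flag atomically, which avoids the window between open() and fcntl() in a multi-threaded process.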
Hmm seems fixed in rawhide anyway. Thanks
*** Bug 441177 has been marked as a duplicate of this bug. ***