Description of problem: see alert message from attempting to change screen resolution. created a new user when reproducing to verify that problem wasn't stale home dir file. Version-Release number of selected component (if applicable): # rpm -qa | grep selinux | sort libselinux-2.0.61-1.fc9.i386 libselinux-2.0.61-1.fc9.x86_64 libselinux-python-2.0.61-1.fc9.x86_64 selinux-policy-3.3.1-33.fc9.noarch selinux-policy-targeted-3.3.1-33.fc9.noarch How reproducible: 100% Steps to Reproduce: 1. attempt to change screen resolution 2. attempt fails 3. attempt to write to changes and error fails Summary: SELinux is preventing the Xorg from using potentially mislabeled files (/home/goofball/.xsession-errors). Detailed Description: SELinux has denied Xorg access to potentially mislabeled file(s) (/home/goofball/.xsession-errors). This means that SELinux will not allow Xorg to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want Xorg to access this files, you need to relabel them using restorecon -v '/home/goofball/.xsession-errors'. You might want to relabel the entire directory using restorecon -R -v '/home/goofball'. Additional Information: Source Context unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c 1023 Target Context system_u:object_r:user_home_t:s0 Target Objects /home/goofball/.xsession-errors [ file ] Source Xorg Source Path /usr/bin/Xorg Port <Unknown> Host localhost.localdomain Source RPM Packages xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-33.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.218.rc8.git7.fc9.x86_64 #1 SMP Wed Apr 9 19:55:19 EDT 2008 x86_64 x86_64 Alert Count 1 First Seen Fri 11 Apr 2008 05:13:31 PM PDT Last Seen Fri 11 Apr 2008 05:13:31 PM PDT Local ID c76c1925-ae25-4b43-a569-3dd82f6e9066 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc: denied { append } for pid=2965 comm="Xorg" path="/home/goofball/.xsession-errors" dev=sdb1 ino=27459599 scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file host=localhost.localdomain type=AVC msg=audit(1207959211.814:15): avc: denied { read write } for pid=2965 comm="Xorg" path="/var/log/Xorg.setup.log" dev=sda5 ino=9785 scontext=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1207959211.814:15): arch=c000003e syscall=59 success=yes exit=0 a0=1114a20 a1=1195050 a2=7fff2c935620 a3=7fff2c934880 items=0 ppid=2964 pid=2965 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="Xorg" exe="/usr/bin/Xorg" subj=unconfined_u:unconfined_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
system-config-display is creating the log file without the correct context. After it creates the file it should run restorecon on the file. I will fix the output to .xsession in the next policy update.
This is a bug in system-config-display creation of the log files.
How is it supposed to create the log file?
John -- how were you changing the resolution? This is looking fine to me with the PR livecd
system-config-display i'll do a free re-sinstall and see what happens
no AVC errors, but changing resolution is still broken in that you can change to a lower resolution, but when you go to change it back the higher resolution it is no longer an option. Since AVCI was root cause for this bug i'll open a new bug.