Bug 444478 - SELinux prevents gdm-session-worker from accessing .dmrc
Summary: SELinux prevents gdm-session-worker from accessing .dmrc
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: gdm
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: jmccann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-04-28 15:48 UTC by Andrew McNabb
Modified: 2015-01-14 23:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-28 19:28:15 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Andrew McNabb 2008-04-28 15:48:38 UTC 
I'm testing Fedora 9 Preview.  GDM can't read or write ~/.dmrc, so it can't
remember which session a user chose.  SELinux is preventing gdm-session-worker
from accessing the .dmrc file.  I haven't modified the default SELinux settings
in any way.

Here's a message from /var/log/messages:

Apr 28 09:41:57 maude gdm-session-worker[4805]: WARNING: unable to log session
Apr 28 09:41:57 maude gdm-session-worker[4805]: WARNING: could not save session 
and language settings: Failed to create file '/home/amcnabb/.dmrc.KK2CAU': Permi
ssion denied
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm
_t) "read append" to ./.xsession-errors (home_root_t). For complete SELinux mess
ages. run sealert -l b122017e-c4ff-4f51-8450-7ef8eb39c2f7
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm
_t) "write" to ./amcnabb (home_root_t). For complete SELinux messages. run seale
rt -l 43593f8b-7503-4ef2-9242-dfec108f4a77
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm
_t) "read" to .dmrc (home_root_t). For complete SELinux messages. run sealert -l
 633b3fc7-225e-44d8-acc2-d04ff8401df1
Apr 28 09:41:57 maude setroubleshoot: SELinux is preventing gdm-session-wor (xdm
_t) "write" to ./amcnabb (home_root_t). For complete SELinux messages. run seale
rt -l 43593f8b-7503-4ef2-9242-dfec108f4a77


Thanks.
Comment 1 Daniel Walsh 2008-04-28 19:28:15 UTC 
The problem here is the labeling on amcnabb is wrong.

restorecon -R -v /home 

Should fix.

Did you just create this directory by hand?
Comment 2 Andrew McNabb 2008-04-28 19:33:07 UTC 
It was restored from a tarball, which seems like a pretty normal thing to do. 
If selinux can't deal with that, it really seems like a problem.
Comment 3 Daniel Walsh 2008-04-28 19:40:37 UTC 
It can as long as you told your tar ball to contain xattrs.

man tar

...

 --selinux
              this option causes tar to store  each  file's  SELinux  security
              context information in the archive.

       --xattrs
              this  option causes tar to store each file's extended attributes
              in the archive. This option also enables --acls and--selinux  if
              they haven't been set already, due to the fact that the data for
              those are stored in special xattrs.
Note You need to log in before you can comment on or make changes to this bug.