Description of problem:
After installing Sabayon, I created a new policy that I was going to assign to my children's user IDs to lock down their GNOME desktop. I received the following alert from the SELinux Alert tool while creating a new profile with Sabayon.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-101.fc8 (targeted)

How reproducible:

Steps to Reproduce:
1. Start Sabayon (User Profile Editor under the Administration menu)
2. Click on "New" to create new profile
3. SELinux prevents pam_timestamp_c access to a tmp file .xsession-errors under the /tmp/sabayon-temp-home-PBFHmt

Actual results:

Expected results:

Additional info:
Here is the alert copied from the SELinux alert tool:

Summary:

SELinux is preventing the pam_timestamp_c from using potentially mislabeled files (/tmp/sabayon-temp-home-PBfHmt/.xsession-errors).

Detailed Description:

SELinux has denied pam_timestamp_c access to potentially mislabeled file(s) (/tmp/sabayon-temp-home-PBfHmt/.xsession-errors). This means that SELinux will not allow pam_timestamp_c to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want pam_timestamp_c to access this files, you need to relabel them using restorecon -v '/tmp/sabayon-temp-home-PBfHmt/.xsession-errors'. You might want to relabel the entire directory using restorecon -R -v '/tmp/sabayon-temp-home-PBfHmt'.

Additional Information:

Source Context                system_u:system_r:pam_t:s0
Target Context                system_u:object_r:unconfined_tmp_t:s0
Target Objects                /tmp/sabayon-temp-home-PBfHmt/.xsession-errors [ file ]
Source                        pam_timestamp_c
Source Path                   /sbin/pam_timestamp_check
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           pam-0.99.8.1-17.1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-101.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.5-85.fc8 #1 SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 12 May 2008 09:33:41 AM MDT
Last Seen                     Mon 12 May 2008 09:33:41 AM MDT
Local ID                      439f3349-7eaf-460e-8088-ae56289a54b7
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1210606421.818:575): avc: denied { ioctl } for pid=23711 comm="pam_timestamp_c" path="/tmp/sabayon-temp-home-PBfHmt/.xsession-errors" dev=dm-0 ino=9142554 scontext=system_u:system_r:pam_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1210606421.818:575): arch=c000003e syscall=16 success=no exit=-13 a0=2 a1=5401 a2=7fff5c01e2c0 a3=0 items=0 ppid=23707 pid=23711 auid=500 uid=86 gid=86 euid=0 suid=0 fsuid=0 egid=86 sgid=86 fsgid=86 tty=(none) comm="pam_timestamp_c" exe="/sbin/pam_timestamp_check" subj=system_u:system_r:pam_t:s0 key=(null)

This can safely be ignored. Fixed in selinux-policy-3.0.8-103.fc8
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
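
An added example, not part of the original report or of the SELinux alert tool: the Python below parses the two raw audit records quoted in the report, joins the AVC denial to the SYSCALL record that shares its event id, and reduces them to the source type, target type, class and permission a reviewer needs for triage. The function names `parse_record` and `summarize_denials` are assumptions made for this example, and the parser handles only the plain and quoted field values seen here.

```python
import errno
import re

# The two raw audit records quoted in the report above (one event, serial 575).
RAW = [
    'host=localhost.localdomain type=AVC msg=audit(1210606421.818:575): avc: denied { ioctl } for pid=23711 comm="pam_timestamp_c" path="/tmp/sabayon-temp-home-PBfHmt/.xsession-errors" dev=dm-0 ino=9142554 scontext=system_u:system_r:pam_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file',
    'host=localhost.localdomain type=SYSCALL msg=audit(1210606421.818:575): arch=c000003e syscall=16 success=no exit=-13 a0=2 a1=5401 a2=7fff5c01e2c0 a3=0 items=0 ppid=23707 pid=23711 auid=500 uid=86 gid=86 euid=0 suid=0 fsuid=0 egid=86 sgid=86 fsgid=86 tty=(none) comm="pam_timestamp_c" exe="/sbin/pam_timestamp_check" subj=system_u:system_r:pam_t:s0 key=(null)',
]

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit record into a dict that also carries (timestamp, serial)."""
    m = EVENT_ID.search(line)
    if m is None:
        raise ValueError("no msg=audit(...) event id in record")
    rec = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
    rec["event"] = (m.group(1), int(m.group(2)))
    p = PERMS.search(line)
    rec["perms"] = p.group(1).split() if p else []
    return rec

def summarize_denials(lines):
    """Pair each AVC denial with the SYSCALL record of the same audit event."""
    recs = [parse_record(l) for l in lines]
    syscalls = {r["event"]: r for r in recs if r.get("type") == "SYSCALL"}
    out = []
    for r in recs:
        if r.get("type") != "AVC" or not r["perms"]:
            continue
        sc = syscalls.get(r["event"], {})
        code = int(sc["exit"]) if "exit" in sc else 0
        out.append({
            "source_type": r["scontext"].split(":")[2],  # third field of the context
            "target_type": r["tcontext"].split(":")[2],
            "tclass": r["tclass"],
            "perms": r["perms"],
            "path": r.get("path"),
            "exe": sc.get("exe"),
            "euid": sc.get("euid"),
            "errno": errno.errorcode.get(-code) if code < 0 else None,
        })
    return out

if __name__ == "__main__":
    for denial in summarize_denials(RAW):
        print(denial)
```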