Description of problem:
My system keeps generating selinux denials of the form

host=HOST-REDACTED type=AVC msg=audit(1213205770.625:15): avc: denied { read } for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file

host=HOST-REDACTED type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e syscall=89 success=yes exit=13 a0=7fff08cff840 a1=7fff08cfd820 a2=1000 a3=ff2 items=0 ppid=3386 pid=3855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp" exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

I have the 'xdm_sysadm_login' boolean turned off. I notice in xserver.te that there are lots of dontaudit statements relating to admin_home_t, but nothing related to the lnk_file type that KDE seems so fond of (tmp-XXX, cache-XXX). Perhaps something like this is needed in the 'false' branch of the xdm_sysadm_login test (please advise):

dontaudit xdm_t admin_home_t:lnk_file read_link_file_perms;

I think that the default behavior of kdm is that it scrapes the user list (and possibly the user homedirs) to generate the login screen, so access attempt may be unavoidable.

Version-Release number of selected component (if applicable):
kde-settings-kdm-4.0-23.fc9.noarch
selinux-policy-targeted-3.3.1-62.fc9.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
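The denial in the report above, worked through as an added example (not part of the original report and not the policy maintainers' code): a Python sketch that pairs each AVC record with its SYSCALL record by audit event ID and emits the matching dontaudit rule with raw permissions. The function names are hypothetical, and the sample log is abridged from the two records quoted in the report.

```python
import re
from collections import defaultdict

# Sample input: the two records from the report, SYSCALL fields abridged.
SAMPLE = '''\
host=HOST-REDACTED type=AVC msg=audit(1213205770.625:15): avc: denied { read } for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file
host=HOST-REDACTED type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e syscall=89 success=yes exit=13 pid=3855 uid=0 comm="lnusertemp" exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
'''

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\w+)')
EXE = re.compile(r'exe="([^"]*)"')

def summarize(log):
    """Return one dict per denied AVC, joined to its SYSCALL record by event ID."""
    exes, denials = {}, []
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        exe = EXE.search(line)
        if rtype == 'SYSCALL' and exe:
            exes[event_id] = exe.group(1)
        avc = AVC.search(line)
        if rtype == 'AVC' and avc:
            perms, scon, tcon, tclass = avc.groups()
            # A context is user:role:type:level; the rule needs only the type.
            denials.append({'event': event_id, 'perms': perms.split(),
                            'source': scon.split(':')[2],
                            'target': tcon.split(':')[2], 'tclass': tclass})
    for d in denials:
        d['exe'] = exes.get(d['event'])  # None if no SYSCALL record was logged
    return denials

def dontaudit_rules(denials):
    """Merge permissions per (source, target, class) into dontaudit rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'dontaudit {src} {tgt}:{cls} {text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(dontaudit_rules(summarize(SAMPLE))))
```
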
Is this happening when you try to login as root?
Dontaudit added in selinux-policy-3.3.1-68.fc9.noarch
I'm not using the root login on this machine. In fact, several times after I saw this message I deleted the /root/.kde directory. I am wondering if this is a weird side-effect of running kdm.
Just say no to kdm :^)
I guess now would not be a good time to also point out that kwin and plasma also generate execmem and execstack denials...
Please open bugzillas on those packages, and cc me.
Don't worry about those; I tracked them down to a known issue with execmem/execstack and the nVidia vendor GL libraries.
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.