Description of problem:
Upon bootup, playing music in Rhythmbox and using Firefox, I get messages from SELinux. Please let me know if I should break any of these into a separate bug report.

Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-8.fc10

How reproducible:
Every time

Steps to Reproduce:
1. Boot computer
2. Play mp3s with Rhythmbox
3. Visit websites (Going to http://www.alsfamilyfarms.com/shopping/category.php/freshcitrus triggered the firefox messages once but it happens on multiple sites.)

Actual results:
I receive lots of avc messages

Expected results:
Receive no messages

Additional info:
type=1400 audit(1225111456.592:4): avc: denied { unlink } for pid=2543 comm="gdm-binary" name="force-display-on-active-vt" dev=sda5 ino=188128 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=1400 audit(1225111466.173:5): avc: denied { execmem } for pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111466.272:6): avc: denied { execmem } for pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111466.348:7): avc: denied { execmem } for pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
SELinux: Context system_u:object_r:user_gnome_home_t:s0 is not valid (left unmapped).
SELinux: Context unconfined_u:object_r:user_gnome_home_t:s0 is not valid (left unmapped).
type=1400 audit(1225111481.030:8): avc: denied { execstack } for pid=2882 comm="gnome-settings-" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111490.860:9): avc: denied { execstack } for pid=2994 comm="gnome-power-man" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111490.864:10): avc: denied { execstack } for pid=2993 comm="mixer_applet2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111493.469:11): avc: denied { execstack } for pid=2980 comm="pidgin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111514.104:12): avc: denied { execstack } for pid=3036 comm="rhythmbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111539.991:13): avc: denied { execstack } for pid=3085 comm="rhythmbox-metad" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
__ratelimit: 588 callbacks suppressed
type=1400 audit(1225111701.836:830): avc: denied { execstack } for pid=3056 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Oct 27 08:54:01 localhost kernel: type=1400 audit(1225115641.041:1165): avc: denied { execstack } for pid=3660 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Oct 27 08:58:01 localhost kernel: type=1400 audit(1225115881.197:1167): avc: denied { getattr } for pid=4719 comm="updatedb" path="/home/Chris/.gnome2" dev=sda6 ino=104840 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Looks like you are using nvidia so you need to turn on the allow_execstack boolean:

setsebool -P allow_execstack 1

gnome problem will be fixed by:

restorecon -R -v ~/

gdm unlink error will be fixed by:

restorecon -R -v /var/spool
Hi Daniel,

Thanks for your last reply. Doing what you said cleared up most of my problems. However, with allow_execstack checked as active in the selinux gui I'm still getting the following:

Oct 28 09:48:22 localhost kernel: type=1400 audit(1225205302.457:4): avc: denied { execmem } for pid=2710 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
Oct 28 09:48:22 localhost kernel: type=1400 audit(1225205302.616:5): avc: denied { execmem } for pid=2710 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
Oct 28 09:48:22 localhost kernel: type=1400 audit(1225205302.657:6): avc: denied { execmem } for pid=2710 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process

Also, I'm curious as to why restorecon -R -v ~/ fixed my problem. I think I've read something about moving files around causing the security contexts to get jumbled. Can you give me a link to somewhere you've talked about this before or explained it?

Thanks!
I will change xdm to be able to execmem and execstack if the allow_execstack boolean is turned on.

Fixed in selinux-policy-3.5.13-10.fc10

As far as relabeling of the homedir: at some point in Rawhide we added a label for gnome directories in your home dir that we later changed, but the relabel never caught it in your home dir. Similarly /var/spool/gdm got mislabeled.
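The thread separates two kinds of denials: execmem/execstack on a process (handled by the allow_execstack boolean or a policy change) and file/dir denials caused by stale or invalid labels (handled by restorecon). The following triage script is an added example, not code from this bug report or from the selinux-policy project; it parses AVC lines of the format shown above (the sample input is four lines taken from the report) and sorts each denial into the bucket the maintainer's two replies describe. The bucket names are my own labels.

```python
import re
from collections import Counter

# Sample input: four AVC lines from the report above, used as constructed
# test data for the parser (the kernel/syslog prefix on the last line is kept).
SAMPLE_AVC = """\
type=1400 audit(1225111456.592:4): avc: denied { unlink } for pid=2543 comm="gdm-binary" name="force-display-on-active-vt" dev=sda5 ino=188128 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=1400 audit(1225111466.173:5): avc: denied { execmem } for pid=2721 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1225111514.104:12): avc: denied { execstack } for pid=3036 comm="rhythmbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Oct 27 08:58:01 localhost kernel: type=1400 audit(1225115881.197:1167): avc: denied { getattr } for pid=4719 comm="updatedb" path="/home/Chris/.gnome2" dev=sda6 ino=104840 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:mls-range]; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Map a denial to the kind of fix discussed in the thread (labels are mine)."""
    if rec.get("tclass") == "process" and {"execstack", "execmem"} & set(rec["perms"]):
        return "exec-memory"   # boolean such as allow_execstack, or a policy change
    if rec["ttype"] == "unlabeled_t":
        return "relabel"       # object carries no valid label: restorecon
    if rec.get("tclass") in ("file", "dir"):
        return "check-label"   # compare ls -Z against matchpathcon before touching policy
    return "other"

def summarize(text):
    """Count denials by (source type, permissions, target type, verdict)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["stype"], " ".join(rec["perms"]), rec["ttype"], triage(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AVC).items():
        print(f"{n:3d}  {key[0]:<14} {key[1]:<10} -> {key[2]:<16} {key[3]}")
```

Feed it the output of dmesg or /var/log/audit/audit.log instead of SAMPLE_AVC to get a per-type count before deciding between setsebool and restorecon.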