When switching users, I get the following alerts. It doesn't seem to have any ill effect on the system (even when running in strict mode), so I've been ignoring them up to this point, but it would be nice to be able to get rid of them altogether.

Summary:

SELinux is preventing gdm-session-wor (xdm_t) "rename" to ./.xsession-errors (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      0ef2a1cc-bc47-486f-a969-612adf02ed53
Line Numbers

Raw Audit Messages

node=puck type=AVC msg=audit(1231285716.283:533): avc: denied { rename } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.283:533): avc: denied { unlink } for pid=15560 comm="gdm-session-wor" name=".xsession-errors.old" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.283:533): arch=c000003e syscall=82 success=yes exit=0 a0=11af8f0 a1=11afad0 a2=11afaf0 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing gdm-session-wor (xdm_t) "create" to ./.xsession-errors (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      75c5df60-a194-43f7-9310-8204dfaa3c03
Line Numbers

Raw Audit Messages

node=puck type=AVC msg=audit(1231285716.287:534): avc: denied { create } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.287:534): avc: denied { append } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.287:534): arch=c000003e syscall=2 success=yes exit=9 a0=11af8f0 a1=442 a2=180 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing gdm-session-wor (xdm_t) "setattr" to ./.xsession-errors (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      4847bbf5-d044-4987-a8b0-72e29dd3eb44
Line Numbers

Raw Audit Messages

node=puck type=AVC msg=audit(1231285716.287:535): avc: denied { setattr } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.287:535): arch=c000003e syscall=91 success=yes exit=0 a0=9 a1=180 a2=0 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing gdm-session-wor (xdm_t) "write" to ./.xsession-errors (var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      cd98c32c-6fd6-4e32-9822-d100200593b7
Line Numbers

Raw Audit Messages

node=puck type=AVC msg=audit(1231285716.264:532): avc: denied { write } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.264:532): arch=c000003e syscall=21 success=yes exit=0 a0=11af8f0 a1=6 a2=1148da0 a3=0 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
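The four alerts above are easier to reason about once the raw audit records are reduced to "which source type was denied which permissions on which target type". The following Python script is an added example, not part of the original thread or of setroubleshoot: it parses AVC records of the form quoted above, groups the denied permissions by (source type, target type, object class), and pairs each AVC record with the SYSCALL record that shares its audit serial so that a "denied" AVC whose syscall still reported success=yes is marked as not enforced (the fingerprint of permissive mode). The sample records are the ones from the alerts, with the SYSCALL lines abbreviated; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the raw audit records quoted in the alerts above, one per
# line (SYSCALL records abbreviated to the fields this example uses).
SAMPLE_AUDIT = """\
node=puck type=AVC msg=audit(1231285716.264:532): avc: denied { write } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.264:532): arch=c000003e syscall=21 success=yes exit=0 pid=15560 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
node=puck type=AVC msg=audit(1231285716.283:533): avc: denied { rename } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.283:533): avc: denied { unlink } for pid=15560 comm="gdm-session-wor" name=".xsession-errors.old" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.283:533): arch=c000003e syscall=82 success=yes exit=0 pid=15560 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
node=puck type=AVC msg=audit(1231285716.287:534): avc: denied { create } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.287:534): avc: denied { append } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.287:534): arch=c000003e syscall=2 success=yes exit=9 pid=15560 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
node=puck type=AVC msg=audit(1231285716.287:535): avc: denied { setattr } for pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.287:535): arch=c000003e syscall=91 success=yes exit=0 pid=15560 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker"
"""

# "avc: denied { perm1 perm2 } for key=value ..." (one or more spaces anywhere)
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="...") or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(s):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(s)}


def parse_audit(text):
    """Return (avc_records, syscall_success): AVC dicts in file order and a map
    from audit serial to whether the matching SYSCALL record reported success."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = _fields(m.group('fields'))
            rec.update(serial=int(m.group('serial')), result=m.group('result'),
                       perms=m.group('perms').split())
            # third colon-separated field of a context is the type (e.g. xdm_t)
            rec['stype'] = rec['scontext'].split(':')[2]
            rec['ttype'] = rec['tcontext'].split(':')[2]
            avcs.append(rec)
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[int(m.group('serial'))] = _fields(m.group('fields')).get('success') == 'yes'
    return avcs, syscalls


def denials(text):
    """Denied AVC records, each tagged with 'enforced': False when the syscall
    sharing its serial still succeeded (permissive), True when it failed, None
    when no SYSCALL record was found for that serial."""
    avcs, syscalls = parse_audit(text)
    out = []
    for rec in avcs:
        if rec['result'] != 'denied':
            continue
        ok = syscalls.get(rec['serial'])
        rec['enforced'] = None if ok is None else (not ok)
        out.append(rec)
    return out


def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for rec in denials(text):
        groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == '__main__':
    for key, perms in summarize(SAMPLE_AUDIT).items():
        print('%s -> %s (%s): %s' % (key[0], key[1], key[2], ' '.join(perms)))
    for rec in denials(SAMPLE_AUDIT):
        print('serial=%d %-8s %-22s enforced=%s' % (rec['serial'], rec['perms'][0],
                                                    rec['name'], rec['enforced']))
```

Run against a real log with `summarize(open('/var/log/audit/audit.log').read())`. On the sample, every denial collapses to a single key, xdm_t acting on a var_t file, and every one is marked not enforced. That one-key shape is the tell for a labelling problem rather than a policy gap: a file in a home directory carrying var_t is the mislabel, so the fix is restorecon on the file, not an audit2allow module that would permanently grant xdm_t write access to var_t.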
You seem to have an .xsession-errors file on your system labeled var_t?

locate .xsession-errors

Then execute

ls -lZ PATHTO/.xsession-errors

This file should not have this label.
That seems to be the case. Every user directory has an .xsession-errors file in it. It seems it was initially created as var_t. What should it be?

$ ls -lZ /home/smc/.xsession-errors
-rw------- smc users system_u:object_r:var_t:s0 /home/smc/.xsession-errors

It's the same in all users' directories.
Run

restorecon -R -v /home

This will reset the file context on the home directories for all users. It should be xdm_home_t. I have no idea how you got var_t unless the entire home directories for users are var_t, which would be very wrong.
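Before running restorecon across every home directory it is worth knowing how far the mislabelling goes, since the reply above distinguishes a stray var_t file from a whole home directory labelled var_t. The following Python snippet is an added example, not part of the thread: it reads `ls -lZ` (or `ls -Z`) output, finds the context column by its user:role:type shape rather than by position, and reports entries whose type differs from what is expected. The expected types are my assumptions, taken from the reply for .xsession-errors (xdm_home_t) and from the targeted policy's default for a user's top-level home directory (user_home_dir_t); the listing is constructed, with the first line copied from the post above.

```python
import re

# Constructed sample listing; the second line is the one quoted in the thread.
SAMPLE_LS = """\
drwx------ smc users unconfined_u:object_r:user_home_dir_t:s0 /home/smc
-rw------- smc users system_u:object_r:var_t:s0 /home/smc/.xsession-errors
-rw------- smc users system_u:object_r:var_t:s0 /home/smc/.xsession-errors.old
drwx------ bob users system_u:object_r:var_t:s0 /home/bob
-rw------- bob users unconfined_u:object_r:xdm_home_t:s0 /home/bob/.xsession-errors
"""

# A security context token: <user>_u:<role>_r:<type>_t[:<mls range>]
CONTEXT_RE = re.compile(r'^[\w.-]+_u:[\w.-]+_r:[\w.-]+_t(:[^ ]*)?$')

# Expected types (assumption, see lead-in): keyed by file name, plus a rule for
# the home directory itself.
EXPECTED_BY_NAME = {
    '.xsession-errors': 'xdm_home_t',
    '.xsession-errors.old': 'xdm_home_t',
}
HOME_DIR_RE = re.compile(r'^/home/[^/]+$')
EXPECTED_HOME_DIR = 'user_home_dir_t'


def parse_ls_z(line):
    """Return (path, type) for one ls -Z / ls -lZ line, or None if it has no context."""
    parts = line.split()
    for tok in parts:
        if CONTEXT_RE.match(tok):
            return parts[-1], tok.split(':')[2]
    return None


def expected_type(path):
    """Expected SELinux type for a path, or None if this example has no rule for it."""
    if HOME_DIR_RE.match(path):
        return EXPECTED_HOME_DIR
    return EXPECTED_BY_NAME.get(path.rsplit('/', 1)[-1])


def mislabeled(listing):
    """List of (path, actual_type, expected_type) for entries with the wrong type."""
    bad = []
    for line in listing.splitlines():
        parsed = parse_ls_z(line)
        if not parsed:
            continue
        path, actual = parsed
        want = expected_type(path)
        if want and actual != want:
            bad.append((path, actual, want))
    return bad


def scope(listing):
    """'directory' if any home directory itself is mislabelled (restorecon -R on
    /home is warranted), 'file' if only individual files are, 'none' otherwise."""
    bad = mislabeled(listing)
    if any(HOME_DIR_RE.match(p) for p, _, _ in bad):
        return 'directory'
    return 'file' if bad else 'none'


if __name__ == '__main__':
    for path, actual, want in mislabeled(SAMPLE_LS):
        print('%s is %s, expected %s' % (path, actual, want))
    print('mislabelling scope:', scope(SAMPLE_LS))
```

Feed it real output with `mislabeled(subprocess.check_output(['ls', '-lZ', path]).decode())`. In the sample, smc's two files are flagged while bob's home directory itself is var_t, so `scope()` reports 'directory', the "very wrong" case from the reply; with only the file lines it would report 'file', where `restorecon -v` on the individual files is enough.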