Bug 479106 - SELinux is preventing gdm-session-wor (xdm_t) rename/create/setattr/write to ./xsession-errors (var_t)
Summary: SELinux is preventing gdm-session-wor (xdm_t) rename/create/setattr/write to ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-01-07 09:06 UTC by Steven Côté
Modified: 2009-01-08 18:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-08 18:53:36 UTC
Type: ---
Embargoed:



Description Steven Côté 2009-01-07 09:06:37 UTC
When switching users, I get the following alerts. It doesn't seem to have any ill effect on the system (even when running in strict mode), so I've been ignoring them up to this point, but it would be nice to be able to get rid of them altogether.



Summary:

SELinux is preventing gdm-session-wor (xdm_t) "rename" to ./.xsession-errors
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      0ef2a1cc-bc47-486f-a969-612adf02ed53
Line Numbers                  

Raw Audit Messages            

node=puck type=AVC msg=audit(1231285716.283:533): avc:  denied  { rename } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=puck type=AVC msg=audit(1231285716.283:533): avc:  denied  { unlink } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors.old" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=puck type=SYSCALL msg=audit(1231285716.283:533): arch=c000003e syscall=82 success=yes exit=0 a0=11af8f0 a1=11afad0 a2=11afaf0 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)




Summary:

SELinux is preventing gdm-session-wor (xdm_t) "create" to ./.xsession-errors
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      75c5df60-a194-43f7-9310-8204dfaa3c03
Line Numbers                  

Raw Audit Messages            

node=puck type=AVC msg=audit(1231285716.287:534): avc:  denied  { create } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=puck type=AVC msg=audit(1231285716.287:534): avc:  denied  { append } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=puck type=SYSCALL msg=audit(1231285716.287:534): arch=c000003e syscall=2 success=yes exit=9 a0=11af8f0 a1=442 a2=180 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)




Summary:

SELinux is preventing gdm-session-wor (xdm_t) "setattr" to ./.xsession-errors
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      4847bbf5-d044-4987-a8b0-72e29dd3eb44
Line Numbers                  

Raw Audit Messages            

node=puck type=AVC msg=audit(1231285716.287:535): avc:  denied  { setattr } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=puck type=SYSCALL msg=audit(1231285716.287:535): arch=c000003e syscall=91 success=yes exit=0 a0=9 a1=180 a2=0 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)




Summary:

SELinux is preventing gdm-session-wor (xdm_t) "write" to ./.xsession-errors
(var_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./.xsession-errors,

restorecon -v './.xsession-errors'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./.xsession-errors [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          puck
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     puck
Platform                      Linux puck 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec
                              16 14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 06 Jan 2009 23:48:36 GMT
Last Seen                     Tue 06 Jan 2009 23:48:36 GMT
Local ID                      cd98c32c-6fd6-4e32-9822-d100200593b7
Line Numbers                  

Raw Audit Messages            

node=puck type=AVC msg=audit(1231285716.264:532): avc:  denied  { write } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=puck type=SYSCALL msg=audit(1231285716.264:532): arch=c000003e syscall=21 success=yes exit=0 a0=11af8f0 a1=6 a2=1148da0 a3=0 items=0 ppid=11787 pid=15560 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=43 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-01-07 18:46:48 UTC
You seem to have an .xsession-errors file on your system labeled var_t?

locate .xsession-errors 
Then execute

ls -lZ PATHTO/.xsession-errors

This file should not have this label.

Comment 2 Steven Côté 2009-01-08 10:08:06 UTC
That seems to be the case. Every user directory has an .xsession-errors file in it. It seems it was initially created as var_t. What should it be?

$ ls -lZ /home/smc/.xsession-errors
-rw-------  smc users system_u:object_r:var_t:s0       /home/smc/.xsession-errors


It's the same in all users' directories.

Comment 3 Daniel Walsh 2009-01-08 14:38:29 UTC
Run 

restorecon -R -v /home 

This will reset the file context on the home directories for all users.

It should be xdm_home_t.

I have no idea how you got var_t unless the entire home directories for users are var_t, which would be very wrong.
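Triage helper for the alerts above, added here and not part of the bug, of gdm or of setroubleshoot: it parses the raw AVC records, groups the denied permissions by source and target type, and flags the .xsession-errors denials as a labeling mismatch against the xdm_home_t type named in Comment 3 (treating the rotated .old copy the same way is an assumption of this example).

```python
import re

# Constructed sample: the AVC records quoted in this bug's four alerts, plus one SYSCALL record.
SAMPLE = """\
node=puck type=AVC msg=audit(1231285716.264:532): avc:  denied  { write } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.283:533): avc:  denied  { rename } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376582 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.283:533): avc:  denied  { unlink } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors.old" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.287:534): avc:  denied  { create } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.287:534): avc:  denied  { append } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=AVC msg=audit(1231285716.287:535): avc:  denied  { setattr } for  pid=15560 comm="gdm-session-wor" name=".xsession-errors" dev=dm-1 ino=15376757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
node=puck type=SYSCALL msg=audit(1231285716.287:535): arch=c000003e syscall=91 success=yes exit=0 a0=9 a1=180 a2=0 a3=32fdb6da70 items=0 ppid=11787 pid=15560 auid=500 uid=500 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

# Type .xsession-errors should carry in a home directory (Comment 3); using it for the .old copy too is an assumption.
EXPECTED_TYPE = {".xsession-errors": "xdm_home_t", ".xsession-errors.old": "xdm_home_t"}
AVC_RE = re.compile(r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(ctx):
    return ctx.split(":")[2]  # user:role:type[:range] -> type

def parse_avc(line):
    """Dict for an AVC record (quotes stripped, perms as a list); None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return dict({k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))},
                result=m.group("result"), perms=m.group("perms").split())

def denials(text):
    for rec in map(parse_avc, text.splitlines()):
        if rec and rec["result"] == "denied":  # SYSCALL and other record types are skipped
            yield rec

def summarize(text):
    """Group denials by (source type, target type, class) -> sorted list of denied permissions."""
    groups = {}
    for rec in denials(text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def mislabel_candidates(text, expected=EXPECTED_TYPE):
    """Denials whose target name has a known expected type that tcontext lacks: a labeling problem (restorecon), not a policy gap."""
    hits = {}
    for rec in denials(text):
        want, found = expected.get(rec.get("name", "")), type_of(rec["tcontext"])
        if want and found != want:
            hits.setdefault((rec["name"], found, want), set()).update(rec["perms"])
    return {k: sorted(v) for k, v in hits.items()}
```

On the quoted records every denial collapses to one xdm_t -> var_t file group, and both target names come back as var_t where xdm_home_t was expected, which is the restorecon case rather than an audit2allow case.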

