SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:1-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this access is required by polkit-read-aut and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/gdm/:1-greeter.log,
restorecon -v '/var/log/gdm/:1-greeter.log'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:SystemLow-SystemHigh
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/log/gdm/:1-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-39.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.27.10-168.fc10.i686 #1 SMP Wed Jan 7 18:33:32 EST 2009 i686 i686
Alert Count                   5
First Seen                    Mon Jan 19 18:23:41 2009
Last Seen                     Mon Jan 19 18:24:07 2009
Local ID                      b330152c-e02f-40f6-bd55-0fdfd1093d14
Line Numbers                  927, 928, 929, 930, 940, 941, 942, 943, 1040, 1041

Raw Audit Messages

type=AVC msg=audit(1232385847.306:3365): avc: denied { write } for pid=5535 comm="polkit-read-aut" path="/var/log/gdm/:1-greeter.log" dev=dm-0 ino=1306922 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

type=SYSCALL msg=audit(1232385847.306:3365): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bf9160e0 a2=bf916afc a3=bf9160e0 items=0 ppid=5406 pid=5535 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)

==========================

Summary:

SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this access is required by polkit-read-aut and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/gdm/:0-greeter.log,
restorecon -v '/var/log/gdm/:0-greeter.log'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:SystemLow-SystemHigh
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/log/gdm/:0-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-39.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.27.10-168.fc10.i686 #1 SMP Wed Jan 7 18:33:32 EST 2009 i686 i686
Alert Count                   5
First Seen                    Mon Jan 19 23:38:33 2009
Last Seen                     Mon Jan 19 23:38:41 2009
Local ID                      893e7a70-3438-4b61-9bb6-c5d533d80619
Line Numbers                  6187, 6188, 6189, 6190, 6191, 6192, 6193, 6194, 6195, 6196

Raw Audit Messages

type=AVC msg=audit(1232404721.753:10): avc: denied { write } for pid=2914 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

type=SYSCALL msg=audit(1232404721.753:10): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bfccc480 a2=bfccce9c a3=bfccc480 items=0 ppid=2863 pid=2914 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)

=========================

From #desktop:

(21:17:59) mcepl: Jan 19 07:56:31 viklef setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log (xserver_log_t).
(21:18:27) halfline: ah
(21:18:47) halfline: i wonder why policykit is trying to read :0-greeter.log
(21:18:52) halfline: err write to !
(21:19:16) halfline: oh
(21:19:34) halfline: actually makes sense
(21:19:57) halfline: :0-greeter.log should be xserver_log_t
(21:20:08) mcepl: yes, it is (see the message)
(21:20:30) halfline: *shouldn't
(21:20:34) halfline: it's not an xserver log
(21:20:36) mcepl: oh
(21:20:42) halfline: it's the greeter session stdout
(21:20:44) mcepl: no, /var/log/messages
(21:20:55) mcepl: oh I see
(21:21:53) halfline: should probably be a new xdm_var_log_t or some such
(21:22:04) halfline: worth filing if you haven't already
Is this a leaked file descriptor or are you setting stdout of polkit-read-auth to /var/log/gdm/:0-greeter.log?
(In reply to comment #1)
> Is this a leaked file descriptor or are you setting stdout of polkit-read-auth
> to /var/log/gdm/:0-greeter.log?

Halfline thought that it might be just a wrong label for the file (should be xdm_var_log_t instead of xserver_log_t).
There is no xdm_var_log_t. This is the correct label. Or I can add a new one, but the question is whether this is intentional that we want to grab the output from polkit-read-auth, or is it a leak.
right, I wasn't saying there was a xdm_var_log_t, was saying there should be one: "(21:21:53) halfline: should probably be a new xdm_var_log_t or some such" See the irc conversation Matej pasted. :0-greeter.log is akin to ~/.xsession-errors but for the gdm user. It's where all programs in the greeter session (including things that use policykit) output their debug spew.
Created attachment 330841
Here's another selinux_alert fyi
Summary for above attachment: SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log (xserver_log_t).
Ray and I have talked about making this append and relabeling /var/log/gdm to xdm_log_t. Then we can allow the confined domains to append to the log, rather than write. write allows you to truncate the log files. But for F10 this app should be able to write xserver_log_t. In F11 it will append to xdm_log_t. Miroslav and you fix this?
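An added example, not part of this bug, of setroubleshoot or of selinux-policy: a small Python triage script that parses raw auditd AVC and SYSCALL records of the kind quoted in the report above (the sample embedded in the script is copied from those records) and reports the two things discussed in this thread. First, whether the requested file permission goes beyond what an append-only log writer needs, the distinction the comment above draws (write covers O_TRUNC and ftruncate, append does not). Second, whether the denial was raised from execve(), which means the new domain was refused a descriptor inherited from its parent rather than a file it opened itself, the question comment #1 asks. The helper names, the append-only permission set (modelled on the refpolicy append_file_perms macro) and the i386 syscall table are my own assumptions.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in the bug report
# above, one record per line, as auditd writes them to /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1232385847.306:3365): avc: denied { write } for pid=5535 comm="polkit-read-aut" path="/var/log/gdm/:1-greeter.log" dev=dm-0 ino=1306922 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=SYSCALL msg=audit(1232385847.306:3365): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bf9160e0 a2=bf916afc a3=bf9160e0 items=0 ppid=5406 pid=5535 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)
"""

# Assumed set of file permissions an append-only log writer needs (modelled on
# refpolicy's append_file_perms). 'write' is deliberately absent: it also
# permits truncating the log.
APPEND_ONLY_FILE_PERMS = {"append", "getattr", "open", "lock", "ioctl"}

# i386 syscall numbers (arch=40000003 is AUDIT_ARCH_I386); 11 is execve.
I386_SYSCALLS = {4: "write", 5: "open", 11: "execve"}

_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "range": rest[0] if rest else ""}


def parse_record(line):
    """Parse one auditd record into a dict; AVC records also get a 'perms' set."""
    rec = {}
    m = _MSG.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    body = line
    m = _AVC.search(line)
    if m:
        rec["perms"] = set(m.group(1).split())
        body = m.group(2)
    for key, val in _KV.findall(body):
        rec[key] = val.strip('"')
    rec["type"] = line.split()[0].split("=", 1)[1]
    return rec


def group_events(text):
    """Group records by audit serial so each AVC meets its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("serial"), {})[rec["type"]] = rec
    return events


def triage(event):
    """Return the facts a policy reviewer wants from one AVC+SYSCALL pair."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    subj, obj = parse_context(avc["scontext"]), parse_context(avc["tcontext"])
    arch = int(sc.get("arch", "0"), 16)
    nr = int(sc.get("syscall", "-1"))
    syscall = I386_SYSCALLS.get(nr, str(nr)) if arch == 0x40000003 else str(nr)
    return {
        "source_type": subj["type"],
        "target_type": obj["type"],
        "tclass": avc["tclass"],
        "path": avc.get("path", ""),
        "perms": sorted(avc["perms"]),
        # A file denial asking for anything outside the append-only set
        # (here: write) is the case the comment above wants turned into append.
        "exceeds_append_only": avc["tclass"] == "file"
        and not avc["perms"] <= APPEND_ONLY_FILE_PERMS,
        "syscall": syscall,
        # A denial raised from execve() means the new domain was refused a
        # descriptor inherited across the transition (the greeter session's
        # stdout here), not a file the helper opened itself.
        "inherited_fd": syscall == "execve",
    }


def triage_all(text):
    """Triage every AVC event found in a block of raw audit records."""
    return [triage(ev) for ev in group_events(text).values() if "AVC" in ev]


if __name__ == "__main__":
    for t in triage_all(SAMPLE_AUDIT):
        print(f'{t["source_type"]} -> {t["target_type"]} ({t["tclass"]}) '
              f'{t["path"]}: {" ".join(t["perms"])}; during {t["syscall"]}; '
              f'exceeds append-only: {t["exceeds_append_only"]}; '
              f'inherited fd: {t["inherited_fd"]}')
```

On a real host the same functions can be fed the raw lines from /var/log/audit/audit.log; the sample here reproduces the report's verdict (polkit_auth_t asked for write on xserver_log_t during execve, so an inherited descriptor, and more than append).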
Fixed in selinux-policy-3.5.13-44.fc10
This looks like the same bug as 484564
Can we get this rolled over into fedora-updates-testing, so that we can actually get this fixed version?
*** Bug 484564 has been marked as a duplicate of this bug. ***
*** Bug 484451 has been marked as a duplicate of this bug. ***
It was pushed on Friday last week. I tested today and it works fine.

# yum install --enablerepo=updates-testing selinux-policy-targeted
*** Bug 485326 has been marked as a duplicate of this bug. ***
Created attachment 355968
selinux_is_preventing_polkit-read-aut (polkit_auth_t) "gettattr" fs_t.txt

mine looks slightly different; should I worry about this? linux newbie: so far I've only used Firefox & T-bird but will be doing other work incl web dev and adjusting network access, documents. **Haven't been able to print since upgrade from F10 to F11**
add'l notes: was having all kinds of problems, think before F11 upgrade, like constant dropped connection, couldn't read or save text anywhere but text editor, 30 min boot - now just have to login twice and about 10 min boot but lost printing after F11 upgrade. newbie not sure if has anything to do w/this. many more SELinux alerts since F11 but will check/file rpts separately. thanks
Faith, please send me email, and I will work with you on fixing your problem. dwalsh
I sent the email, but I don't know that anything ever got fixed. Remember, my error was slightly different (see above comment from me) than the original error filed in this bug report. Please advise how I can tell if my problem has been fixed. Last time my SELinux reported this error was on 8/17. Computer is used daily. Thanks
Sounds good Faith. You are probably all set. Reopen bug if you see any more problems.