Xfce i686 live media as of today (2009-05-12) has some gdm denials on boot:

type=AVC msg=audit(1242203547.059:24642): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203551.058:24643): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203555.059:24644): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203559.059:24645): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203563.059:24646): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203567.058:24647): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203571.058:24648): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203575.059:24649): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203579.059:24650): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203583.058:24651): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203587.059:24652): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203591.058:24653): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203595.058:24654): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203599.058:24655): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.060:24656): avc: denied { read } for pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24662): avc: denied { read write } for pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24663): avc: denied { write } for pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24664): avc: denied { write } for pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.953:24665): avc: denied { write } for pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
The liveuser directory is mislabeled. It should not be home_root_t; it should be user_home_dir_t?
The x86 desktop image I built yesterday has things labeled fine. I'll kick off an XFCE one while I'm gone to lunch, but there shouldn't be anything different. Have a log of the image build? Any errors during boot (especially during the live initscript)?
Yeah, I do have a log. Nothing leaps out there. We do a "chown -R liveuser:liveuser /home/liveuser" at the end of the livesys, because we add some files (which get owned by root by default). Perhaps that's resetting the context?
Aha, that's exactly it. You're adding things in %post and not on boot. So yes, you'll also need a restorecon in the %post as well if that's how you want to do things in addition to the chown. That said, you also really probably don't _want_ to be doing that as part of %post and instead want to do it on each boot in the livesys initscript. Otherwise, the files are on the image that gets dd'd to the user's hard drive after they install rather than just being present in the overlay.
I'm not sure I understand. How can we modify the livesys initscript except in %post? It's created in the %post in fedora-live-base.ks; you want us to add our special cases there?
You can append to it with

cat >> /etc/init.d/livesys << EOF
[do stuff here]
EOF

in your %post (much as is already done for screensaver disabling)
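The append pattern from the comment above, worked out as a %post fragment; this is an added example, not code from the bug report or from fedora-live-base.ks. It assumes the initscript path is passed in as an argument (so it can be exercised against a scratch file), and uses a quoted heredoc delimiter so that $LIVE_HOME is expanded on each boot rather than at image-build time; the restorecon after the chown is what the thread identified as missing.

```shell
# Added example: append a boot-time ownership fix plus SELinux relabel of
# /home/liveuser to the livesys initscript from a kickstart %post section.
# Doing it at boot keeps the change in the live overlay instead of baking
# root-owned, mislabeled files into the image that later gets installed.

append_livesys_relabel() {
    script="$1"   # normally /etc/init.d/livesys; hypothetical argument here
    # 'EOF' is quoted: nothing inside is expanded while %post runs at build
    # time, so the initscript itself evaluates $LIVE_HOME when it executes.
    cat >> "$script" << 'EOF'

# Xfce live: files dropped into the live user's home during %post are owned
# by root and carry whatever label they were created with. Fix both on boot.
LIVE_HOME=/home/liveuser
if [ -d "$LIVE_HOME" ]; then
    chown -R liveuser:liveuser "$LIVE_HOME"
    # chown never changes the SELinux context; restorecon reapplies the
    # policy's file-context defaults (user_home_dir_t / user_home_t) so
    # xdm_t (gdm) is allowed to read and write the directory again.
    restorecon -R "$LIVE_HOME"
fi
EOF
}

# Sanity check usable from the build log: does the initscript now carry
# the relabel step? Returns 0 (true) when it does.
livesys_has_relabel() {
    grep -q 'restorecon -R "\$LIVE_HOME"' "$1"
}

# In a real %post this would be: append_livesys_relabel /etc/init.d/livesys
```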
Kevin, please ask whoever is responsible for bugzilla administration to reassign yourself instead of me as the owner of fedora xfce live component in bugzilla. Thanks.
OK. I did the one-liner fix for F11 here, and we will do the more proper fix for F12. Rahul: will do.
This was fixed for F11.