Description of problem:
when changing settings in gnome-power-preferences and clicking "make default" I get an selinux error

SELinux is preventing gconf-defaults- (gconfdefaultsm_t) "getattr" to /home/james/.gconf (user_home_t).

Detailed Description:
SELinux denied access requested by gconf-defaults-. /home/james/.gconf may be a mislabeled. /home/james/.gconf default SELinux type is gconf_home_t, but its current type is user_home_t. Changing this file back to the default type, may fix your problem.

Version-Release number of selected component (if applicable):
GConf2-2.26.0-2.fc11.x86_64
selinux-policy-3.6.12-39.fc11.noarch
libselinux-2.0.80-1.fc11.x86_64
gnome-power-manager-2.26.1-3.fc11.x86_64

How reproducible:
On a new install of F11

Steps to Reproduce:
1. open gnome-power-preferences
2. change settings and click "Make default"
3. enter root password

Actual results:
setroubleshooter generates the selinux error above

Expected results:
~/.gconf settings should be updated without selinux preventing it.

Additional info:
restorecon -R -v ~/ Should fix. The problem is the directory got created with the wrong label on it. You can run the restorecond service to watch for this type of thing in the future.
https://bugzilla.redhat.com/show_bug.cgi?id=507876 is probably a duplicate of this. By the way, I can confirm this behaviour on my fresh F11 install.
Did the restorecon fix the labeling? Does it work now?
No, the restorecon didn't fix things. The problem is still there. Here are the setroubleshootd logs:

Source Context: system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023
Target Context: system_u:object_r:security_t:s0
Target Objects: mls [ file ]
Source: gconf-defaults-
Source Path: /usr/libexec/gconf-defaults-mechanism
Port: <Unknown>
Host: laptop.unit2
Source RPM Packages: GConf2-2.26.2-1.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-53.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: laptop.unit2
Platform: Linux laptop.unit2 2.6.29.4-167.fc11.i586 #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686
Alert Count: 6
First Seen: Mon 29 Jun 2009 12:09:19 AM EDT
Last Seen: Mon 29 Jun 2009 12:11:49 AM EDT
Local ID: 6952298d-0566-4af8-b7e6-3f2ca1d6221b
Line Numbers:

Raw Audit Messages :
node=laptop.unit2 type=AVC msg=audit(1246248709.298:61): avc: denied { read } for pid=7268 comm="gconf-defaults-" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
node=laptop.unit2 type=AVC msg=audit(1246248709.298:61): avc: denied { open } for pid=7268 comm="gconf-defaults-" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
node=laptop.unit2 type=SYSCALL msg=audit(1246248709.298:61): arch=40000003 syscall=5 success=yes exit=3 a0=bf8054a8 a1=8000 a2=0 a3=bf8054a8 items=0 ppid=7267 pid=7268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism" subj=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 key=(null)
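Added example, not part of the original thread: a small Python parser that groups the raw audit records quoted in the comment above by their audit serial number and reports the denied permissions, the source and target types, and whether the system call actually failed. The function names are this example's own, and the sample lines are abridged from that log.

```python
import re
from collections import defaultdict

# Abridged from the raw audit messages quoted in the comment above.
SAMPLE = """\
node=laptop.unit2 type=AVC msg=audit(1246248709.298:61): avc: denied { read } for pid=7268 comm="gconf-defaults-" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
node=laptop.unit2 type=AVC msg=audit(1246248709.298:61): avc: denied { open } for pid=7268 comm="gconf-defaults-" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
node=laptop.unit2 type=SYSCALL msg=audit(1246248709.298:61): arch=40000003 syscall=5 success=yes exit=3 pid=7268 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def sel_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]

def summarize(log_text):
    """Merge the AVC and SYSCALL records that share one audit serial number."""
    events = defaultdict(lambda: {"perms": set(), "blocked": None})
    for line in log_text.splitlines():
        head = EVENT.search(line)
        if not head:
            continue
        ev = events[head.group(3)]
        if head.group(1) == "AVC":
            m = AVC.search(line)
            if m:
                ev["perms"].update(m.group(1).split())
                ev["source"] = sel_type(m.group(2))
                ev["target"] = sel_type(m.group(3))
                ev["tclass"] = m.group(4)
        elif head.group(1) == "SYSCALL":
            # success=yes beside a denial: the access was logged but not blocked.
            ev["blocked"] = "success=no" in line
    return dict(events)

def describe(ev):
    """One-line summary of a merged event for triage."""
    outcome = {True: "blocked", False: "logged, not blocked", None: "outcome unknown"}
    return "%s -> %s:%s { %s } (%s)" % (
        ev["source"], ev["target"], ev["tclass"],
        " ".join(sorted(ev["perms"])), outcome[ev["blocked"]])

if __name__ == "__main__":
    for serial, ev in summarize(SAMPLE).items():
        print(serial, describe(ev))
```

For the quoted log, both AVC records collapse into one event whose SYSCALL record shows `success=yes`, consistent with the `Enforcing Mode: Permissive` field in the same report.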
Sorry, I should mention that it has changed slightly. Where the first error was "preventing gconf-defaults- (gconfdefaultsm_t) "getattr" to /home/james/.gconf (user_home_t).", it has now become: "preventing gconf-defaults- (gconfdefaultsm_t) "read" security_t."
The security_t thing is a separate issue fixed in selinux-policy-3.6.12-57.fc11. It should not prevent anything from working.
I can confirm the new selinux error. If it doesn't prevent anything working, why is selinux generating an error? selinux-policy-3.6.12-53.fc11 is the latest available in the repositories. Can you push 3.6.12-57.fc11, so this can be resolved? Thanks. This bug should be classified as "gnome-power-preferences is generating selinux errors", and it is not "NOTABUG". Opening until fixed in repos.
I have to add a more annoying event. While booting, just before gdm pops up, I get a message like "powermanager not properly configured". It blocks gdm, and with some luck and a 5-10 min. wait time, gdm comes up amid a lot of windows which say "powermanager not properly configured" (was in Dutch, have translated freely). It also mentioned Gconf2 etc., but I couldn't read it. I will restart sometimes and see if I can make something from it. My OS is kernel linux 2.6.29.5-191.fc11.x86_64. I'll happily give more info when asked. I also applied: restorecon -R -v ~/ as suggested by Daniel Walsh in comment #1, and as a result:

[root@xxxx ~]# restorecon -R -v ~/
restorecon reset /root/.xauth9y2EsK context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
restorecon reset /root/.local/share/Trash/files/nphelix.so context system_u:object_r:lib_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/.xauthRKIDrH context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
restorecon reset /root/.xauthy5IImQ context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
restorecon reset /root/.gvfs context system_u:object_r:fusefs_t:s0->system_u:object_r:admin_home_t:s0
restorecon set context /root/.gvfs->system_u:object_r:admin_home_t:s0 failed:'Operation not supported'

I think the last 2 lines are "normal". I hope this helps.
Martin
Martin, please open a different bugzilla for this since it is a different problem. If you are logging in as root via GDM, this is not supported and is considered very dangerous from a security point of view. SELinux policy will not be altered to allow it, so if you want to login via gdm as root, you will need to put SELinux in permissive mode.
I'm not, couldn't login at all. I never (can) login as root via gdm, I made it impossible. Have been on a live CD for nearly 3 days, surfing for equal cases, and I don't want to destroy the installed (failing) F11. I have some more information now, and will open a different bugzilla. I thought my problem was related with this bug. Thanks anyway,
Martin
This is now fixed with selinux-policy--3.6.12-62.fc11.noarch. Thanks.