Summary:

SELinux is preventing gdm-session-wor (xdm_t) "search" to .X11-unix (initrc_tmp_t).

Detailed Description:

SELinux denied access requested by gdm-session-wor. The current boolean settings do not allow this access. If you have not setup gdm-session-wor to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_polyinstantiation is set incorrectly.
Boolean Description:
Enable polyinstantiated directory support.

Fix Command:
# setsebool -P allow_polyinstantiation 1

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                .X11-unix [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          rhapsody
Source RPM Packages           gdm-2.26.1-13.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-69.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     rhapsody
Platform                      Linux rhapsody 2.6.29.6-217.jhe.fc11.x86_64-rhapsody #2 SMP Sun Jul 26 22:24:18 BST 2009 x86_64 x86_64
Alert Count                   10
First Seen                    Tue 28 Jul 2009 18:19:27 BST
Last Seen                     Wed 29 Jul 2009 20:24:47 BST
Local ID                      d0cb540d-8acf-456e-a80d-909d99f11095
Line Numbers

Raw Audit Messages

node=rhapsody type=AVC msg=audit(1248895487.660:35): avc: denied { search } for pid=2833 comm="gdm-session-wor" name=".X11-unix" dev=dm-0 ino=10287 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir

node=rhapsody type=SYSCALL msg=audit(1248895487.660:35): arch=c000003e syscall=6 success=no exit=-13 a0=7fffe431c5e0 a1=7fffe431c510 a2=7fffe431c510 a3=3fb items=0 ppid=2742 pid=2833 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

gdm-2.26.1-13.fc11.x86_64
.X11-unix was created by an initrc script?
ps -eZ | grep initrc_t
Something seems a little fishy on this box.
> .X11-unix was created by an initrc script?
>
> ps -eZ | grep initrc_t
Nothing shows up.
Here's another denial:
"SELinux is preventing the gdm-session-wor from using potentially mislabeled files (/tmp/.X11-unix/X0)."
node=rhapsody type=AVC msg=audit(1248806062.589:64): avc: denied { getattr } for pid=4421 comm="gdm-session-wor" path="/tmp/.X11-unix/X0" dev=dm-0 ino=7572 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
node=rhapsody type=SYSCALL msg=audit(1248806062.589:64): arch=c000003e syscall=6 success=yes exit=0 a0=7fff2cf5ed30 a1=7fff2cf5ec60 a2=7fff2cf5ec60 a3=3fb items=0 ppid=4307 pid=4421 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
restorecon -R -v /tmp/.X11-unix should fix. Do you have freenx-server running on your box? Some init script is creating the directory with the wrong context.
(In reply to comment #4)
> Do you have freenx-server running on your box?
I do! I'll try turning it off and see if that helps. (This *seemed* to start after I installed the gdm from updates-testing.)
Freenx should be fixing the label on the /tmp/.X11-unix directory after it is created.
mkdir /tmp/.X11-unix
restorecon /tmp/.X11-unix
Should fix the problem.
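Added example, not part of the original comments and not code from gdm, freenx or setroubleshoot: a small Python parser for the AVC records quoted in this report. It groups denials by source type, target type and class, and flags targets whose type starts with initrc_, a heuristic assumed here for "still carrying the label from the init script that created it"; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this report (copied from the comments above).
SAMPLE = [
    'node=rhapsody type=AVC msg=audit(1248895487.660:35): avc: denied { search } '
    'for pid=2833 comm="gdm-session-wor" name=".X11-unix" dev=dm-0 ino=10287 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir',
    'node=rhapsody type=AVC msg=audit(1248806062.589:64): avc: denied { getattr } '
    'for pid=4421 comm="gdm-session-wor" path="/tmp/.X11-unix/X0" dev=dm-0 ino=7572 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the MLS level may itself contain ':'.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['object'] = rec.get('path') or rec.get('name', '?')
    return rec

def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(groups)

def init_labelled_objects(lines):
    """Heuristic (assumption): a target type starting with 'initrc_' means the
    object kept the label given when an init script created it."""
    return sorted({(r['object'], r['ttype']) for r in filter(None, map(parse_avc, lines))
                   if r['ttype'].startswith('initrc_')})

if __name__ == '__main__':
    for key, perms in summarize(SAMPLE).items():
        print(key, sorted(perms))
    print(init_labelled_objects(SAMPLE))
```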
Thanks for spotting this and reporting, see also bug #437655 comment#13.
The latest builds
https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8022
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-8023
have this fixed.
Technically it's not a duplicate of bug #437655, but since the fix to bug #437655 caused the regression, which was reported there as well, I'm making this a duplicate.
*** This bug has been marked as a duplicate of bug 437655 ***