The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing loadkeys (loadkeys_t) "write" /home/liveuser/.xsession-errors (user_home_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by the loadkeys command. It looks like this is either a leaked descriptor or loadkeys output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /home/liveuser/.xsession-errors. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context         unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023
Target Context         unconfined_u:object_r:user_home_t:s0
Target Objects         /home/liveuser/.xsession-errors [ file ]
Source                 loadkeys
Source Path            /bin/loadkeys
Port                   <Unknown>
Host                   (removed)
Source RPM Packages    kbd-1.15-7.fc11
Target RPM Packages
Policy RPM             selinux-policy-3.6.26-8.fc12
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            leaks
Host Name              (removed)
Platform               Linux (removed) 2.6.31-0.125.4.2.rc5.git2.fc12.x86_64 #1 SMP Tue Aug 11 21:00:45 EDT 2009 x86_64 x86_64
Alert Count            2
First Seen             Fri 28 Aug 2009 02:59:21 AM EDT
Last Seen              Fri 28 Aug 2009 02:59:21 AM EDT
Local ID               51885092-82e2-4dda-abb0-ecbd2083f1bc
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1251442761.371:29422): avc: denied { write } for pid=2972 comm="loadkeys" path="/home/liveuser/.xsession-errors" dev=dm-0 ino=86475 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1251442761.371:29422): avc: denied { read write } for pid=2972 comm="loadkeys" path="/dev/mapper/control" dev=tmpfs ino=1925 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1251442761.371:29422): arch=c000003e syscall=59 success=yes exit=0 a0=32d4660 a1=3426cf0 a2=2a8f160 a3=7fff2e820d80 items=0 ppid=2840 pid=2972 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="loadkeys" exe="/bin/loadkeys" subj=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= loadkeys_t ==============
allow loadkeys_t lvm_control_t:chr_file { read write };
allow loadkeys_t user_home_t:file write;
This is a mislabeled file: /home/liveuser/.xsession-errors. Something is either wrong with the livecd builder, if this file exists before the first login, or the login program that created it is not running under the correct context. The second AVC is caused by a leak in some program opening /dev/mapper/control. Maybe initrd?
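Added example, not part of the original thread: a small Python triage of the raw audit records in the report. It rebuilds the allow rules that audit2allow suggested and lists the paths denied inside the execve event itself. Treating a read/write denial logged during execve (arch=c000003e, syscall=59) as an inherited descriptor is a heuristic assumed by this example, and the function names are its own.

```python
import re
from collections import defaultdict

# Records from the report above; the SYSCALL record is abridged for this example.
RAW = '''node=(removed) type=AVC msg=audit(1251442761.371:29422): avc: denied { write } for pid=2972 comm="loadkeys" path="/home/liveuser/.xsession-errors" dev=dm-0 ino=86475 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1251442761.371:29422): avc: denied { read write } for pid=2972 comm="loadkeys" path="/dev/mapper/control" dev=tmpfs ino=1925 scontext=unconfined_u:unconfined_r:loadkeys_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
node=(removed) type=SYSCALL msg=audit(1251442761.371:29422): arch=c000003e syscall=59 success=yes exit=0 ppid=2840 pid=2972 comm="loadkeys" exe="/bin/loadkeys"
'''
EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(raw):
    """Return (denials, exec_events): AVC dicts and ids of events whose syscall is execve."""
    denials, exec_events = [], set()
    for line in raw.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == 'SYSCALL' and f.get('arch') == 'c000003e' and f.get('syscall') == '59':
            exec_events.add(event_id)
        elif rtype == 'AVC' and (p := AVC.search(line)):
            denials.append({'event': event_id, 'perms': p.group(1).split(),
                            'source': f['scontext'].split(':')[2],  # type is field 3
                            'target': f['tcontext'].split(':')[2],
                            'tclass': f['tclass'], 'path': f.get('path')})
    return denials, exec_events

def allow_rules(denials):
    """Merge denials per (source type, target type, class) into audit2allow-style rules."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        ps = sorted(p)
        body = ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'
        rules.append(f'allow {s} {t}:{c} {body};')
    return rules

def inherited(denials, exec_events):
    """Heuristic: read/write denials raised during execve concern already-open descriptors."""
    return [d['path'] for d in denials if d['event'] in exec_events
            and d['path'] and set(d['perms']) <= {'read', 'write', 'append'}]
```

Both paths come back from `inherited`, which fits the diagnosis above: neither descriptor was opened by loadkeys itself, so the thing to fix is the file label or the leaking parent, not loadkeys policy.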
On the livecd, is everything on a single partition?
Looking at a live cd here: /tmp, /var/tmp and /var/cache/yum are tmpfs but the rest of / appears to be a single partition.
If you bring up the livecd in single user mode, does the /home/liveuser/.xsession-errors file exist? If yes, then there is a problem with the label built by livecd. If not, then the program that is creating .xsession-errors is not running as xdm_t, which would transition the file to the right context.
If you bring the livecd up in single-user mode, the entire liveuser homedir is not there, since that user is created in /etc/init.d/livesys.
Ok, does this script create the .xsession-errors file? Does it run a restorecon after it sets up the user's homedir?
The script calls useradd to create the user. .xsession-errors is created by gnome-session when you log in.
For what it's worth, this error was generated by the KDE live CD.
Oh, in that case, I can't answer the question.
Moving to kdebase, which seems closer to the problem then.
Reassigning to Sebastian Vahl, the KDE Live CD maintainer.
I cannot reproduce this problem so I don't know what to do here. The kickstart of the KDE live images only creates some files inside the home directory and chowns them to the liveuser. Maybe adding a simple 'restorecon -R /home/liveuser' after it fixes this? It would be the last line in /etc/init.d/livesys then and probably won't hurt. @Reporter: When does this selinux error appear? Right after login/boot?
Happening here on x86 Linux.
It was one of several SELinux errors I got when using the alpha live CD, so I can't remember the details or any triggering conditions. When the beta comes out, I'll also give it a go and report if it still comes up.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This bug has been triaged
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.