Bug 520244 - SELinux is preventing chcon (unconfined_t) "relabelto" xdm_t
Summary: SELinux is preventing chcon (unconfined_t) "relabelto" xdm_t
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: i586
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-08-29 16:37 UTC by Dennis Reso
Modified: 2009-08-31 13:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-31 13:12:27 UTC


Attachments
Denial details for xdm_t access to /root, and chcon to xdm_t (1.90 KB, text/plain)
2009-08-29 16:37 UTC, Dennis Reso

Description Dennis Reso 2009-08-29 16:37:50 UTC
Created attachment 359158
Denial details for xdm_t access to /root, and chcon to xdm_t

Description of problem:
SELinux denials when logging in under xdm/gnome.  Access to /root/.Xauthority file is denied for context xdm_t on context admin_home_t.  Attempt to change the context of the file to xdm_t is denied.

Version-Release number of selected component (if applicable):
  Linux 2.6.29.6-217.2.16.fc11.i586
  kdebase-4.3.0-1.fc11.i586
  kdebase-libs-4.3.0-1.fc11.i586
  kdm-4.3.0-9.fc11.i586
  libselinux-2.0.80-1.fc11.i586
  selinux-policy-3.6.12-80.fc11

How reproducible:
  Attempt as "root" to 'chcon -t xdm_t /root/.Xauthority-c'.

Steps to Reproduce:

1. Install kde-base.
2. Configure 'kdm' as the logon greeter.
3. Logon as "root".
   Denial:
   SELinux is preventing the kdm from using potentially mislabeled files (/root/.Xauthority-c).

4. Attempt to 'chcon -t xdm_t /root/.Xauthority-c'.
   Denial:
   SELinux is preventing chcon (unconfined_t) "relabelto" xdm_t.

Actual results:
  chcon: failed to change context of `/root/.Xauthority-c' to `unconfined_u:object_r:xdm_t:s0': Permission denied

Expected results:
  Successful alteration to xdm_t and elimination of file access denials.

Additional info:

Comment 1 Daniel Walsh 2009-08-31 13:12:27 UTC
Use restorecon to reset the label.

xdm_t is a process type and is not allowed to be set on a file.

restorecon /root/.Xauthority-c 

should set the context to xauth_home_t
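
Added example (not part of the bug report or of Daniel Walsh's comment): a pre-flight check that classifies a requested type as a process or file type before `chcon` is attempted, and reports the policy default that `restorecon` would apply. The helper names and the sample inputs are constructed for illustration; live use assumes `seinfo` (setools), `matchpathcon` (libselinux-utils) and GNU `stat` are installed.

```shell
#!/bin/bash
# Added example, not from the bug report. Helper names are hypothetical.
# Live use assumes seinfo (setools), matchpathcon (libselinux-utils), GNU stat.

# The type is the third field of user:role:type[:level].
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Classify a type from its attribute text (what `seinfo --type=TYPE -x` lists).
# Reference-policy convention: file types carry the "file_type" attribute,
# process types carry "domain". -w keeps e.g. nsswitch_domain from matching.
classify_type() {
    if printf '%s\n' "$1" | grep -qw 'file_type'; then echo file
    elif printf '%s\n' "$1" | grep -qw 'domain'; then echo process
    else echo unknown
    fi
}

# plan_relabel REQUESTED_TYPE ATTR_TEXT DEFAULT_CONTEXT
# Reports whether `chcon -t REQUESTED_TYPE` makes sense for a file.
plan_relabel() {
    default_type=$(context_type "$3")
    case $(classify_type "$2") in
        process) echo "reject: $1 is a process type; restorecon gives $default_type" ;;
        unknown) echo "reject: $1 is not a known file type" ;;
        file)
            if [ "$1" = "$default_type" ]; then
                echo "ok: $1 is the policy default; use restorecon"
            else
                echo "warn: $1 differs from policy default $default_type"
            fi ;;
    esac
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_XDM_ATTRS='xdm_t domain'
SAMPLE_XAUTH_ATTRS='xauth_home_t file_type'
SAMPLE_DEFAULT='system_u:object_r:xauth_home_t:s0'

# Live use: ./check.sh /root/.Xauthority-c xdm_t
if [ "$#" -eq 2 ]; then
    echo "current: $(stat -c %C "$1")"
    plan_relabel "$2" "$(seinfo --type="$2" -x)" "$(matchpathcon -n "$1")"
fi
```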

