The following was filed automatically by setroubleshoot:

Summary:
SELinux is preventing the /usr/bin/kdm from using potentially mislabeled files (.Xauthority).

Detailed Description:
SELinux has denied kdm access to potentially mislabeled file(s) (.Xauthority). This means that SELinux will not allow kdm to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want kdm to access this files, you need to relabel them using restorecon -v '.Xauthority'. You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:
Source Context       system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context       unconfined_u:object_r:xauth_home_t:s0
Target Objects       .Xauthority [ file ]
Source               kdm
Source Path          /usr/bin/kdm
Port                 <Unknown>
Host                 (removed)
Source RPM Packages  kdm-4.3.1-7.fc12
Target RPM Packages
Policy RPM           selinux-policy-3.6.32-11.fc12
Selinux Enabled      True
Policy Type          targeted
MLS Enabled          True
Enforcing Mode       Enforcing
Plugin Name          home_tmp_bad_labels
Host Name            (removed)
Platform             Linux (removed) 2.6.31.1-48.fc12.x86_64 #1 SMP Fri Sep 25 16:57:40 EDT 2009 x86_64 x86_64
Alert Count          2
First Seen           Sun 27 Sep 2009 04:50:24 PM CDT
Last Seen            Sun 27 Sep 2009 05:53:00 PM CDT
Local ID             93cb6e01-766c-4a25-b6a3-5eb61f8c6cae
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1254091980.236:60): avc: denied { unlink } for pid=3757 comm="kdm" name=".Xauthority" dev=dm-0 ino=86112 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1254091980.236:60): arch=c000003e syscall=87 success=no exit=-13 a0=7fff94a5da40 a1=7fff94a5d630 a2=0 a3=1 items=0 ppid=2321 pid=3757 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-11.fc12,home_tmp_bad_labels,kdm,xdm_t,xauth_home_t,file,unlink

audit2allow suggests:
#============= xdm_t ==============
allow xdm_t xauth_home_t:file unlink;
I will allow this in selinux-policy-3.6.32-23.fc12.noarch
But kdm will not work well with SELinux if it needs to create the .xsession-errors and .Xauthority files in the user home directory directly. Gdm has changed to creating the .Xauthority file in /var/run/gdm
echo $XAUTHORITY
/var/run/gdm/auth-for-dwalsh-rBMTD8/database
Which allows us to label these differently, so all apps can read the Xauthority file and all apps can append to the .xsession_errors file. Can we do something similar with kdm?
Don't we have a bug filed for this already? AFAIK, rdieter already changed the default configuration, the problem is that we don't replace the config file on upgrades because we don't want to clobber user configuration.
Ok then we can close this as fixed in Rawhide.
yes, kde-settings-4.3-8 was supposed to fix this:
* Mon Sep 21 2009 Rex Dieter <rdieter> - 4.3-8
- kdmrc: use /var/run/kdm for pid/xauth (#524583)
Reporter, rpm -q kde-settings-kdm please.
In particular, look for these items in /etc/kde/kdm/kdmrc:
AuthDir=/var/run/kdm
UserAuthDir=/var/run/kdm
ForceUserAuthDir=true
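The check requested in the comment above can be scripted. The following is an added example, not part of the original thread or of any Fedora/KDE tooling: it parses a kdmrc and reports which of the three settings are absent and which sections set them to a different value. The function name `audit_kdmrc` and both sample files are constructed for illustration.

```python
import configparser

# Values the maintainers name in this thread for /etc/kde/kdm/kdmrc.
EXPECTED = {
    "AuthDir": "/var/run/kdm",
    "UserAuthDir": "/var/run/kdm",
    "ForceUserAuthDir": "true",
}

def _norm(key, value):
    # Booleans compare case-insensitively; paths ignore a trailing slash.
    value = value.strip()
    return value.lower() if key == "ForceUserAuthDir" else value.rstrip("/")

def audit_kdmrc(text):
    """Return (missing_keys, conflicts) for the three auth-dir settings."""
    # interpolation=None: values such as ".xsession-errors-%d" contain '%'.
    # delimiters=("=",): values such as ":1,:2,:3" contain ':'.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case (the default lowercases keys)
    cp.read_string(text)
    missing, conflicts = [], []
    for key, want in EXPECTED.items():
        hits = [(s, cp.get(s, key)) for s in cp.sections()
                if cp.has_option(s, key)]
        if not hits:
            missing.append(key)
        # Report every section with a different value, whatever its scope.
        conflicts += [(s, key, v) for s, v in hits
                      if _norm(key, v) != _norm(key, want)]
    return sorted(missing), sorted(conflicts)

# Constructed samples (not taken from a real system).
GOOD = """\
[General]
AuthDir=/var/run/kdm
[X-*-Core]
ClientLogFile=.xsession-errors-%d
ForceUserAuthDir=true
UserAuthDir=/var/run/kdm
"""
BAD = """\
[General]
AuthDir=/var/run/xauth
[X-*-Core]
ForceUserAuthDir=true
[X-:0-Core]
ForceUserAuthDir=false
"""
```

To audit a real system, pass the contents of /etc/kde/kdm/kdmrc to `audit_kdmrc`; an empty result for both lists matches the configuration the maintainers describe.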
*** This bug has been marked as a duplicate of bug 524583 ***
[olivares@n6355-19134 ~]$ rpm -q kde-settings-kdm
kde-settings-kdm-4.3-10.1.noarch
[olivares@n6355-19134 ~]$ uname -r
2.6.31.1-56.fc12.x86_64
[olivares@n6355-19134 ~]$ cat /etc/kde/kdm/kdmrc
[General]
AuthDir=/var/run/kdm
ConfigVersion=2.3
ConsoleTTYs=tty2,tty3,tty4,tty5,tty6
PidFile=/var/run/kdm/kdm.pid
ReserveServers=:1,:2,:3
ServerVTs=1
StaticServers=:0
[Shutdown]
BootManager=None
HaltCmd=/sbin/poweroff
RebootCmd=/sbin/reboot
[X-*-Core]
AllowShutdown=Root
AutoReLogin=false
ClientLogFile=.xsession-errors-%d
ForceUserAuthDir=true
Resources=/etc/X11/xdm/Xresources
Session=/etc/kde/kdm/Xsession
SessionsDirs=/usr/share/xsessions,/usr/share/kde4/apps/kdm/sessions
Setup=/etc/X11/xdm/Xsetup_0
UserAuthDir=/var/run/kdm
[X-*-Greeter]
AntiAliasing=true
BackgroundCfg=/etc/kde/kdm/backgroundrc
ColorScheme=
EchoPasswd=true
FaceSource=PreferUser
FailFont=Abyssinica SIL,12,-1,5,50,0,0,0,0,0
FocusPasswd=true
ForgingSeed=1108476160
GUIStyle=
GreetFont=Abyssinica SIL,16,-1,5,50,0,0,0,0,0
GreetString=Fedora 12 (Constantine)
GreeterPos=50,50
HiddenUsers=root
Language=en_US
LogoArea=Logo
LogoPixmap=/usr/share/icons/hicolor/96x96/apps/fedora-logo-icon.png
MaxShowUID=65530
MinShowUID=500
SelectedUsers=
ShowUsers=NotHidden
SortUsers=true
StdFont=Abyssinica SIL,10,-1,5,50,0,0,0,0,0
Theme=/usr/share/kde4/apps/kdm/themes/Constantine
UseBackground=true
UseTheme=true
UserCompletion=false
UserList=true
[X-:*-Core]
AllowShutdown=All
NoPassEnable=false
NoPassUsers=
ServerArgsLocal=-br -nolisten tcp
ServerTimeout=30
TerminateServer=true
[X-:*-Greeter]
DefaultUser=olivares
FocusPasswd=true
LoginMode=DefaultLocal
PreselectUser=Previous
[X-:0-Core]
AutoLoginEnable=true
AutoLoginLocked=false
AutoLoginUser=olivares
[Xdmcp]
Enable=false
Willing=/etc/X11/xdm/Xwilling
Xaccess=/etc/X11/xdm/Xaccess
[olivares@n6355-19134 ~]$
BTW Why is this a repeated bug? I had not seen it before? This is the original bug right?
https://bugzilla.redhat.com/show_bug.cgi?id=524583
Uh, looks like this kdmrc has UserAuthDir and ForceUserAuthDir set just fine, so where the heck is the problem now? :-(
Dunno, with those set, I cannot reproduce the problem (ie, no ~/.Xauthority file is ever created or used, only stuff under /var/run/kdm).
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.