Summary:

SELinux is preventing /usr/libexec/gdm-session-worker "getattr" access on /tmp/.X11-unix/X0.

Detailed Description:

[gdm-session-wor has a permissive type (xdm_t). This access was not denied.]

SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                /tmp/.X11-unix/X0 [ sock_file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdm-2.28.0-9.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-24.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 13 Oct 2009 10:46:35 AM PDT
Last Seen                     Tue 13 Oct 2009 10:51:47 AM PDT
Local ID                      81e55d18-7674-43da-9fac-40c4a97279c1
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1255456307.387:2358): avc: denied { getattr } for pid=9518 comm="gdm-session-wor" path="/tmp/.X11-unix/X0" dev=tmpfs ino=43023 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1255456307.387:2358): arch=c000003e syscall=6 success=yes exit=0 a0=7fff3d45ca80 a1=7fff3d45c9b0 a2=7fff3d45c9b0 a3=3fb items=0 ppid=8248 pid=9518 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=5 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall,gdm-session-wor,xdm_t,root_t,sock_file,getattr

audit2allow suggests:

#============= xdm_t ==============
allow xdm_t root_t:sock_file getattr;
I'm using tmpfs for /tmp (I don't have a spare partition I could encrypt, but I don't want tmp files on my disk either) and I think this is causing this "error".

* /etc/fstab
  tmpfs /tmp tmpfs nosuid 0 0

* /proc/mounts
  tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
You seem to have a badly mislabeled system.

touch /.autorelabel; reboot

Should clean it up. Reopen if this bug persists.
Hi Daniel, care to elaborate a bit on the "mislabeling process"? This is a freshly installed system, not much has been configured yet (apart from /tmp being mounted as tmpfs), I wonder what caused the system to be "mislabeled". I'll try your workaround as soon as I get access to the system again. Thanks!
Actually what is the label on /tmp?

ls -LZ /tmp

It should be tmp_t and not root_t.

restorecon -R -v /tmp

Should fix.
Hm, the error message does not occur any more (it did occur as a notification window for the first few logins to Gnome), but from the /proc/mounts entry above I see:

tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0

Now I see:

----------------------------------------------------------
# ls -LZ /tmp
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 keyring-6XBMYu
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 orbit-christian
drwx------. gdm       gdm       system_u:object_r:xdm_tmp_t:s0      orbit-gdm
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 pulse-8h57TbygR0Pe
drwx------. gdm       gdm       system_u:object_r:xdm_tmp_t:s0      pulse-PKdhtXMmr18n
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 virtual-christian.Zo5wWn

# ls -LZd /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp

# grep /tmp /proc/mounts
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
----------------------------------------------------------

Since the error is gone, I do not feel like relabeling anything. I was just reporting this thingy, because SELinux told me to. Maybe this can be documented as a "known issue when /tmp is a tmpfs". Or maybe not, because it's a far too exotic configuration (is it?).

Thanks, Christian.
I have no idea why it happened at all. I always use /tmp as a tmpfs and have not seen the problem.
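As an added illustration (not part of the bug report or of any Fedora tool): a small parser for AVC records like the raw audit messages above that flags denials whose /tmp target carries a type outside the ones the ls -Z output in this thread shows as legitimate, so the fix Daniel describes (restorecon -R -v /tmp) is applied instead of the allow rule audit2allow proposes. The second AVC record, the comm value "foo" and the EXPECTED_TMP_TYPES set are constructed assumptions.

```python
import re

# Constructed sample input: the AVC record from the report above, a SYSCALL record, and a
# made-up denial on a correctly labelled target so both outcomes of the check are exercised.
SAMPLE_AUDIT = [
    'node=(removed) type=AVC msg=audit(1255456307.387:2358): avc: denied { getattr } for pid=9518 '
    'comm="gdm-session-wor" path="/tmp/.X11-unix/X0" dev=tmpfs ino=43023 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=sock_file',
    'node=(removed) type=SYSCALL msg=audit(1255456307.387:2358): arch=c000003e syscall=6 success=yes exit=0',
    'type=AVC msg=audit(1255456400.100:2400): avc: denied { write } for pid=9600 comm="foo" '
    'path="/tmp/orbit-gdm/linc-1" dev=tmpfs ino=43100 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file',
]

# Assumed legitimate types under /tmp, taken from the thread: tmp_t (directory), user_tmp_t, xdm_tmp_t.
EXPECTED_TMP_TYPES = {"tmp_t", "user_tmp_t", "xdm_tmp_t"}

_AVC_RE = re.compile(r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
                     r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict of its fields; None for any other record type."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in _KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')   # quoted values (comm, path) lose their quotes
    return rec

def context_type(ctx):
    """Return the type field (user:role:TYPE:level) of an SELinux security context."""
    return ctx.split(":")[2]

def tmp_mislabels(lines):
    """Return (path, target type, perms) for denials whose /tmp target has a non-tmp type."""
    # Such a denial means the file label is wrong: relabel with 'restorecon -R -v /tmp'
    # rather than adding the allow rule audit2allow would generate for it.
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        path = rec.get("path", "")
        ttype = context_type(rec["tcontext"])
        if path.startswith("/tmp/") and ttype not in EXPECTED_TMP_TYPES:
            hits.append((path, ttype, rec["perms"]))
    return hits
```

Running tmp_mislabels over /var/log/audit/audit.log lines would report the /tmp/.X11-unix/X0 socket as root_t, while the denial on the xdm_tmp_t socket is left for normal policy review.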