Bug 539792 - SELinux is preventing the gdm-session-wor from using potentially mislabeled files (/root).
Summary: SELinux is preventing the gdm-session-wor from using potentially mislabeled f...
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:deb461f5b6f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-21 03:15 UTC by Edofin
Modified: 2009-11-23 13:36 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-11-23 13:36:31 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Edofin 2009-11-21 03:15:27 UTC 
Summary:

SELinux is preventing the gdm-session-wor from using potentially mislabeled
files (/root).

Detailed Description:

SELinux has denied gdm-session-wor access to potentially mislabeled file(s)
(/root). This means that SELinux will not allow gdm-session-wor to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want gdm-session-wor to access this files, you need to relabel them using
restorecon -v '/root'. You might want to relabel the entire directory using
restorecon -R -v '/root'.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdm-2.26.1-13.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-86.fc11
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.30.9-96.fc11.x86_64 #1 SMP Wed Nov 4 00:02:04
                              EST 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 21 Aug 2009 09:13:26 PM MDT
Last Seen                     Fri 20 Nov 2009 07:05:28 AM MST
Local ID                      469ac591-ac2e-497f-9187-ccae65dd7d60
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258725928.857:37): avc:  denied  { read write } for  pid=2532 comm="gdm-session-wor" name="root" dev=dm-0 ino=44 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1258725928.857:37): arch=c000003e syscall=21 success=no exit=-131940298596392 a0=1c97500 a1=7 a2=20 a3=4 items=0 ppid=2491 pid=2532 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.12-86.fc11,home_tmp_bad_labels,gdm-session-wor,xdm_t,admin_home_t,dir,read,write
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t admin_home_t:dir { read write };
Comment 1 Daniel Walsh 2009-11-23 13:36:31 UTC 

*** This bug has been marked as a duplicate of bug 538428 ***
Note You need to log in before you can comment on or make changes to this bug.