Summary:

SELinux is preventing /usr/bin/xauth "read" access on /proc/<pid>/status.

Detailed Description:

[xauth has a permissive type (xauth_t). This access was not denied.]

SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /proc/<pid>/status [ file ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Alert Count                   18
First Seen                    Sat 28 Nov 2009 10:35:14 AM EST
Last Seen                     Sat 28 Nov 2009 10:35:19 AM EST
Local ID                      4375031c-b13f-4797-b015-f75d1b67a6a3
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read } for pid=2357 comm="xauth" path="/proc/2320/status" dev=proc ino=16654 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file

node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidiactl" dev=tmpfs ino=12904 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidia0" dev=tmpfs ino=12906 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidia0" dev=tmpfs ino=12906 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidia0" dev=tmpfs ino=12906 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidia0" dev=tmpfs ino=12906 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1259364919.181:27033): arch=c000003e syscall=59 success=yes exit=0 a0=7fff9f7fcc8d a1=19f6e20 a2=1a28370 a3=35f9e7fc50 items=0 ppid=2330 pid=2357 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-49.fc12,catchall,xauth,xauth_t,unconfined_t,file,read

audit2allow suggests:

#============= xauth_t ==============
allow xauth_t device_t:chr_file { read write };
allow xauth_t unconfined_t:file read;
Nvidia devices seem to be getting created with the wrong label. Does xauth seem to be working correctly?
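An added example, not part of the original thread: a small Python triage of the AVC records in the report above. It regroups the denials into the same allow rules audit2allow suggested and lists device nodes still carrying the generic device_t type, which is the mislabeling noted in the comment above. The function names are illustrative; the log lines are copied from the report.

```python
import re
from collections import defaultdict

# Three AVC records copied from the report above (repeated nvidia0 records omitted).
SAMPLE = """\
node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read } for pid=2357 comm="xauth" path="/proc/2320/status" dev=proc ino=16654 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidiactl" dev=tmpfs ino=12904 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=(removed) type=AVC msg=audit(1259364919.181:27033): avc: denied { read write } for pid=2357 comm="xauth" path="/dev/nvidia0" dev=tmpfs ino=12906 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_DEV_TYPE = "device_t"  # default type for nodes under /dev with no specific label

def parse_avc(line):
    """Return the fields of one AVC denial, or None for other record types."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "path": f.get("path", ""),
        "stype": f["scontext"].split(":")[2],  # user:role:type:level
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
    }

def triage(text):
    """Group denials into allow-rule tuples and list device nodes left as device_t."""
    rules, suspects = defaultdict(set), set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
        if rec["ttype"] == GENERIC_DEV_TYPE and rec["tclass"] in ("chr_file", "blk_file"):
            suspects.add(rec["path"])
    return rules, sorted(suspects)

def render(rules):
    """Format rule tuples the way the audit2allow suggestion in the report does."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{c} {body};")
    return out

if __name__ == "__main__":
    rules, suspects = triage(SAMPLE)
    print("\n".join(render(rules)))
    print("device nodes with generic label:", suspects)
```

A non-empty suspects list points at a labeling problem to fix in policy or file contexts, rather than at a rule to add for the source domain.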
> Does xauth seem to be working correctly?

How can one test this?
Do your X apps seem to be working correctly when you log in? When you launch apps as root? If you ssh -X -Y into a box? I would figure it is working fine.
When I log in as a normal user everything is working fine. But there are indeed some problems when I try to launch apps as root, although I'm unsure if this isn't a topic of its own:

In KDE, when I type 'kdesu dolphin', SELinux comes up with a security alert; basically it says:

SELinux is preventing /bin/bash "write" access to /var/lib/misc/prelink.quick.

[xauth has a permissive type (xauth_t). This access was not denied.]

SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

This alert has occurred 33 times since Mon Nov 30, 2009 at 04:07:48 PM CET

After this, dolphin starts but is not fully functional: one can browse directories etc., but if one tries to, for example, open a text file, a KDE message dialog box pops up saying "KDEInit could not launch '/usr/bin/kwrite'.".

Right now I don't have the ability to try remote login into this machine, but I will check this tomorrow.
*** Bug 543479 has been marked as a duplicate of this bug. ***
I have some fixes for the labels. Fixed in selinux-policy-3.6.32-53.fc12.noarch
Remote login and execution of X/KDE applications work fine without any errors or warnings.
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.