Summary:

SELinux is preventing /sbin/setfiles access to a leaked /home/amessina/.xsession-errors-:0 file descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is either a leaked descriptor or restorecon output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /home/amessina/.xsession-errors-:0. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                /home/amessina/.xsession-errors-:0 [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.74-17.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 28 Nov 2009 12:06:57 PM CST
Last Seen                     Sat 28 Nov 2009 12:06:57 PM CST
Local ID                      8b9117e4-1e11-497c-b7d9-1a905bbff343
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1259431617.980:25025): avc: denied { write } for pid=1633 comm="restorecon" path="/home/amessina/.xsession-errors-:0" dev=0:15 ino=5980164 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1259431617.980:25025): avc: denied { write } for pid=1633 comm="restorecon" path="/home/amessina/.xsession-errors-:0" dev=0:15 ino=5980164 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1259431617.980:25025): arch=c000003e syscall=59 success=yes exit=0 a0=27d21c0 a1=27d2120 a2=27cdee0 a3=18 items=0 ppid=1628 pid=1633 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-49.fc12,leaks,restorecon,setfiles_t,nfs_t,file,write

audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t nfs_t:file write;
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-52.fc12.noarch

Are you using kdm for login?
I do use KDM and I also have my /home dirs mounted over NFS with krb5p.
This is a bug in SELinux-policy but I wanted to change this bug to kdebase, because the kdm should be opening the xsession-errors file for append instead of write. This is what gdm is doing. If you do this, I can change the access to allow and prevent a confined application from clearing all data in the .xsession-errors file.
KDM is actually in kdebase-workspace.
An ever-growing ~/.xsession-errors is preferable? Really?
It is fine if xdm truncates the file, which is also what gdm does, but pass the descriptor as append only for the session.
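The descriptor handling discussed in the comments above, as an added example that is not part of the original thread or of kdm's code: the display manager truncates the log once, then hands the session an O_APPEND descriptor, and an inheriting process that rewinds and writes can no longer overwrite earlier output. The function names, the sample log line and the /tmp path are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER "session start\n"   /* constructed sample log line */

/* Display-manager side: truncate the log once, then return the descriptor
   the session will inherit. With append_only set it is reopened O_APPEND,
   so every write through it lands at end of file. */
static int open_session_log(const char *path, int append_only) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || !append_only)
        return fd;
    close(fd);
    return open(path, O_WRONLY | O_APPEND);
}

/* Session side: a process that inherited fd rewinds and writes, which
   overwrites earlier output unless the descriptor is O_APPEND. */
static int rewind_and_write(int fd) {
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    return write(fd, "XX", 2) == 2 ? 0 : -1;
}

/* Returns 1 if BANNER is still intact at the start of the log afterwards,
   0 if it was overwritten, -1 on I/O error. */
int banner_survives(int append_only) {
    char path[] = "/tmp/xsession-errors-demo-XXXXXX";  /* hypothetical path */
    char buf[64] = {0};
    int ok = -1, fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    fd = open_session_log(path, append_only);
    if (fd >= 0 && write(fd, BANNER, strlen(BANNER)) == (ssize_t)strlen(BANNER)
        && rewind_and_write(fd) == 0) {
        int rd = open(path, O_RDONLY);
        if (rd >= 0 && read(rd, buf, sizeof buf - 1) > 0)
            ok = strncmp(buf, BANNER, strlen(BANNER)) == 0;
        if (rd >= 0) close(rd);
    }
    if (fd >= 0) close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("plain write fd: banner intact = %d\n", banner_survives(0));
    printf("append-only fd: banner intact = %d\n", banner_survives(1));
    return 0;
}
```

With the descriptor opened this way, policy can grant the append permission on the file class instead of the write permission that audit2allow suggested in the report.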
* Fri Dec 11 2009 Rex Dieter <rdieter> 4.3.80-4
- SELinux is preventing access to a leaked .xsession-errors-:0 file descriptor (#542312)
akonadi-1.3.1-2.fc11,arora-0.10.2-3.fc11,compiz-0.7.8-20.fc11,digikam-1.1.0-2.fc11,kbluetooth-0.4.1-2.fc11,kcoloredit-4.4.0-2.fc11,kdeaccessibility-4.4.0-1.fc11,kdeadmin-4.4.0-2.fc11,kdeartwork-4.4.0-1.fc11,kdebase-4.4.0-3.fc11,kdebase-runtime-4.4.0-3.fc11,kdebase-workspace-4.4.0-7.fc11,kdebindings-4.4.0-1.fc11,kdeedu-4.4.0-1.fc11,kdegames-4.4.0-2.fc11,kdegraphics-4.4.0-1.fc11,kde-l10n-4.4.0-1.fc11,kdelibs-4.4.0-9.fc11,kdemultimedia-4.4.0-1.fc11,kdenetwork-4.4.0-2.fc11,kdepim-4.4.0-5.fc11,kdepimlibs-4.4.0-2.fc11,kdepim-runtime-4.4.0-4.fc11,kdeplasma-addons-4.4.0-1.fc11,kde-plasma-networkmanagement-0.9-0.12.20100220.fc11,kde-plasma-smooth-tasks-0.0.1-0.1.wip20091206.fc11.1,kde-plasma-stasks-0.5.1-7.fc11,kde-plasma-yawp-0.3.2-2.fc11,kdesdk-4.4.0-1.fc11,kde-settings-4.2-17,kdetoys-4.4.0-1.fc11,kdeutils-4.4.0-1.fc11,kgrab-0.1.1-22.fc11,kiconedit-4.4.0-1.fc11,kio_gopher-0.1.3-3.fc11,kipi-plugins-1.1.0-1.fc11.2,konq-plugins-4.4.0-2.fc11,kopete-cryptography-1.3.0-16.fc11,kphotoalbum-4.1.1-5.fc11,kpilot-5.3.0-4.fc11,oxygen-icon-theme-4.4.0-2.fc11,polkit-qt-0.9.3-2.fc11,PyKDE-3.16.6-3.fc11,PyQt-3.18.1-6.fc11,PyQt4-4.7-1.fc11,qedje-0.4.0-6.fc11,qgis-1.0.2-6.fc11,qscintilla-2.4.2-1.fc11,qt-4.6.2-1.fc11,qt-creator-1.3.1-2.fc11,qtscriptgenerator-0.1.0-10.fc11,qzion-0.4.0-7.fc11,scidavis-0.2.3-13.fc11,sip-4.10-1.fc11,skanlite-0.4-1.fc11,soprano-2.4.0.1-1.fc11,strigi-0.7.2-2.fc11,virtuoso-opensource-6.1.0-2.fc11,webkitkde-0.0.5-0.1.svn1088283.fc11,PyQwt-5.2.0-4.fc11,qbittorrent-1.4.1-3.fc11,frescobaldi-1.0.2-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1850
akonadi-1.3.1-2.fc12,arora-0.10.2-3.fc12,avogadro-1.0.0-3.fc12,compiz-0.8.2-24.fc12,digikam-1.1.0-2.fc12,kbluetooth-0.4.1-2.fc12,kcoloredit-4.4.0-2.fc12,kdeaccessibility-4.4.0-1.fc12,kdeadmin-4.4.0-2.fc12,kdeartwork-4.4.0-1.fc12,kdebase-4.4.0-3.fc12,kdebase-runtime-4.4.0-3.fc12,kdebase-workspace-4.4.0-7.fc12,kdebindings-4.4.0-1.fc12,kdeedu-4.4.0-1.fc12,kdegames-4.4.0-2.fc12,kdegraphics-4.4.0-1.fc12,kdelibs-4.4.0-9.fc12,kdemultimedia-4.4.0-1.fc12,kdenetwork-4.4.0-2.fc12,kdepim-4.4.0-5.fc12,kdepimlibs-4.4.0-2.fc12,kdepim-runtime-4.4.0-4.fc12,kdeplasma-addons-4.4.0-1.fc12,kde-l10n-4.4.0-1.fc12,kde-plasma-networkmanagement-0.9-0.12.20100220.fc12,kde-plasma-smooth-tasks-0.0.1-0.1.wip20091206.fc12.1,kde-plasma-stasks-0.5.1-7.fc12,kde-plasma-yawp-0.3.2-2.fc12,kdesdk-4.4.0-1.fc12,kde-settings-4.3-17,kdetoys-4.4.0-1.fc12,kdeutils-4.4.0-1.fc12,kgrab-0.1.1-22.fc12,kiconedit-4.4.0-1.fc12,kio_gopher-0.1.3-3.fc12,kipi-plugins-1.1.0-1.fc12.2,konq-plugins-4.4.0-2.fc12,kopete-cryptography-1.3.0-16.fc12,kphotoalbum-4.1.1-5.fc12,kpilot-5.3.0-4.fc12,oxygen-icon-theme-4.4.0-2.fc12,polkit-qt-0.95.1-3.fc12,PyKDE-3.16.6-3.fc12,PyQt-3.18.1-6.fc12,PyQt4-4.7-1.fc12,qedje-0.4.0-6.fc12,qgis-1.0.2-6.fc12,qscintilla-2.4.2-1.fc12,qt-4.6.2-1.fc12,qt-creator-1.3.1-2.fc12,qtscriptgenerator-0.1.0-10.fc12,qzion-0.4.0-7.fc12,scidavis-0.2.3-13.fc12,sip-4.10-1.fc12,skanlite-0.4-1.fc12,soprano-2.4.0.1-1.fc12,strigi-0.7.2-2.fc12,virtuoso-opensource-6.1.0-2.fc12,webkitkde-0.0.5-0.1.svn1088283.fc12,PyQwt-5.2.0-4.fc12,qbittorrent-2.1.5-4.fc12,frescobaldi-1.0.2-1.fc12 has been submitted as an update for Fedora 12. 
http://admin.fedoraproject.org/updates/akonadi-1.3.1-2.fc12,arora-0.10.2-3.fc12,avogadro-1.0.0-3.fc12,compiz-0.8.2-24.fc12,digikam-1.1.0-2.fc12,kbluetooth-0.4.1-2.fc12,kcoloredit-4.4.0-2.fc12,kdeaccessibility-4.4.0-1.fc12,kdeadmin-4.4.0-2.fc12,kdeartwork-4.4.0-1.fc12,kdebase-4.4.0-3.fc12,kdebase-runtime-4.4.0-3.fc12,kdebase-workspace-4.4.0-7.fc12,kdebindings-4.4.0-1.fc12,kdeedu-4.4.0-1.fc12,kdegames-4.4.0-2.fc12,kdegraphics-4.4.0-1.fc12,kdelibs-4.4.0-9.fc12,kdemultimedia-4.4.0-1.fc12,kdenetwork-4.4.0-2.fc12,kdepim-4.4.0-5.fc12,kdepimlibs-4.4.0-2.fc12,kdepim-runtime-4.4.0-4.fc12,kdeplasma-addons-4.4.0-1.fc12,kde-l10n-4.4.0-1.fc12,kde-plasma-networkmanagement-0.9-0.12.20100220.fc12,kde-plasma-smooth-tasks-0.0.1-0.1.wip20091206.fc12.1,kde-plasma-stasks-0.5.1-7.fc12,kde-plasma-yawp-0.3.2-2.fc12,kdesdk-4.4.0-1.fc12,kde-settings-4.3-17,kdetoys-4.4.0-1.fc12,kdeutils-4.4.0-1.fc12,kgrab-0.1.1-22.fc12,kiconedit-4.4.0-1.fc12,kio_gopher-0.1.3-3.fc12,kipi-plugins-1.1.0-1.fc12.2,konq-plugins-4.4.0-2.fc12,kopete-cryptography-1.3.0-16.fc12,kphotoalbum-4.1.1-5.fc12,kpilot-5.3.0-4.fc12,oxygen-icon-theme-4.4.0-2.fc12,polkit-qt-0.95.1-3.fc12,PyKDE-3.16.6-3.fc12,PyQt-3.18.1-6.fc12,PyQt4-4.7-1.fc12,qedje-0.4.0-6.fc12,qgis-1.0.2-6.fc12,qscintilla-2.4.2-1.fc12,qt-4.6.2-1.fc12,qt-creator-1.3.1-2.fc12,qtscriptgenerator-0.1.0-10.fc12,qzion-0.4.0-7.fc12,scidavis-0.2.3-13.fc12,sip-4.10-1.fc12,skanlite-0.4-1.fc12,soprano-2.4.0.1-1.fc12,strigi-0.7.2-2.fc12,virtuoso-opensource-6.1.0-2.fc12,webkitkde-0.0.5-0.1.svn1088283.fc12,PyQwt-5.2.0-4.fc12,qbittorrent-2.1.5-4.fc12,frescobaldi-1.0.2-1.fc12
kbluetooth-0.4.1-2.fc12, kdebase-workspace-4.4.0-7.fc12, kdelibs-4.4.0-9.fc12, kdepim-4.4.0-5.fc12, kde-plasma-networkmanagement-0.9-0.12.20100220.fc12, qt-4.6.2-1.fc12, qbittorrent-2.1.5-4.fc12, frescobaldi-1.0.2-1.fc12, akonadi-1.3.1-2.fc12, arora-0.10.2-3.fc12, avogadro-1.0.0-3.fc12, compiz-0.8.2-24.fc12, digikam-1.1.0-2.fc12, kcoloredit-4.4.0-2.fc12, kdeaccessibility-4.4.0-1.fc12, kdeadmin-4.4.0-2.fc12, kdeartwork-4.4.0-1.fc12, kdebase-4.4.0-3.fc12, kdebase-runtime-4.4.0-3.fc12, kdebindings-4.4.0-1.fc12, kdeedu-4.4.0-1.fc12, kdegames-4.4.0-2.fc12, kdegraphics-4.4.0-1.fc12, kdemultimedia-4.4.0-1.fc12, kdenetwork-4.4.0-2.fc12, kdepimlibs-4.4.0-2.fc12, kdeplasma-addons-4.4.0-1.fc12, kde-l10n-4.4.0-1.fc12, kde-plasma-smooth-tasks-0.0.1-0.1.wip20091206.fc12.1, kde-plasma-stasks-0.5.1-7.fc12, kde-plasma-yawp-0.3.2-2.fc12, kdesdk-4.4.0-1.fc12, kde-settings-4.3-17, kdetoys-4.4.0-1.fc12, kdeutils-4.4.0-1.fc12, kgrab-0.1.1-22.fc12, kiconedit-4.4.0-1.fc12, kio_gopher-0.1.3-3.fc12, kipi-plugins-1.1.0-1.fc12.2, konq-plugins-4.4.0-2.fc12, kopete-cryptography-1.3.0-16.fc12, kphotoalbum-4.1.1-5.fc12, kpilot-5.3.0-4.fc12, oxygen-icon-theme-4.4.0-2.fc12, polkit-qt-0.95.1-3.fc12, PyKDE-3.16.6-3.fc12, PyQt-3.18.1-6.fc12, PyQt4-4.7-1.fc12, qedje-0.4.0-6.fc12, qgis-1.0.2-6.fc12, qscintilla-2.4.2-1.fc12, qt-creator-1.3.1-2.fc12, qtscriptgenerator-0.1.0-10.fc12, qzion-0.4.0-7.fc12, scidavis-0.2.3-13.fc12, sip-4.10-1.fc12, skanlite-0.4-1.fc12, soprano-2.4.0.1-1.fc12, strigi-0.7.2-2.fc12, virtuoso-opensource-6.1.0-2.fc12, webkitkde-0.0.5-0.1.svn1088283.fc12, kdepim-runtime-4.4.0-4.fc12, PyQwt-5.2.0-4.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. 
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update kbluetooth kdebase-workspace kdelibs kdepim kde-plasma-networkmanagement qt qbittorrent frescobaldi akonadi arora avogadro compiz digikam kcoloredit kdeaccessibility kdeadmin kdeartwork kdebase kdebase-runtime kdebindings kdeedu kdegames kdegraphics kdemultimedia kdenetwork kdepimlibs kdeplasma-addons kde-l10n kde-plasma-smooth-tasks kde-plasma-stasks kde-plasma-yawp kdesdk kde-settings kdetoys kdeutils kgrab kiconedit kio_gopher kipi-plugins konq-plugins kopete-cryptography kphotoalbum kpilot oxygen-icon-theme polkit-qt PyKDE PyQt PyQt4 qedje qgis qscintilla qt-creator qtscriptgenerator qzion scidavis sip skanlite soprano strigi virtuoso-opensource webkitkde kdepim-runtime PyQwt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2579
kbluetooth-0.4.1-2.fc12, kdebase-workspace-4.4.0-7.fc12, kdelibs-4.4.0-9.fc12, kdepim-4.4.0-5.fc12, kde-plasma-networkmanagement-0.9-0.12.20100220.fc12, qt-4.6.2-1.fc12, qbittorrent-2.1.5-4.fc12, frescobaldi-1.0.2-1.fc12, akonadi-1.3.1-2.fc12, arora-0.10.2-3.fc12, avogadro-1.0.0-3.fc12, compiz-0.8.2-24.fc12, digikam-1.1.0-2.fc12, kcoloredit-4.4.0-2.fc12, kdeaccessibility-4.4.0-1.fc12, kdeadmin-4.4.0-2.fc12, kdeartwork-4.4.0-1.fc12, kdebase-4.4.0-3.fc12, kdebase-runtime-4.4.0-3.fc12, kdebindings-4.4.0-1.fc12, kdeedu-4.4.0-1.fc12, kdegames-4.4.0-2.fc12, kdegraphics-4.4.0-1.fc12, kdemultimedia-4.4.0-1.fc12, kdenetwork-4.4.0-2.fc12, kdepimlibs-4.4.0-2.fc12, kdeplasma-addons-4.4.0-1.fc12, kde-l10n-4.4.0-1.fc12, kde-plasma-smooth-tasks-0.0.1-0.1.wip20091206.fc12.1, kde-plasma-stasks-0.5.1-7.fc12, kde-plasma-yawp-0.3.2-2.fc12, kdesdk-4.4.0-1.fc12, kde-settings-4.3-17, kdetoys-4.4.0-1.fc12, kdeutils-4.4.0-1.fc12, kgrab-0.1.1-22.fc12, kiconedit-4.4.0-1.fc12, kio_gopher-0.1.3-3.fc12, kipi-plugins-1.1.0-1.fc12.2, konq-plugins-4.4.0-2.fc12, kopete-cryptography-1.3.0-16.fc12, kphotoalbum-4.1.1-5.fc12, kpilot-5.3.0-4.fc12, oxygen-icon-theme-4.4.0-2.fc12, polkit-qt-0.95.1-3.fc12, PyKDE-3.16.6-3.fc12, PyQt-3.18.1-6.fc12, PyQt4-4.7-1.fc12, qedje-0.4.0-6.fc12, qgis-1.0.2-6.fc12, qscintilla-2.4.2-1.fc12, qt-creator-1.3.1-2.fc12, qtscriptgenerator-0.1.0-10.fc12, qzion-0.4.0-7.fc12, scidavis-0.2.3-13.fc12, sip-4.10-1.fc12, skanlite-0.4-1.fc12, soprano-2.4.0.1-1.fc12, strigi-0.7.2-2.fc12, virtuoso-opensource-6.1.0-2.fc12, webkitkde-0.0.5-0.1.svn1088283.fc12, kdepim-runtime-4.4.0-4.fc12, PyQwt-5.2.0-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
kbluetooth-0.4.1-2.fc11, kdebase-workspace-4.4.0-7.fc11, kdelibs-4.4.0-9.fc11, kdepim-4.4.0-5.fc11, kde-plasma-networkmanagement-0.9-0.12.20100220.fc11, qt-4.6.2-1.fc11, qbittorrent-1.4.1-3.fc11, frescobaldi-1.0.2-1.fc11, akonadi-1.3.1-2.fc11, arora-0.10.2-3.fc11, compiz-0.7.8-20.fc11, digikam-1.1.0-2.fc11, kcoloredit-4.4.0-2.fc11, kdeaccessibility-4.4.0-1.fc11, kdeadmin-4.4.0-2.fc11, kdeartwork-4.4.0-1.fc11, kdebase-4.4.0-3.fc11, kdebase-runtime-4.4.0-3.fc11, kdebindings-4.4.0-1.fc11, kdeedu-4.4.0-1.fc11, kdegames-4.4.0-2.fc11, kdegraphics-4.4.0-1.fc11, kde-l10n-4.4.0-1.fc11, kdemultimedia-4.4.0-1.fc11, kdenetwork-4.4.0-2.fc11, kdepimlibs-4.4.0-2.fc11, kdeplasma-addons-4.4.0-1.fc11, kde-plasma-smooth-tasks-0.0.1-0.1.wip20091206.fc11.1, kde-plasma-stasks-0.5.1-7.fc11, kde-plasma-yawp-0.3.2-2.fc11, kdesdk-4.4.0-1.fc11, kde-settings-4.2-17, kdetoys-4.4.0-1.fc11, kdeutils-4.4.0-1.fc11, kgrab-0.1.1-22.fc11, kiconedit-4.4.0-1.fc11, kio_gopher-0.1.3-3.fc11, kipi-plugins-1.1.0-1.fc11.2, konq-plugins-4.4.0-2.fc11, kopete-cryptography-1.3.0-16.fc11, kphotoalbum-4.1.1-5.fc11, kpilot-5.3.0-4.fc11, oxygen-icon-theme-4.4.0-2.fc11, polkit-qt-0.9.3-2.fc11, PyKDE-3.16.6-3.fc11, PyQt-3.18.1-6.fc11, PyQt4-4.7-1.fc11, qedje-0.4.0-6.fc11, qgis-1.0.2-6.fc11, qscintilla-2.4.2-1.fc11, qt-creator-1.3.1-2.fc11, qtscriptgenerator-0.1.0-10.fc11, qzion-0.4.0-7.fc11, scidavis-0.2.3-13.fc11, sip-4.10-1.fc11, skanlite-0.4-1.fc11, soprano-2.4.0.1-1.fc11, strigi-0.7.2-2.fc11, virtuoso-opensource-6.1.0-2.fc11, webkitkde-0.0.5-0.1.svn1088283.fc11, kdepim-runtime-4.4.0-4.fc11, PyQwt-5.2.0-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.