Using KDM with autologin enabled (no GDM installed) for my MythTV frontends, I receive the following SELinux denials at startup. I must admit, I'm not sure what it's trying to do and even in enforcing mode, it doesn't seem to affect the function of auto-login for KDM.

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_spool_t:s0
Target Objects                /var/spool/gdm/force-display-on-active-vt (deleted) [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          mythtv-fe1.chicago.messinet.com
Source RPM Packages           policycoreutils-2.0.78-7.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-66.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mythtv-fe1.chicago.messinet.com
Platform                      Linux mythtv-fe1.chicago.messinet.com 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Wed Jan 13 17:50:14 2010
Last Seen                     Mon Jan 18 17:19:30 2010
Local ID                      0f81d51f-453f-4f14-82df-948d4616e179
Line Numbers

Raw Audit Messages

node=mythtv-fe1.chicago.messinet.com type=AVC msg=audit(1263856770.436:12): avc: denied { read } for pid=1741 comm="restorecon" path=2F7661722F73706F6F6C2F67646D2F666F7263652D646973706C61792D6F6E2D6163746976652D7674202864656C6574656429 dev=dm-0 ino=262309 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=file

node=mythtv-fe1.chicago.messinet.com type=SYSCALL msg=audit(1263856770.436:12): arch=c000003e syscall=59 success=yes exit=0 a0=bf51e0 a1=bf5140 a2=bf0ef0 a3=18 items=0 ppid=1735 pid=1741 auid=509 uid=509 gid=509 euid=509 suid=509 fsuid=509 egid=509 sgid=509 fsgid=509 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
This looks like kdm is leaking a file descriptor to /var/spool/gdm/force-display-on-active-vt
I just copy-n-pasted the same code gdm uses. Here's the code, http://cvs.fedoraproject.org/viewvc/devel/kdebase-workspace/kdebase-workspace-4.3.3-kdm_plymouth.patch?revision=1.1&view=markup
31 + should_force_display_on_active_vt=open("/var/spool/gdm/force-display-on-active-vt", O_RDONLY); 32 + unlink("/var/spool/gdm/force-display-on-active-vt"); 33 + return should_force_display_on_active_vt; open without close here.
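Review bot: the descriptor returned by open() on line 31 is handed back to the caller and never closed, so after the unlink() on line 32 it stays open on an already-deleted inode and is inherited by every child kdm exec()s; that is exactly the "(deleted)" path restorecon is seen reading in the AVC above. Since the result is only used as a yes/no, replace open()+unlink() with an access()/stat() existence test followed by unlink(), or at minimum open with O_CLOEXEC and close the descriptor before returning.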
ah, thanks. fwiw, gdm used g_file_test there (which must handle the closing itself).
After upgrading to kdm-4.3.90-8.fc12.x86_64 from kdm-4.3.90-5.fc12.x86_64, kdm segfaults due to what appears to be infinite recursion. I'll attach the strace in a second, but it would appear that the attempted fix for this bug is the cause as the trace is mostly: open("/var/spool/gdm/force-display-on-active-vt", O_RDONLY) = -1 ENOENT (No such file or directory)
Created attachment 385565: "strace kdm -nodaemon >& kdm.strace", gzipped
This is yet another bug in the patch: + if ( triggered_to_force_display_on_active_vt() >= 0 ) + close(should_force_display_on_active_vt); That should be: + if ( should_force_display_on_active_vt >= 0 ) + close(should_force_display_on_active_vt); otherwise we have infinite recursion.
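Review bot: the condition in the first hunk calls triggered_to_force_display_on_active_vt() again instead of testing the saved descriptor, so every call re-enters itself and never returns, which is the endless open()/ENOENT loop in the attached strace. The corrected second hunk tests should_force_display_on_active_vt directly, so close() runs only when the earlier open() actually succeeded and the recursion disappears.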
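The two defects discussed above (the leaked descriptor from the open()-then-unlink() existence check, and the need to close it only when open() succeeded) are easiest to see side by side. The following is an added example written for this page, not code from the kdm patch or from gdm: it recreates the leaky pattern, then shows two non-leaking ways to ask "was the trigger file present, and remove it", and proves the leak by watching the lowest free descriptor number before and after each check. The path under /tmp is a hypothetical stand-in for /var/spool/gdm/force-display-on-active-vt.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_CLOEXEC
#define O_CLOEXEC 0 /* pre-2.6.23 kernels: FD_CLOEXEC is still set via fcntl() below */
#endif

/* Hypothetical trigger path for the demonstration (constructed, not the real one). */
static const char *const TRIGGER = "/tmp/force-display-on-active-vt.example";

static int create_trigger(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* 1. The pattern from the patch: open, unlink, hand the descriptor back.
 *    Nobody closes it, so it lingers on an unlinked inode ("(deleted)")
 *    and is inherited by every child the display manager exec()s. */
static int leaky_check(const char *path)
{
    int fd = open(path, O_RDONLY);
    unlink(path);
    return fd;
}

/* 2. Same semantics, but the descriptor is close-on-exec and is closed
 *    before returning; only the yes/no result leaves the function. */
static int closed_check(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int present = fd >= 0;
    if (present) {
        fcntl(fd, F_SETFD, FD_CLOEXEC); /* belt and braces for old kernels */
        close(fd);
    }
    unlink(path);
    return present;
}

/* 3. No descriptor at all: stat() answers the existence question. */
static int stat_check(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    unlink(path);
    return 1;
}

/* POSIX guarantees open() returns the lowest unused descriptor, so this
 * number only moves if some descriptor was left open in between. */
static int lowest_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0)
        close(fd);
    return fd;
}

/* fcntl(F_GETFD) fails with EBADF on a closed descriptor. */
static int fd_is_open(int fd)
{
    return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Returns 1 if leaky_check() left a descriptor open after the file was gone. */
int demo_leak(void)
{
    if (create_trigger(TRIGGER) != 0)
        return -1;
    int before = lowest_free_fd();
    int fd = leaky_check(TRIGGER);
    int after = lowest_free_fd();
    int leaked = fd_is_open(fd) && after == before + 1;
    if (fd >= 0)
        close(fd); /* clean up what the buggy caller forgot */
    return leaked;
}

/* Returns 1 if the check reports the file, removes it, and leaks nothing. */
int demo_check(int (*check)(const char *))
{
    if (create_trigger(TRIGGER) != 0)
        return -1;
    int before = lowest_free_fd();
    int present = check(TRIGGER);
    int after = lowest_free_fd();
    return present == 1 && access(TRIGGER, F_OK) != 0 && after == before;
}

int main(void)
{
    printf("leaky_check leaks a descriptor: %d\n", demo_leak());
    printf("closed_check clean:             %d\n", demo_check(closed_check));
    printf("stat_check clean:               %d\n", demo_check(stat_check));
    return 0;
}
```

Of the two fixes, stat_check is what g_file_test amounts to and is the cleaner choice when the descriptor is never read; closed_check is the minimal change if the open() is kept, and O_CLOEXEC additionally guarantees that even a descriptor closed late cannot cross an exec() into a confined child such as restorecon.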
*** Bug 557536 has been marked as a duplicate of this bug. ***
marking dep on kde-4.4 (unless someone is interested in backporting fix to 4.3.x in the meantime).
don't mind me, Kevin already did the backport builds.
*** Bug 557777 has been marked as a duplicate of this bug. ***
kdebase-workspace-4.3.4-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
kdebase-workspace-4.3.4-6.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 557502 has been marked as a duplicate of this bug. ***
*** Bug 558287 has been marked as a duplicate of this bug. ***