Fedora Account System
Red Hat Associate
Red Hat Customer
Summary: SELinux is preventing /usr/libexec/gdm-session-worker "read" access on /root/.gstreamer-0.10/registry.x86_64.bin. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:admin_home_t:s0 Target Objects /root/.gstreamer-0.10/registry.x86_64.bin [ file ] Source gdm-session-wor Source Path /usr/libexec/gdm-session-worker Port <Unknown> Host (removed) Source RPM Packages gdm-2.28.2-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux E-laptop 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64 Alert Count 18 First Seen IST 18:31:54 2010 ינו 18 ב' Last Seen IST 16:22:39 2010 ינו 19 ג' Local ID b37f4951-d088-4026-a1ca-3e146d578f2a Line Numbers Raw Audit Messages node=E-laptop type=AVC msg=audit(1263910959.367:9): avc: denied { read } for pid=1506 comm="gdm-session-wor" name="registry.x86_64.bin" dev=sda6 ino=1540956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file node=E-laptop type=AVC msg=audit(1263910959.367:9): avc: denied { open } for pid=1506 comm="gdm-session-wor" name="registry.x86_64.bin" dev=sda6 ino=1540956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file node=E-laptop type=SYSCALL msg=audit(1263910959.367:9): arch=c000003e syscall=2 success=yes exit=4294967424 a0=11b3030 a1=0 a2=0 a3=18 items=0 ppid=1366 pid=1506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) It is not usual that gdm needs Gstreamer access, but I use pam-face-authentication (http://code.google.com/p/pam-face-authentication/) and because of this bug it doesn't work on login. (If I already logged on it does works).
Created attachment 385957 [details] Patch to label /root/.gstreamer-* such that gdm can read it. Miroslav, what do you think of this patch. I think labeling stuff in the /root directory might eliminate some of these avcs we are seeing. Please add to F12.
Looks good. I believe mainly the labeling /root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) /root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) will prevent further bugs. Fixed in selinux-policy-3.6.32-75.fc12.noarch
selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.