I see this at every boot

Summary:
SELinux is preventing /usr/bin/gnome-session "write" access on .ICE-unix.

Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by gnome-session. It is not expected that this access is required by gnome-session and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                .ICE-unix [ dir ]
Source                        gnome-session
Source Path                   /usr/bin/gnome-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-session-2.28.0-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-97.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 03 Mar 2010 21:11:11 CET
Last Seen                     Wed 03 Mar 2010 21:11:11 CET
Local ID                      ea8d1d50-a695-4ab7-917c-367890b1c088
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1267647071.678:11809): avc: denied { write } for pid=2051 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=14 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1267647071.678:11809): avc: denied { add_name } for pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1267647071.678:11809): avc: denied { create } for pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
node=(removed) type=SYSCALL msg=audit(1267647071.678:11809): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7fff6ed93e50 a2=15 a3=ffffffed items=0 ppid=1590 pid=2051 auid=4294967295 uid=42 gid=479 euid=42 suid=42 fsuid=42 egid=479 sgid=479 fsgid=479 tty=(none) ses=4294967295 comm="gnome-session" exe="/usr/bin/gnome-session" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,gnome-session,xdm_t,initrc_tmp_t,dir,write
audit2allow suggests:

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# xdm_home_t, pam_var_console_t, pcscd_var_run_t, var_lock_t, xkb_var_lib_t, xdm_rw_etc_t, root_t, tmp_t, var_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t, var_lib_t, var_run_t, user_tmp_t, xdm_tmp_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, nfs_t, root_t

allow xdm_t initrc_tmp_t:dir { write add_name };
allow xdm_t initrc_tmp_t:sock_file create;
Are you using freenx?
(In reply to comment #1)
> Are you using freenx?

No. VNC (vino+vinagre) sometimes.
But this is your desktop machine?

restorecon -R -v /tmp/.ICE-unix

should fix the label. When you get a chance, destroy the directory, reboot, log in, and see if the label is user_tmp_t. initrc_tmp_t means it is a temporary directory created during bootup at some point. If a user process created the directory, it would be labelled user_tmp_t. I was guessing that you had some remote Xserver like freenx that was creating the directory.
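The triage the comment above describes, as an added shell example (this is not code from the bug report or from the selinux-policy package): parse the AVC records into source type, target type, object class and permission, render the allow rules audit2allow would propose so it is visible how broad the "just allow it" fix is (every initrc_tmp_t directory, not just this one), and compare the directory's live label with what the file_contexts database expects, relabeling only on a mismatch. It assumes the Fedora-era tools `stat -c %C`, `matchpathcon -n` and `restorecon`; the sample audit records are constructed from the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes stat -c %C, matchpathcon -n
# and restorecon as shipped on Fedora 12; the live check needs an SELinux host.

# Type field (third colon-separated field) of a full SELinux context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed sample: the three AVC records from the report plus the SYSCALL
# record, which carries no denial and must be ignored by avc_summary.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1267647071.678:11809): avc: denied { write } for pid=2051 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=14 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1267647071.678:11809): avc: denied { add_name } for pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1267647071.678:11809): avc: denied { create } for pid=2051 comm="gnome-session" name="2051" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1267647071.678:11809): arch=c000003e syscall=49 success=yes exit=0 ppid=1590 pid=2051 uid=42 comm="gnome-session" exe="/usr/bin/gnome-session" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
EOF
}

# Reduce raw audit records on stdin to "<perm> <source type> <target type> <class>",
# one line per denied permission, duplicates removed.
avc_summary() {
    grep 'type=AVC' | sed -n \
        's/.*denied { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p' \
        | sort -u
}

# Group the summary into the allow rules audit2allow would emit. Shown so the
# reader can see that such a module lets xdm_t write to every initrc_tmp_t
# directory on the box; relabeling the one directory is the narrower fix.
allow_rules() {
    awk '{ key = $2 " " $3 ":" $4; sep = (key in perms) ? " " : "";
           perms[key] = perms[key] sep $1 }
         END { for (k in perms) printf "allow %s { %s };\n", k, perms[k] }' | sort
}

# Verdict for an observed/expected type pair:
#   ok      - label matches file_contexts; a denial here is a policy gap
#   relabel - object is mislabeled; restorecon is the right fix
triage() {
    if [ "$1" = "$2" ]; then echo ok; else echo relabel; fi
}

# Live check of one path (root on an SELinux host; not exercised by the test).
check_path() {
    path=$1
    actual=$(ctx_type "$(stat -c %C "$path")")
    expected=$(ctx_type "$(matchpathcon -n "$path")")
    verdict=$(triage "$actual" "$expected")
    printf '%s actual=%s expected=%s -> %s\n' "$path" "$actual" "$expected" "$verdict"
    if [ "$verdict" = relabel ]; then
        restorecon -R -v "$path"
    fi
}

# Usage: sample_audit | avc_summary | allow_rules ; check_path /tmp/.ICE-unix
```

The point of `check_path` is the order of operations the thread converges on: look at `matchpathcon` before touching policy. If the live label already matches the expected one and the AVC persists, `restorecon` cannot help and the file_contexts entry itself (or the creating process) is what needs changing.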
It's my main laptop, I will try what you suggest tomorrow, thank you!
Sorry for the delay, I did as you told me. I deleted /tmp/.ICE-unix, rebooted and the directory got created again, with initrc_tmp_t label. So same selinux warning. Anything else I can do? I really don't know what is creating this folder.
Do you have any services running that could be causing this directory to be created?

# chkconfig --list | grep on
Created attachment 398919 [details]
List of running services from chkconfig

chkconfig --list output attached
If I go to runlevel 3, delete the directory, then go to runlevel 5, I do get the system_u:object_r:xdm_tmp_t:s0 context. If I go to runlevel 3, delete the directory, and then reboot to runlevel 5, the directory comes back with the system_u:object_r:initrc_tmp_t:s0 context.
I am seeing the same behavior here on a RHEL6 box.
Created attachment 398961 [details]
List of active services
I'm getting the same SELinux message after upgrading to selinux-policy-targeted-3.6.32-99.fc12.noarch.rpm (followed by an autorelabel). I'm not using freenx, VNC or something else. It's a plain local login (from GDM).
Created attachment 399583 [details]
List of running services (from chkconfig)

chkconfig --list | grep 5:on
I have found the problem. /tmp/.ICE-unix is actually being created in /etc/rc.sysinit.

Adding the following labeling

/tmp/\.ICE-unix(/.*)?	gen_context(system_u:object_r:xdm_tmp_t,s0)

and removing the labeling from userdomain.fc will fix the problem.
@DW: How do you do that "adding the following labeling"? Where do you add that line?
I am asking Miroslav, the bugzilla assignee to make the change. Basically it is a software configuration change in the selinux-policy package.
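For anyone who cannot wait for the rebuilt package, the same file-context rule can be installed locally with semanage. The block below is an added example, not from the bug report or the selinux-policy package; it assumes `semanage` (policycoreutils-python), `matchpathcon`, `restorecon` and `sesearch` (setools) are present and that the privileged functions run as root. The `fc_match` helper emulates how a file_contexts regex is matched (against the whole path, so `(/.*)?` covers the per-session sockets inside the directory but a renamed `/tmp/.ICE-unix1`, as used in the thread's mv workaround, is covered by no rule) so the pattern can be sanity-checked before it is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes semanage, matchpathcon,
# restorecon and sesearch are installed; apply_local_rule/remove_local_rule
# need root on an SELinux host and are not exercised by the test.

ICE_PATTERN='/tmp/\.ICE-unix(/.*)?'   # pattern from the comment above
ICE_TYPE='xdm_tmp_t'

# file_contexts regexes are matched against the full path (anchored at both
# ends), so emulate the lookup with grep -E. Prints the type on a match and
# nothing otherwise.
fc_match() {
    if printf '%s\n' "$1" | grep -Eq "^${ICE_PATTERN}"'$'; then
        echo "$ICE_TYPE"
    fi
}

# Why rc.sysinit's copy of the directory comes up as initrc_tmp_t: list the
# type transition for initrc_t creating a dir inside a tmp_t directory.
show_transition() {
    sesearch -T -s initrc_t -t tmp_t -c dir
}

# Install the rule into file_contexts.local (which takes precedence over the
# package's entry), relabel the live directory, and confirm that matchpathcon
# and the on-disk label now agree.
apply_local_rule() {
    semanage fcontext -a -t "$ICE_TYPE" "$ICE_PATTERN"
    restorecon -R -v /tmp/.ICE-unix
    matchpathcon /tmp/.ICE-unix
    ls -Zd /tmp/.ICE-unix
}

# Once the fixed selinux-policy (3.6.32-103.fc12 or later) is installed the
# local rule only duplicates the package's; drop it so the local database
# does not silently override future package changes.
remove_local_rule() {
    semanage fcontext -d "$ICE_PATTERN"
}

# Usage (as root): apply_local_rule ; later: remove_local_rule
```

A local fcontext rule is a legitimate bridge, but it is also a reason later reports of "still broken" are hard to interpret: a stale entry in file_contexts.local, or a stale setroubleshoot alert, looks exactly like an unfixed package. Checking `matchpathcon` and `semanage fcontext -l | grep ICE` first separates the two.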
Fixed in selinux-policy-3.6.32-102.fc12
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
selinux-policy-3.6.32-103.fc12 fixes it, thank you!
No, it's NOT fixed. I've installed selinux-policy-3.6.32-103.fc12.noarch, removed the /tmp/.ICE-unix directory, and rebooted. I still see this AVC:

Summary:
SELinux is preventing /usr/bin/gnome-session "write" access on .ICE-unix.

Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by gnome-session. It is not expected that this access is required by gnome-session and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                .ICE-unix [ dir ]
Source                        gnome-session
Source Path                   /usr/bin/gnome-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-session-2.28.0-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux omega-3a.local 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Tue 16 Mar 2010 10:55:58 AM CDT
Last Seen                     Tue 16 Mar 2010 10:57:12 AM CDT
Local ID                      55030c91-7aad-4b43-aac7-8a955a0330d6
Line Numbers

Raw Audit Messages
node=omega-3a.local type=AVC msg=audit(1268755032.597:15887): avc: denied { write } for pid=7455 comm="gnome-session" name=".ICE-unix" dev=sda2 ino=42109 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
node=omega-3a.local type=AVC msg=audit(1268755032.597:15887): avc: denied { remove_name } for pid=7455 comm="gnome-session" name="7455" dev=sda2 ino=42184 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
node=omega-3a.local type=AVC msg=audit(1268755032.597:15887): avc: denied { unlink } for pid=7455 comm="gnome-session" name="7455" dev=sda2 ino=42184 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
node=omega-3a.local type=SYSCALL msg=audit(1268755032.597:15887): arch=c000003e syscall=87 success=yes exit=0 a0=11adb92 a1=11a9d20 a2=0 a3=1 items=0 ppid=7432 pid=7455 auid=4294967295 uid=42 gid=475 euid=42 suid=42 fsuid=42 egid=475 sgid=475 fsgid=475 tty=(none) ses=4294967295 comm="gnome-session" exe="/usr/bin/gnome-session" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
What does matchpathcon /tmp/.ICE-unix say?
That's weird, it really fixed it for me. Are you sure it's not some older report that you didn't delete from setroubleshoot? (it happened to me once)
matchpathcon shows "/tmp/.ICE-unix system_u:object_r:xdm_tmp_t:s0" and that agrees with what 'ls' shows as the current context. I think I may just be seeing an anomaly in the timestamps. The stamp on that latest AVC is just a few seconds after what /var/run/utmp shows as the boot time, and gnome-session doesn't get started that fast. Indeed, when I look at the audit log, it claims that the next start of auditd occurs _before_ the AVC that is recorded earlier in the file. Looks like I just picked a bad moment to get my clock synchronized via NTP for the first time. Objection withdrawn. The change does work.
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

su -c 'yum --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12
I installed it with su -c 'yum --enablerepo=updates-testing update selinux-policy', but the problem continued.
I'm also still seeing this.
You guys removed the directory and then rebooted and the directory came up mislabeled?
I stand corrected. restorecon -R -v /tmp/.ICE-unix appears to have fixed it.
Hi,

removed /tmp/.ICE-unix

Installed the fix as suggested in comment 23 with
su -c 'yum --enablerepo=updates-testing update selinux-policy'

After reboot /tmp/.ICE-unix didn't appear again, so I think the problem is fixed for me.
(In reply to comment #28)
> Hi,
>
> removed /tmp/.ICE-unix
>
> Installed the fix as suggested in comment 23 with
> su -c 'yum --enablerepo=updates-testing update selinux-policy'
>
> After reboot /tmp/.ICE-unix didn't appear again, so I think
> the problem is fixed for me.

After restarting on five occasions, I think the problem is fixed.
Installed the fix (su -c 'yum --enablerepo=updates-testing update selinux-policy'), removed /tmp/.ICE-unix like comment #29, rebooted, but on restart I had the same bug... Can anybody help me? Thanks...
speedxx, what does matchpathcon /tmp/.ICE-unix say?
(In reply to comment #30)
> Installed the fix
> (su -c 'yum --enablerepo=updates-testing update selinux-policy'),
> removed /tmp/.ICE-unix like comment #29, rebooted, but on restart I had the same
> bug... Can anybody help me? Thanks...

Speedxx, my procedure was as follows:

1. mv /tmp/.ICE-unix /tmp/.ICE-unix1
2. su -c 'yum --enablerepo=updates-testing update selinux-policy'
3. reboot

and the problem was fixed for me too.
Jose, I'll try now... many thanks for now...
Nothing to do... The bug still remains... :((((
I tried the following commands and it worked:

1. yum remove selinux-policy
2. yum install selinux-policy
3. yum --enablerepo=updates-testing update selinux-policy
Smartqa many thanks, you helped me!!! :D
*** Bug 575072 has been marked as a duplicate of this bug. ***
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #35)
> I tried the following commands and it worked:
>
> 1. yum remove selinux-policy
> 2. yum install selinux-policy
> 3. yum --enablerepo=updates-testing update selinux-policy

That worked for me too, thanks.
Ivor