Summary:

SELinux is preventing /usr/libexec/lxdm-greeter-gtk "remove_name" access on lxdm.conf.8AEG9U.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by lxdm-greeter-gt. It is not expected that this access is required by lxdm-greeter-gt and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                lxdm.conf.8AEG9U [ dir ]
Source                        lxdm-greeter-gt
Source Path                   /usr/libexec/lxdm-greeter-gtk
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Sat 13 Mar 2010 10:52:12 CET
Last Seen                     Sat 13 Mar 2010 10:52:12 CET
Local ID                      2c142863-db31-48dd-bfc8-55719177201a
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1268473932.147:33): avc: denied { remove_name } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1268473932.147:33): avc: denied { rename } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1268473932.147:33): avc: denied { unlink } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=1049348 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1268473932.147:33): arch=c000003e syscall=82 success=yes exit=0 a0=fa7e00 a1=4072e1 a2=0 a3=7fff9f311930 items=0 ppid=2078 pid=3910 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,lxdm-greeter-gt,xdm_t,etc_t,dir,remove_name
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t etc_t:dir remove_name;
allow xdm_t etc_t:file { rename unlink };
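The raw AVC records above are what audit2allow collapses into the suggested rules. As an added illustration (not part of the bug report or of the setroubleshoot/audit2allow tools), this Python snippet does the same grouping on the records from this report and separately flags denials that would let a domain modify etc_t objects, following the maintainer's point in this thread that lxdm should not be writing under /etc. The MUTATING set and the trimmed SYSCALL line in the sample are my own constructions.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the lxdm-greeter-gtk report above,
# one record per line, plus a trimmed SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1268473932.147:33): avc: denied { remove_name } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=(removed) type=AVC msg=audit(1268473932.147:33): avc: denied { rename } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1268473932.147:33): avc: denied { unlink } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=1049348 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1268473932.147:33): arch=c000003e syscall=82 success=yes exit=0 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """user:role:type[:range] -> type (the field allow rules are written in)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source type, target type, object class, {permissions}) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no "avc: denied"
            yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

# Permissions that modify an object (assumption: this subset suffices for the
# check). A confined daemon wanting these on etc_t is the program writing where
# it should not, so the fix belongs in the program rather than in the policy.
MUTATING = {"write", "create", "unlink", "rename", "add_name", "remove_name", "setattr"}

def etc_modifications(text):
    """(source type, object class) pairs whose denial would modify an etc_t object."""
    hits = {(stype, tclass) for stype, ttype, tclass, perms in parse_avcs(text)
            if ttype == "etc_t" and perms & MUTATING}
    return sorted(hits)

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    print("do not simply allow:", etc_modifications(SAMPLE_AUDIT))
```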
Summary:

SELinux is preventing /usr/libexec/lxdm-greeter-gtk "write" access on /etc/lxdm.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by lxdm-greeter-gt. It is not expected that this access is required by lxdm-greeter-gt and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/lxdm [ dir ]
Source                        lxdm-greeter-gt
Source Path                   /usr/libexec/lxdm-greeter-gtk
Port                          <Unknown>
Host                          wicktop.localdomain
Source RPM Packages           lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Target RPM Packages           lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wicktop.localdomain
Platform                      Linux wicktop.localdomain 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   23
First Seen                    Wed 24 Feb 2010 01:14:00 CET
Last Seen                     Sat 13 Mar 2010 10:52:12 CET
Local ID                      a2c7f8e8-2ad6-4b2f-864d-85813088e07a
Line Numbers

Raw Audit Messages

node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc: denied { write } for pid=3910 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=1049362 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc: denied { add_name } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc: denied { create } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc: denied { write } for pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=wicktop.localdomain type=SYSCALL msg=audit(1268473932.84:32): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7876a0 a1=c2 a2=1b6 a3=1b items=0 ppid=2078 pid=3910 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/sbin/lxdm-binary "relabelfrom" access on tty1.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by lxdm-binary. It is not expected that this access is required by lxdm-binary and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                tty1 [ chr_file ]
Source                        lxdm-binary
Source Path                   /usr/sbin/lxdm-binary
Port                          <Unknown>
Host                          wicktop.localdomain
Source RPM Packages           lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wicktop.localdomain
Platform                      Linux wicktop.localdomain 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   30
First Seen                    Tue 09 Mar 2010 09:46:56 CET
Last Seen                     Sun 14 Mar 2010 13:35:02 CET
Local ID                      f8b336b4-3260-4aff-89d7-ad2220395c15
Line Numbers

Raw Audit Messages

node=wicktop.localdomain type=AVC msg=audit(1268570102.10:10): avc: denied { relabelfrom } for pid=2095 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
node=wicktop.localdomain type=SYSCALL msg=audit(1268570102.10:10): arch=c000003e syscall=188 success=yes exit=0 a0=7fffe4d0de30 a1=3e6a615669 a2=6cf420 a3=2b items=0 ppid=1 pid=2095 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/sbin/lxdm-binary "relabelto" access on tty1.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by lxdm-binary. It is not expected that this access is required by lxdm-binary and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tty_device_t:s0
Target Objects                tty1 [ chr_file ]
Source                        lxdm-binary
Source Path                   /usr/sbin/lxdm-binary
Port                          <Unknown>
Host                          wicktop.localdomain
Source RPM Packages           lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wicktop.localdomain
Platform                      Linux wicktop.localdomain 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   23
First Seen                    Tue 09 Mar 2010 03:09:11 CET
Last Seen                     Sun 14 Mar 2010 15:04:04 CET
Local ID                      9c415fd8-0130-4092-9d48-ecb8d77e0538
Line Numbers

Raw Audit Messages

node=wicktop.localdomain type=AVC msg=audit(1268575444.87:65): avc: denied { relabelto } for pid=2095 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
node=wicktop.localdomain type=SYSCALL msg=audit(1268575444.87:65): arch=c000003e syscall=188 success=yes exit=0 a0=7fffe4d0e0d0 a1=3e6a615669 a2=6bf180 a3=22 items=0 ppid=1 pid=2095 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
lxdm should definitely not be writing to its config files under /etc/lxdm. If lxdm has files that need to be modified, they should be under /var/run or /var/lib.

I can add term_relabel_unallocated_ttys(xdm_t)

But isn't lxdm using pseudo terms?
(In reply to comment #4)
> lxdm should definitely not be writing to its config files under /etc/lxdm

agreed.

> I can add term_relabel_unallocated_ttys(xdm_t)
> But isn't lxdm using pseudo terms?

No it's not, we already discussed this in bug 564320 and after your comment 18 I thought this was supposed to be fixed with term_relabel_all_ttys(xdm_t).
Yes I remember. term_relabel_all_ttys does not include unallocated ones.

Miroslav, add term_relabel_unallocated_ttys(xdm_t)
*** Bug 573761 has been marked as a duplicate of this bug. ***
Christoph, if you change lxdm to not write to /etc/lxdm, add a custom policy module:

# cat > myxdm.te << _EOF
policy_module(myxdm, 1.0)
gen_require(`
	type xdm_t;
')
term_relabel_unallocated_ttys(xdm_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myxdm.pp

Can you login and run

id -Z

to make sure you have the right context, unconfined_t?

ls -lZ `tty`

should have a context with something like user_tty_device_t or user_devpts_t.
After adding myxdm.pp, and logging in:

$ id -Z
system_u:system_r:initrc_t:s0
$ ls -lZ `tty`
crw--w----. dj tty system_u:object_r:initrc_devpts_t:s0 /dev/pts/4
$ rpm -q lxdm
lxdm-0.1.1-0.2.20100303gite4f7b39.fc12.i686
$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-99.fc12.noarch

# ausearch -m avc -ts 14:04
----
time->Tue Mar 16 14:04:15 2010
type=SYSCALL msg=audit(1268766255.278:57529): arch=40000003 syscall=11 success=yes exit=0 a0=936a460 a1=bfccb670 a2=9370600 a3=bfccb670 items=0 ppid=2079 pid=2233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl.ck" exe="/lib/udev/udev-acl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1268766255.278:57529): avc: denied { noatsecure } for pid=2233 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766255.278:57529): avc: denied { siginh } for pid=2233 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766255.278:57529): avc: denied { rlimitinh } for pid=2233 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Mar 16 14:04:26 2010
type=SYSCALL msg=audit(1268766266.987:57531): arch=40000003 syscall=11 success=yes exit=0 a0=bf878b7c a1=b75a6388 a2=8c137e0 a3=b75a6388 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766266.987:57531): avc: denied { write } for pid=2292 comm="mailx" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:26 2010
type=SYSCALL msg=audit(1268766266.685:57530): arch=40000003 syscall=11 success=yes exit=0 a0=804c710 a1=bff9f34c a2=bffa0714 a3=7 items=0 ppid=2253 pid=2254 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1268766266.685:57530): avc: denied { write } for pid=2254 comm="dbus-daemon" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.004:57532): arch=40000003 syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bfa09458 a3=bfa09498 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.004:57532): avc: denied { ioctl } for pid=2292 comm="mailx" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.005:57533): arch=40000003 syscall=5 success=yes exit=4 a0=8b6ac20 a1=c2 a2=180 a3=14345d9e items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.005:57533): avc: denied { write } for pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1268766267.005:57533): avc: denied { create } for pid=2292 comm="mailx" name="RxRt9Tyl" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1268766267.005:57533): avc: denied { add_name } for pid=2292 comm="mailx" name="RxRt9Tyl" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1268766267.005:57533): avc: denied { write } for pid=2292 comm="mailx" name="dj" dev=tmpfs ino=15048453 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.006:57534): arch=40000003 syscall=94 success=yes exit=0 a0=4 a1=180 a2=bfa0941c a3=4 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.006:57534): avc: denied { setattr } for pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.006:57535): arch=40000003 syscall=10 success=yes exit=0 a0=8b6ac20 a1=4b9fd63b a2=8b6ac20 a3=8b6a940 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.006:57535): avc: denied { unlink } for pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1268766267.006:57535): avc: denied { remove_name } for pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.006:57536): arch=40000003 syscall=197 success=yes exit=0 a0=1 a1=bfa092c0 a2=9e6ff4 a3=9e74c0 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.006:57536): avc: denied { getattr } for pid=2292 comm="mailx" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.071:57537): arch=40000003 syscall=11 success=yes exit=0 a0=82bf770 a1=82bf560 a2=82bb008 a3=82bf560 items=0 ppid=1 pid=2314 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC msg=audit(1268766267.071:57537): avc: denied { write } for pid=2314 comm="restorecond" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.093:57538): arch=40000003 syscall=11 success=yes exit=0 a0=1133388 a1=1130cc8 a2=11334b0 a3=1133858 items=0 ppid=2325 pid=2326 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="im-settings-dae" exe="/usr/libexec/im-settings-daemon" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1268766267.093:57538): avc: denied { noatsecure } for pid=2326 comm="im-settings-dae" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766267.093:57538): avc: denied { siginh } for pid=2326 comm="im-settings-dae" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766267.093:57538): avc: denied { rlimitinh } for pid=2326 comm="im-settings-dae" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.303:57539): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf87de20 a2=4acff4 a3=bf87dfcc items=0 ppid=1 pid=2314 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC msg=audit(1268766267.303:57539): avc: denied { connectto } for pid=2314 comm="restorecond" path=002F746D702F646275732D5A735142534744325A4D scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Tue Mar 16 14:04:33 2010
type=SYSCALL msg=audit(1268766273.217:57540): arch=40000003 syscall=4 success=yes exit=103 a0=2 a1=bf872620 a2=67 a3=67 items=0 ppid=1 pid=2314 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC msg=audit(1268766273.217:57540): avc: denied { write } for pid=2314 comm="restorecond" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:05:02 2010
type=SYSCALL msg=audit(1268766302.861:57545): arch=40000003 syscall=268 success=yes exit=0 a0=80c17f0 a1=54 a2=bfeeab3c a3=bfeeb3fc items=0 ppid=2776 pid=2777 auid=4294967295 uid=466 gid=463 euid=466 suid=466 fsuid=466 egid=463 sgid=463 fsgid=463 tty=(none) ses=4294967295 comm="df" exe="/bin/df" subj=system_u:system_r:munin_t:s0 key=(null)
type=AVC msg=audit(1268766302.861:57545): avc: denied { search } for pid=2777 comm="df" name="dj" dev=sdb3 ino=8193 scontext=system_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1268766302.861:57545): avc: denied { search } for pid=2777 comm="df" name="/" dev=sdb3 ino=2 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
That means lxdm is not labeled correctly; you are running with the context of an init process. lxdm needs to be labeled xdm_exec_t. Run restorecon on the lxdm executable and see what its context is. If it is not xdm_exec_t, then what is its path?
Restorecon is happy with it:

-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/lxdm
That is because it expects it to be in /usr/bin/lxdm

rpm -ql lxdm | grep bin
/usr/bin/lxdm
/usr/bin/lxdm-binary
/usr/bin/lxdm-greeter-gtk

rpm -q lxdm
lxdm-0.1.0-0.1.fc13.x86_64
Miroslav, can you change the label to

/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)

d.johnson,

chcon -t xdm_exec_t /usr/sbin/lxdm

will fix the label until an update gets pushed.

Christoph, I take it lxdm is moving?
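Why restorecon reported bin_t for /usr/sbin/lxdm and why the /usr/(s)?bin patterns fix it, as an added Python example (not from the bug or from the selinux-policy package): it matches paths against file-context entries the way an installed file_contexts is evaluated, last matching entry wins and the file-type column is honoured, and then compares the result with what ls -Z showed. The /usr/sbin(/.*)? fallback entry and the literal /usr/bin entries are constructed to mirror the paths rpm -ql lists; the exact entries in the policy version on this system are an assumption.

```python
import re

# Constructed file-context fragments in the format used in the discussion.
# Assumption: the shipped policy only named the /usr/bin paths, so /usr/sbin/lxdm
# fell through to the generic /usr/sbin entry and was labelled bin_t.
OLD_FC = """\
/usr/sbin(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
/usr/bin/lxdm           --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/lxdm-binary    --      gen_context(system_u:object_r:xdm_exec_t,s0)
"""

# The entries requested above, covering both /usr/bin and /usr/sbin.
NEW_FC = """\
/usr/sbin(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
/usr/(s)?bin/lxdm       --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm-binary --     gen_context(system_u:object_r:xdm_exec_t,s0)
"""

# path regex, optional file-type flag (-- regular file, -d directory, ...), context
FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?gen_context\((?P<ctx>[^,)]+)"
)

def parse_fc(text):
    """Parse .fc lines into (compiled path regex, file-type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file-context line: {line}")
        specs.append((re.compile(m["path"]), m["ftype"], m["ctx"]))
    return specs

def expected_type(specs, path, ftype="--"):
    """SELinux type the specs assign to path (a regular file by default).

    Entries are tried in file order and the last full match wins, which is how
    libselinux evaluates an installed file_contexts; entries without a
    file-type column apply to every object class.
    """
    winner = None
    for rx, spec_ftype, ctx in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if rx.fullmatch(path):
            winner = ctx
    return winner.split(":")[2] if winner else None

def label_mismatches(specs, observed):
    """Compare observed labels (path -> type, e.g. from ls -Z) with the policy.

    Returns (path, observed_type, expected_type) for every file whose label
    restorecon would change under these specs.
    """
    out = []
    for path, actual in sorted(observed.items()):
        want = expected_type(specs, path)
        if want != actual:
            out.append((path, actual, want))
    return out

if __name__ == "__main__":
    seen = {"/usr/sbin/lxdm": "bin_t"}   # what ls -lZ reported above
    print("old policy:", label_mismatches(parse_fc(OLD_FC), seen))
    print("new policy:", label_mismatches(parse_fc(NEW_FC), seen))
```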
Yes, it's moving, as announced in bug 564320 comment 7. In the next comment you told Miroslav to "make the /usr/bin->/usr/sbin changes". Seems like some things from the previous bugs got lost somehow.
(In reply to comment #14)
> Yes, it's moving, as announced in bug 564320 comment 7. In the next comment you
> told Miroslav to "make the /usr/bin->/usr/sbin changes". Seems like some things
> from the previous bugs got lost somehow.

Yes, my fault I missed it. Fixed in selinux-policy-3.6.32-104.fc12
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.