Description of problem: I attempted to do a test installation for the F13 XFCE test day and therefore grabbed the nightly build of the liveCD mentioned on the Test Day site. This built has been created on 2010-04-26 (xfce-i386-20100426.16.iso). Checksum of the iso has been verified. I get the following SELinux alert if I attempt to install the nightly built of the XFCE liveCD: Summary: SELinux is preventing /usr/libexec/abrt-hook-python access to a leaked /dev/tty3 file descriptor. Detailed Description: [abrt-hook-pytho has a permissive type (abrt_helper_t). This access was not denied.] SELinux denied access requested by the abrt-hook-pytho command. It looks like this is either a leaked descriptor or abrt-hook-pytho output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /dev/tty3. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Additional Information: Source Context unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c 1023 Target Context system_u:object_r:tty_device_t:s0 Target Objects /dev/tty3 [ chr_file ] Source abrt-hook-pytho Source Path /usr/libexec/abrt-hook-python Port <Unknown> Host (removed) Source RPM Packages abrt-addon-python-1.0.9-2.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-2.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name leaks Host Name (removed) Platform Linux localhost.localdomain 2.6.33.2-57.fc13.i686 #1 SMP Tue Apr 20 09:28:45 UTC 2010 i686 i686 Alert Count 2 First Seen Wed 28 Apr 2010 11:45:17 AM EDT Last Seen Wed 28 Apr 2010 11:48:21 AM EDT Local ID f916d878-4713-4602-9ca7-98f91a6e77d4 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1272469701.114:24566): avc: denied { append } for pid=2716 comm="abrt-hook-pytho" path="/dev/tty3" dev=devtmpfs ino=5448 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file node=localhost.localdomain type=SYSCALL msg=audit(1272469701.114:24566): arch=40000003 syscall=11 success=yes exit=0 a0=92e17d8 a1=94c6c80 a2=bfa667d0 a3=3 items=0 ppid=2715 pid=2716 auid=500 uid=0 gid=0 euid=497 suid=497 fsuid=497 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="abrt-hook-pytho" exe="/usr/libexec/abrt-hook-python" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null) Version-Release number of selected component (if applicable): Fedora 13 XFCD liveCD built 2010-04-26 How reproducible: Double click on install to Hard Drive icon Steps to Reproduce: 1. Double click on install to Hard Drive icon 2. SELinux alert automatically shows up 3. Installation procedure dies Actual results: SELinux alert prevents installation to hard drive Expected results: Installation is possible Additional info: I found bug 569662, which is closed and the bug report says that this problem has been fixed 2010-03-10. However, the circumstances of that particular bug seem to be different.
Created attachment 409798 [details] Smolt profile Added the Smolt profile of the machine.
Moving this over to abrt for comment. Xfce doesn't do anything with the selinux policy, so it sounds like it's a abrt/selinux-policy issue.
I did a fresh installation with the 2010-04-29 nightly compose and the problem did not appear again. It seems that the issue in abrt/selinux is fixed.
Great! Thanks for the info, closing.
Did some more installations on different machines. No more problems.