Summary:

SELinux is preventing /usr/libexec/gnome-settings-daemon "getattr" access on /pub/graphics/WallPaper/NCC1701_STXI.jpg.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gnome-settings-. It is not expected that this access is required by gnome-settings- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                /pub/graphics/WallPaper/NCC1701_STXI.jpg [ file ]
Source                        gnome-settings-
Source Path                   /usr/libexec/gnome-settings-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-settings-daemon-2.30.1-6.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 14 Jun 2010 05:08:42 PM EDT
Last Seen                     Mon 14 Jun 2010 05:08:42 PM EDT
Local ID                      dbfd5187-7ad3-4a6f-b468-9ad73feaff31
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1276549722.982:11): avc: denied { getattr } for pid=2438 comm="gnome-settings-" path="/pub/graphics/WallPaper/NCC1701_STXI.jpg" dev=dm-13 ino=130412 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276549722.982:11): arch=c000003e syscall=6 success=yes exit=0 a0=1169bd0 a1=7fffd88a21b0 a2=7fffd88a21b0 a3=1 items=0 ppid=2435 pid=2438 auid=4294967295 uid=42 gid=474 euid=42 suid=42 fsuid=42 egid=474 sgid=474 fsgid=474 tty=(none) ses=4294967295 comm="gnome-settings-" exe="/usr/libexec/gnome-settings-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,gnome-settings-,xdm_t,default_t,file,getattr
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t default_t:file getattr;
You need to set a label on this directory, probably usr_t would work.

# semanage fcontext -a -t usr_t /pub(/.*)?'
# restorecon -R -v /pub
Just gave those commands a try, although I did modify them to:

# semanage fcontext -a -t usr_t /pub/graphics/wallpaper/*
# restorecon -R -v /pub/graphics/wallpaper/

I didn't notice any change in SELinux permissions, and if you right click on the file in nautilus and access properties/permissions, the SELinux one is default_t, and clicking on the drop down, usr_t does not exist, even though if you check the properties of one of the jpgs in /usr/share/background/images it shows usr_t.

If I do your command exactly as above I get:

-bash: syntax error near unexpected token `('
# semanage fcontext -a -t usr_t '/pub(/.*)?'

Do it at /pub so the entire directory gets labeled. Sorry about the missing '
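Added example, not part of the original thread: the path argument to semanage fcontext is a regular expression anchored to the whole path, not a shell glob, and this sketch emulates that match with grep -E to show which paths each spec from the comments above would cover. The function names and the sample path list are constructed for illustration.

```shell
#!/bin/sh
# Emulates file-context spec matching: the spec is a regular expression that
# must match the full path from start to end. It is not a shell glob, so
# quote it to keep the shell from touching ( ) ? and *.

# spec_matches SPEC PATH -> exit status 0 if SPEC covers PATH.
spec_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Constructed sample paths; the second is the target object from the AVC.
SAMPLE_PATHS='/pub
/pub/graphics/WallPaper/NCC1701_STXI.jpg
/pub/graphics/wallpaper
/public/index.html'

# count_covered SPEC -> prints how many sample paths SPEC covers.
count_covered() {
    n=0
    while IFS= read -r p; do
        if spec_matches "$1" "$p"; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_PATHS
EOF
    echo "$n"
}

# '/pub(/.*)?' covers /pub itself and everything beneath it, but not /public.
# '/pub/graphics/wallpaper/*' read as a regex means "wallpaper followed by
# zero or more slashes": it covers no file inside the directory, and the
# lower-case spelling differs from the WallPaper path in the audit record.
for spec in '/pub(/.*)?' '/pub/graphics/wallpaper/*'; do
    echo "$spec covers $(count_covered "$spec") of 4 sample paths"
done
```

On the affected host, `matchpathcon /pub/graphics/WallPaper/NCC1701_STXI.jpg` shows the label the loaded policy expects for the file, and `ls -Z` on the same path shows the label actually set after restorecon.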
It seems to have stopped since I did the following:

1. Copied the file from /pub/graphics/WallPaper to /usr/share/backgrounds/images
2. Changed the copied ownership to root
3. Disabled the autostart of wallpapoza.

The result is that my desktop stays with the image I want and no more SELinux alerts, at least for that anymore.