SELinux is preventing plymouthd from 'search' accesses on the directory /var/spool/gdm.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that plymouthd should be allowed search access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep plymouthd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:plymouthd_t:s0
Target Context                system_u:object_r:xdm_spool_t:s0
Target Objects                /var/spool/gdm [ dir ]
Source                        plymouthd
Source Path                   plymouthd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           gdm-2.32.0-3.fc15
Policy RPM                    selinux-policy-3.9.10-4.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.36.1-10.fc15.x86_64 #1 SMP Mon Nov 29 14:41:22 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 02 Dec 2010 11:40:56 PM GMT
Last Seen                     Thu 02 Dec 2010 11:40:56 PM GMT
Local ID                      c10cff11-c23f-4b0d-92f7-50645dcfea1d

Raw Audit Messages
type=AVC msg=audit(1291333256.622:50): avc: denied { search } for pid=891 comm="plymouthd" name="gdm" dev=sdb10 ino=39581 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir

plymouthd,plymouthd_t,xdm_spool_t,dir,search

#============= plymouthd_t ==============
allow plymouthd_t xdm_spool_t:dir search;
Flóki, could you execute

# semanage permissive -a plymouthd_t

And after reboot execute

# ausearch -m avc -ts recent

I would like to know if there are other AVC messages related to plymouthd. Thanks.
Booting with 'enforcing=0' yields the following AVCs:

time->Fri Dec 3 07:27:44 2010
type=AVC msg=audit(1291390064.075:49): avc: denied { search } for pid=1005 comm="plymouthd" name="gdm" dev=dm-0 ino=12715930 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir
----
time->Fri Dec 3 07:27:44 2010
type=AVC msg=audit(1291390064.087:50): avc: denied { write } for pid=1005 comm="plymouthd" name="gdm" dev=dm-0 ino=12715930 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir
----
time->Fri Dec 3 07:27:44 2010
type=AVC msg=audit(1291390064.087:51): avc: denied { add_name } for pid=1005 comm="plymouthd" name="force-display-on-active-vt" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir
----
time->Fri Dec 3 07:27:44 2010
type=AVC msg=audit(1291390064.087:52): avc: denied { create } for pid=1005 comm="plymouthd" name="force-display-on-active-vt" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=file
----
time->Fri Dec 3 07:27:44 2010
type=AVC msg=audit(1291390064.248:53): avc: denied { write open } for pid=1005 comm="plymouthd" name="force-display-on-active-vt" dev=dm-0 ino=12714888 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=file

Is that helpful?
Yes, Tom. I am also seeing it. plymouthd creates the "/var/spool/gdm/force-display-on-active-vt" file.
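The setroubleshoot report suggests piping the denials through audit2allow, and Tom's ausearch output shows what that pipe would see. As an added example (not code from this bug report or from the selinux-policy package), the Python script below does the core of what `audit2allow -M` does over the AVC records posted above: it parses each record, merges the denied permissions per source type, target type and object class, and prints the resulting TE allow rules, so an admin can read exactly what a local module would grant before choosing between installing it and waiting for the proper policy fix.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output posted earlier in this bug.
AVC_LINES = """
type=AVC msg=audit(1291390064.075:49): avc: denied { search } for pid=1005 comm="plymouthd" name="gdm" dev=dm-0 ino=12715930 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir
type=AVC msg=audit(1291390064.087:50): avc: denied { write } for pid=1005 comm="plymouthd" name="gdm" dev=dm-0 ino=12715930 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir
type=AVC msg=audit(1291390064.087:51): avc: denied { add_name } for pid=1005 comm="plymouthd" name="force-display-on-active-vt" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=dir
type=AVC msg=audit(1291390064.087:52): avc: denied { create } for pid=1005 comm="plymouthd" name="force-display-on-active-vt" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=file
type=AVC msg=audit(1291390064.248:53): avc: denied { write open } for pid=1005 comm="plymouthd" name="force-display-on-active-vt" dev=dm-0 ino=12714888 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=file
"""

# One or more permissions inside the braces, then the two contexts and the class.
# \s+ tolerates the double spaces that real audit.log lines carry.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) per AVC denial record."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; ausearch also prints time-> and ---- lines
        # A context is user:role:type:level; the type is the third field.
        stype = m["scontext"].split(":")[2]
        ttype = m["tcontext"].split(":")[2]
        out.append((stype, ttype, m["tclass"], frozenset(m["perms"].split())))
    return out

def aggregate(denials):
    """Union the permissions per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return merged

def te_rules(merged):
    """Render merged denials as policy-language allow rules (one per key)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in te_rules(aggregate(parse_avc(AVC_LINES))):
        print(rule)
```

For the five records above this yields one dir rule (add_name, search, write) and one file rule (create, open, write) for plymouthd_t on xdm_spool_t, the same grant the shipped fix in selinux-policy had to express properly.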
Created attachment 464903: ausearch -m avc -ts recent
*** Bug 660163 has been marked as a duplicate of this bug. ***
*** Bug 660164 has been marked as a duplicate of this bug. ***
*** Bug 660165 has been marked as a duplicate of this bug. ***
*** Bug 660166 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.9.10-7.fc15