Bug 664550 - SELinux is preventing /usr/bin/gnome-screensaver from 'execute' accesses on the file /usr/share/kde4/apps/kajongg/kajongg.py.
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:465e1b7db43...
Duplicates: 663413 664647
Reported: 2010-12-20 18:40 UTC by edo
Modified: 2011-11-30 04:17 UTC
CC List: 14 users

Doc Type: Bug Fix
Last Closed: 2011-11-15 14:02:07 UTC

Description edo 2010-12-20 18:40:05 UTC
SELinux is preventing /usr/bin/gnome-screensaver from 'execute' accesses on the file /usr/share/kde4/apps/kajongg/kajongg.py.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow gnome-screensaver to have execute access on the kajongg.py file
Then you need to change the label on /usr/share/kde4/apps/kajongg/kajongg.py
Do
# semanage fcontext -a -t FILE_TYPE '/usr/share/kde4/apps/kajongg/kajongg.py'
where FILE_TYPE is one of the following: shutdown_exec_t, xdm_exec_t, lib_t, bin_t, policykit_auth_exec_t, lib_t, abrt_helper_exec_t, xserver_exec_t, ld_so_t, pam_console_exec_t, dbusd_exec_t, textrel_shlib_t, etc_t, loadkeys_exec_t, ssh_agent_exec_t, plymouth_exec_t, rpm_exec_t, xauth_exec_t, pulseaudio_exec_t, pam_exec_t, mount_exec_t, shell_exec_t, updpwd_exec_t, oddjob_mkhomedir_exec_t, fusermount_exec_t, chkpwd_exec_t, hostname_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, shell_exec_t, xsession_exec_t. 
Then execute: 
restorecon -v '/usr/share/kde4/apps/kajongg/kajongg.py'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that gnome-screensaver should be allowed execute access on the kajongg.py file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/bin/gnome-screensaver /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/kde4/apps/kajongg/kajongg.py [ file ]
Source                        gnome-screensav
Source Path                   /usr/bin/gnome-screensaver
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-screensaver-2.30.2-2.fc14
Target RPM Packages           kdegames-4.5.4-1.fc14
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.10-68.fc14.x86_64 #1 SMP Thu Dec 16
                              21:41:20 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Po 20. december 2010, 19:10:05 CET
Last Seen                     Po 20. december 2010, 19:10:05 CET
Local ID                      1d47c531-0f43-4a80-a8ad-34770f0ecf76

Raw Audit Messages
type=AVC msg=audit(1292868605.32:35740): avc:  denied  { execute } for  pid=2049 comm="gnome-screensav" name="kajongg.py" dev=dm-0 ino=920393 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

gnome-screensav,xdm_t,usr_t,file,execute
type=SYSCALL msg=audit(1292868605.32:35740): arch=x86_64 syscall=access success=no exit=EACCES a0=19d47a8 a1=1 a2=6e69622f7273752f a3=b9 items=0 ppid=1 pid=2049 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gnome-screensav exe=/usr/bin/gnome-screensaver subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
gnome-screensav,xdm_t,usr_t,file,execute

#============= xdm_t ==============
allow xdm_t usr_t:file execute;

Comment 1 Daniel Walsh 2010-12-20 21:34:29 UTC
Gnome power manager should not be starting gnome-screensaver under gdm.

Comment 2 Richard Hughes 2010-12-21 23:04:34 UTC
Why not? gnome-screensaver should be already running in most cases. I'm not sure how the original report relates to starting gss.

Comment 3 Daniel Walsh 2010-12-22 13:16:03 UTC
Because gnome-screensaver does nothing of use under gdm.  It is going out and searching the file system while running under gdm causing all of these AVC messages.  This is happening without anyone logging in, not after login.

Comment 4 Richard Hughes 2011-11-15 12:53:44 UTC
*** Bug 664647 has been marked as a duplicate of this bug. ***

Comment 5 Richard Hughes 2011-11-15 12:53:59 UTC
*** Bug 663413 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2011-11-15 14:02:07 UTC
files_dontaudit_all_access_check(xdm_t)

has been added to F16.

Miroslav, can you add this to F15?

F14 is too close to end of life to make it worth pushing this fix, since it breaks nothing.
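
Added example, not part of the bug report or of the Fedora policy: the SYSCALL record in the description shows `syscall=access` with `a1=1`, so the denial came from an access check rather than an attempt to run the file, which is the case the `dontaudit` in Comment 6 targets. The sketch below pairs each AVC with its SYSCALL record and separates the two cases; event 35741, the verdict strings and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Event 35740 is the AVC/SYSCALL pair from the report above (interpreted form,
# as `ausearch -i` prints it). Event 35741 is constructed here for contrast.
SAMPLE = """\
type=AVC msg=audit(1292868605.32:35740): avc:  denied  { execute } for  pid=2049 comm="gnome-screensav" name="kajongg.py" dev=dm-0 ino=920393 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1292868605.32:35740): arch=x86_64 syscall=access success=no exit=EACCES a0=19d47a8 a1=1 a2=6e69622f7273752f a3=b9 items=0 ppid=1 pid=2049 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gnome-screensav exe=/usr/bin/gnome-screensaver subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1292868700.10:35741): avc:  denied  { execute } for  pid=3000 comm="example" name="tool" dev=dm-0 ino=1 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1292868700.10:35741): arch=x86_64 syscall=execve success=no exit=EACCES a0=1 a1=2 a2=3 a3=0 items=0 ppid=1 pid=3000 comm=example exe=/usr/bin/example subj=system_u:system_r:xdm_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{ ([^}]*)\}")
# Syscalls that only ask "could I?", mapped to the argument holding the mode.
ACCESS_CHECKS = {"access": "a1", "faccessat": "a2"}
MODE_BITS = ((4, "R_OK"), (2, "W_OK"), (1, "X_OK"))

def probed_mode(syscall_rec):
    # audit logs a0..a3 in hex; decode the mode bits of the access check
    mode = int(syscall_rec[ACCESS_CHECKS[syscall_rec["syscall"]]], 16)
    return "|".join(n for bit, n in MODE_BITS if mode & bit) or "F_OK"

def triage(log_text):
    """Pair AVC and SYSCALL records by event id and classify each denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
            perms = PERMS.search(line)
            rec["perms"] = perms.group(1).split() if perms else []
            events[head.group(2)][head.group(1)] = rec
    rows = []
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or not avc["perms"]:
            continue
        if sc.get("syscall") in ACCESS_CHECKS:
            verdict = "access-check:" + probed_mode(sc)  # dontaudit candidate
        else:
            verdict = "real-attempt"  # needs a labeling or policy decision
        stype, ttype = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        rows.append((avc["comm"], stype, ttype, avc["tclass"], ",".join(avc["perms"]), verdict))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(",".join(row))
```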

