SELinux is preventing /usr/bin/metacity from 'getattr' accesses on the sock_file /tmp/at-spi2/socket-1413-1804289383. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that metacity should be allowed getattr access on the socket-1413-1804289383 sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep metacity /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:tmp_t:s0 Target Objects /tmp/at-spi2/socket-1413-1804289383 [ sock_file ] Source metacity Source Path /usr/bin/metacity Port <Unbekannt> Host (removed) Source RPM Packages metacity-2.32.0-1.git20110228.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-5.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Sa 19 Mär 2011 21:30:31 CET Last Seen Sa 19 Mär 2011 21:30:31 CET Local ID 549980e7-03bc-4c70-a1ed-a8e49bdd13cd Raw Audit Messages type=AVC msg=audit(1300566631.696:45): avc: denied { getattr } for pid=1413 comm="metacity" path="/tmp/at-spi2/socket-1413-1804289383" dev=dm-1 ino=402638 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=SYSCALL msg=audit(1300566631.696:45): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c95db0 a1=7ffff3ed70f0 a2=7ffff3ed70f0 a3=7ffff3ed6e60 items=0 ppid=1327 pid=1413 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=metacity exe=/usr/bin/metacity subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: metacity,xdm_t,tmp_t,sock_file,getattr audit2allow #============= xdm_t ============== allow xdm_t tmp_t:sock_file getattr; audit2allow -R #============= xdm_t ============== allow xdm_t tmp_t:sock_file getattr;
Why would xdm be launching metacity and looking at /tmp/at-spi2/socket-1413-1804289383
Am getting this with: gdm-3.0.0-1.fc15.x86_64 metacity-2.34.0-1.fc15.x86_64 selinux-policy-3.9.16-14.fc15.noarch selinux-policy-targeted-3.9.16-14.fc15.noarch Raw Audit Messages type=AVC msg=audit(1302626053.386:39): avc: denied { getattr } for pid=1361 comm="metacity" path="/tmp/at-spi2/socket-1361-1804289383" dev=sdb6 ino=406476 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=SYSCALL msg=audit(1302626053.386:39): arch=x86_64 syscall=stat success=no exit=EACCES a0=16b2df0 a1=7fff8daf24f0 a2=7fff8daf24f0 a3=7fff8daf2260 items=0 ppid=1321 pid=1361 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=metacity exe=/usr/bin/metacity subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: metacity,xdm_t,tmp_t,sock_file,getattr
There were some sockets labelled tmp_t in /tmp/at-spi2/. restorecon -rnv /tmp/at-spi2/ did not complain. Cleared this with "rm /tmp/at-spi2/*" and rebooting. Seems similar to Bug 692905 - SELinux is preventing /usr/bin/gnome-power-manager from 'getattr' accesses on the sock_file /tmp/at-spi2/socket-1385-1804289383.
I think this is left over garbage from the install. And can be ignored. I will add files_dontaudit_getattr_all_tmp_sockets(xdm_t) to get it to shut up. Fixed in selinux-policy-3.9.16-15.fc15
I have done "rm /tmp/at-spi2/*" twice on separate days without reinstalling. Something seems to be regenerating them that way.
Strange since these files should be labeled xdm_tmp_t. Are you using gdm for boot?
I mean login?
Yes, I am using gdm in a default configuration: gdm-3.0.0-1.fc15.x86_64
If you look in this directory after login, are all of the sockets labeled xdm_tmp_t? ls -lZ /tmp/at-spi2/
(In reply to comment #9) > If you look in this directory after login, are all of the sockets labeled > xdm_tmp_t? > > ls -lZ /tmp/at-spi2/ I did a clean F15 install and update using the Live CD (F15-Beta-RC2) on my laptop. After rebooting and configuring, I logged out and logged in. There are no sealerts. All sockets in /tmp/at-spi2/ are labelled xdm_tmp_t. ATM, on the desktop system where I had been seeing the sealerts all sockets in /tmp/at-spi2/ are likewise labelled xdm_tmp_t after logging out and logging in. This is on my newly installed laptop: [joeblow@spruce ~]$ ls -lZ | grep ':tmp_t' [joeblow@spruce ~]$ ls -lZ /tmp/at-spi2/ | head -3 srwxrwxrwx. gdm gdm system_u:object_r:xdm_tmp_t:s0 socket-10367-1165612340 srwxrwxrwx. gdm gdm system_u:object_r:xdm_tmp_t:s0 socket-10374-511702305 srwxrwxrwx. gdm gdm system_u:object_r:xdm_tmp_t:s0 socket-10402-1804289383 [joeblow@spruce ~]$ [joeblow@spruce ~]$ rpm -qa 'selinux*' gdm | sort gdm-3.0.0-1.fc15.i686 selinux-policy-3.9.16-14.fc15.noarch selinux-policy-targeted-3.9.16-14.fc15.noarch
Just booted the F15-Beta-RC2 Live CD on my laptop. /tmp/at-spi2/ does not exist. After logging out and logging in /tmp/at-spi2/ exists, and there are 8 socket files in /tmp/at-spi2/, all labeled: system_u:object_r:xdm_tmp_t:s0
selinux-policy-3.9.16-15.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-15.fc15
Package selinux-policy-3.9.16-15.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-15.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-15.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-15.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.