type=1400 audit(1302255128.965:6): avc: denied { write } for pid=1051 comm="xdm" name="xdm.log" dev=sda3 ino=146296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

============

Here is a custom SELinux policy:

[root@work ~]# cat xdm.te
module xdm 1.0;

require {
	type var_log_t;
	type xdm_t;
	class file write;
}

#============= xdm_t ==============
allow xdm_t var_log_t:file write;
[root@work ~]#
restorecon -R -v /var/log/xdm.log is a much better solution. Wherever that is located.
Unfortunately it doesn't work. Here is what I've got after reboot:

[root@work ~]# dmesg | grep xdm
[   29.942053] type=1400 audit(1302292067.301:6): avc: denied { write } for pid=1025 comm="xdm" name="xdm.log" dev=sda3 ino=146296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
[root@work ~]#

Perhaps it has something to do with the latest relocation of runtime files into /run.
Where is the xdm.log file located?
Is there something in the startup that is creating it other than xdm? An init script or an xinit script?
(In reply to comment #3)
> Where is the xdm.log file located?

/var/log/xdm.log

work ~: cat /etc/mtab | grep /var
/dev/sda3 /var ext3 rw,seclabel,noatime,nodiratime,errors=continue,user_xattr,acl,barrier=0,data=ordered 0 0
tmpfs /var/run tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
tmpfs /var/lock tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,mode=755 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
work ~:

(In reply to comment #4)
> Is there something in the startup that is creating it other than xdm?
>
> An init script or an xinit script?

Nope. I didn't even log in (from the physical console) yet.

work ~: ps axf
...
 1025 ?        Ss     0:00 /usr/bin/xdm -nodaemon
 1061 tty7     Ss+    0:00  \_ /usr/bin/X :0 -auth /var/lib/xdm/authdir/authfiles/A:0-KfnmzN
 1065 ?        Ss     0:00  \_ -:0
...
work ~:

No other X clients were started - just xdm.
ps -axfZ should show xdm running as xdm_t. There are rules in policy that say that xdm_t creating a file in a directory labeled var_log_t will create it labeled xdm_log_t. But you already have a file labeled var_log_t, which means something else created the log file before xdm started. Is there some mention of xdm.log in the scripts that start xdm?
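The allow rule in the original report and the type-transition explanation in comment #6 are two readings of the same denial, and the difference matters: the module above would let xdm_t write every file of type var_log_t, while a relabel only fixes the one mislabeled log. The following Python is an added example, not code from this bug report or from the SELinux tools: it parses type=1400 AVC records of the kind pasted above, prints the rule audit2allow would generate from each, and flags the situation comment #6 describes (the target still wears the type that policy would have transitioned away from had the domain created it) as a labeling problem rather than a policy gap. The EXPECTED_CREATED_TYPE table contains only the xdm_t rule stated in comment #6 and is a constructed stand-in for querying the loaded policy (for example with `sesearch -T`); the first sample line is the denial from the report, the second is constructed.

```python
"""Triage SELinux AVC denials: mislabeled file, or a real policy gap?"""
import re
from typing import List, Optional

# Permission set and the trailing key=value fields of an AVC record as
# printed by the kernel (dmesg) or by auditd.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (domain, type of the containing directory, object class) -> type that policy
# gives an object the domain creates there.  The single entry is the rule
# comment #6 describes; the table itself is a constructed stand-in for a real
# policy query (e.g. `sesearch -T -s xdm_t`), not a dump of the policy.
EXPECTED_CREATED_TYPE = {
    ("xdm_t", "var_log_t", "file"): "xdm_log_t",
}

# Denial quoted in the bug report.
PAGE_DENIAL = (
    'type=1400 audit(1302255128.965:6): avc: denied { write } for pid=1051 '
    'comm="xdm" name="xdm.log" dev=sda3 ino=146296 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file'
)
# Constructed denial with no matching transition rule in the table above.
CONSTRUCTED_DENIAL = (
    'type=1400 audit(1302255130.000:7): avc: denied { read } for pid=1051 '
    'comm="xdm" name="example.conf" dev=sda3 ino=99 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: dict = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:mls].  The MLS part may itself contain a
    # colon (s0-s0:c0.c1023), so pick the type by position from the left.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def allow_rule(rec: dict) -> str:
    """The allow rule audit2allow would emit for this denial."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['scontext_type']} {rec['tcontext_type']}:{rec['tclass']} {perm_str};"


def diagnose(rec: dict) -> str:
    """'relabel' when the target carries a type that policy would have
    transitioned away from if this domain had created it there (so some other
    process created or relabeled it), 'investigate' otherwise."""
    key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
    expected = EXPECTED_CREATED_TYPE.get(key)
    if expected is not None and expected != rec["tcontext_type"]:
        return "relabel"
    return "investigate"


def triage(lines: List[str]) -> List[dict]:
    """Parse every AVC line and attach the audit2allow rule and a verdict."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rec["rule"] = allow_rule(rec)
        rec["verdict"] = diagnose(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage([PAGE_DENIAL, CONSTRUCTED_DENIAL, "unrelated dmesg line"]):
        print(f"{rec['comm']} -> {rec.get('name')} ({rec['tcontext_type']}): {rec['verdict']}")
        print(f"  audit2allow would add: {rec['rule']}")
        if rec["verdict"] == "relabel":
            # The AVC record carries only the basename, so the path must be
            # found by hand before running matchpathcon/restorecon on it.
            print(f"  expected type here: {EXPECTED_CREATED_TYPE[(rec['scontext_type'], rec['tcontext_type'], rec['tclass'])]};"
                  " check matchpathcon and run restorecon rather than loading the rule")
```

The verdict logic is deliberately conservative: it only claims "relabel" when the table says policy would have produced a different type, which is exactly the mismatch comment #6 points at; everything else is left for a human to compare against `matchpathcon` before any local module is built.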
(In reply to comment #6)
> ps -axfZ should show xdm running as xdm_t. There are rules in policy that say that
> xdm_t creating a file in a directory labeled var_log_t will create it labeled
> xdm_log_t. But you already have a file labeled var_log_t, which means
> something else created the log file before xdm started. Is there some mention
> of xdm.log in the scripts that start xdm?

Daniel, I'm really sorry for the noise - I just found that this is completely my mistake. I'm sure this ticket must be closed now.