Description of problem:
Having previously used kde and currently using xfce as soon as login to xfce get an selinux avc

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-67.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Login to xfce

Actual results:
selinux troubleshooter opens and contains the following details:

SELinux is preventing /usr/libexec/kde4/lnusertemp from create access on the directory .kde.

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to enable polyinstantiated directory support.
Then you must tell SELinux about this by enabling the 'allow_polyinstantiation' boolean.
Do
setsebool -P allow_polyinstantiation 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If you believe that lnusertemp should be allowed create access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lnusertemp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                .kde [ dir ]
Source                        lnusertemp
Source Path                   /usr/libexec/kde4/lnusertemp
Port                          <Unknown>
Host                          samsung2
Source RPM Packages           kdelibs-4.7.3-5.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-67.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     samsung2
Platform                      Linux samsung2 3.1.5-6.fc16.i686.PAE #1 SMP Thu Dec 15 16:19:31 UTC 2011 i686 i686
Alert Count                   4
First Seen                    Mon 19 Dec 2011 07:58:50 PM GMT
Last Seen                     Thu 22 Dec 2011 10:49:03 AM GMT
Local ID                      57d7af8a-2535-4193-a8ae-fb7fb2445495

Raw Audit Messages
type=AVC msg=audit(1324550943.870:75): avc: denied { create } for pid=1715 comm="lnusertemp" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1324550943.870:75): arch=i386 syscall=mkdir success=no exit=EACCES a0=bfec3779 a1=1c0 a2=bfec3779 a3=bfec3718 items=0 ppid=1709 pid=1715 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lnusertemp exe=/usr/libexec/kde4/lnusertemp subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: lnusertemp,xdm_t,admin_home_t,dir,create

audit2allow

#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t admin_home_t:dir create;

audit2allow -R

#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t admin_home_t:dir create;

Expected results:
No selinux troubleshoot popping into the notification area at login

Additional info:
f16 fully up to date. 3.1.5-6.fc16.i686.PAE
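Added example, not part of the original report and not setroubleshoot's own code: a Python script that parses the raw AVC record above into the tuple shown on the report's "Hash:" line and into the rule audit2allow prints, so a denial can be read before anything is loaded. The function names are hypothetical, the second log line is constructed, and joining several permissions with commas in the key is an assumption.

```python
import re
from collections import Counter

# AVC record copied from the report above (one audit record per line).
SAMPLE_LOG = [
    'type=AVC msg=audit(1324550943.870:75): avc: denied { create } for pid=1715 '
    'comm="lnusertemp" name=".kde" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    # Constructed non-AVC line, to show that other record types are skipped.
    'type=USER_START msg=audit(1324550944.001:76): pid=1709 uid=0 res=success',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of user:role:type[:mls]; the MLS part may contain ':'."""
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {context!r}')
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        'comm': fields['comm'],
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'perms': m.group(1).split(),
    }

def denial_key(d):
    """Grouping key laid out like the report's 'Hash:' line."""
    return ','.join([d['comm'], d['source'], d['target'], d['tclass'], *d['perms']])

def allow_rule(d):
    """Rule in the form audit2allow prints above; read it before loading a module."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

def summarize(lines):
    """Count denials per key so repeated alerts collapse to one entry."""
    return Counter(denial_key(d) for d in map(parse_avc, lines) if d)

if __name__ == '__main__':
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, key)
    print(allow_rule(parse_avc(SAMPLE_LOG[0])))
```

Reading the parsed tuple first makes it visible that the source domain is xdm_t and the target label is admin_home_t, which is the information the later comments in this thread work from.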
I decided to log in to kde to see if it was a problem there - no avc. When I logged back in to xfce there was no further selinux troubleshooter appearance either! So I now don't know what the interactions are here that led to the problem in the first place?
restorecon -R -v /root

Should fix this for good.
Thanks Dan - I just want to check that it is indeed the /root dir in the command, and not / or ~/ before executing it.
*** Bug 772325 has been marked as a duplicate of this bug. ***
restorecon doesn't help. AVCs still occur.

$ sudo find / -context system_u:object_r:admin_home_t:s0
/root
/root/.bashrc
/root/.bash_logout
/root/.bash_profile

I didn't log in as root. I log in as an ordinary user:

$ id
uid=1001(justynka) gid=1001(justynka) grupy=1001(justynka),10(wheel),1002(vboxusers) kontekst=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The first avc talks about /root/.kde. Is this the same thing you are seeing?
I'm sorry, but after restorecon on all FS and a reboot, all is working fine. No more AVCs.