Description of problem: I'm seeing this on startup. Not sure it affects anything. avc: denied { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.17 spid=573 tpid=561 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=? Seems to be related to the fprintd package Feb 19 10:56:14 vmf17 dbus-daemon[427]: dbus[427]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper) Feb 19 10:56:14 vmf17 dbus[427]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper) Feb 19 10:56:14 vmf17 dbus-daemon[427]: Launching FprintObject Feb 19 10:56:14 vmf17 dbus-daemon[427]: dbus[427]: [system] Successfully activated service 'net.reactivated.Fprint' Feb 19 10:56:14 vmf17 dbus[427]: [system] Successfully activated service 'net.reactivated.Fprint' Feb 19 10:56:14 vmf17 dbus-daemon[427]: ** Message: D-Bus service launched with name: net.reactivated.Fprint # ps -feZ | grep initrc_t system_u:system_r:initrc_t:s0 root 376 1 0 Feb19 ? 00:00:00 /usr/sbin/inputwatch system_u:system_r:initrc_t:s0 root 456 1 0 Feb19 ? 00:00:00 kdm -nodaemon system_u:system_r:initrc_t:s0 root 561 456 0 Feb19 ? 00:00:00 -:0 system_u:system_r:initrc_t:s0 root 564 561 0 Feb19 ? 00:01:29 /usr/libexec/kde4/kdm_greet # cat /usr/share/dbus-1/system-services/net.reactivated.Fprint.service [D-BUS Service] Name=net.reactivated.Fprint Exec=/usr/libexec/fprintd User=root Version-Release number of selected component (if applicable): selinux-policy-3.10.0-89.fc17.noarch fprintd-0.4.1-2.fc17.x86_64
# ps -feZ | grep dbus system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 dbus 427 1 0 Feb19 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
ps -eZ | grep initrc_t
(In reply to comment #2) > ps -eZ | grep initrc_t Is in the initial report
The problem is kdm_greet is running as initrc_t instead of xdm_t. $ chcon -t xdm_exec_t /usr/bin/kdm I am fixing labels. commit c6fbdb494cf7dc1d0907cf7a8c02af57d8350440 Author: Miroslav Grepl <mgrepl> Date: Tue Feb 21 10:43:53 2012 +0000 Fix mysql interface naming Fix label for kdm
I did the chcon and rebooted. Now I see lots of: type=AVC msg=audit(1329840242.668:57): avc: denied { sys_ptrace } for pid=595 comm="pidof" capability=19 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability but the dbus avc is gone.
selinux-policy-3.10.0-91.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-91.fc17
Package selinux-policy-3.10.0-91.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-91.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-2180/selinux-policy-3.10.0-91.fc17 then log in and leave karma (feedback).
I'm still seeing kdm mislabeled with -91, is that fix in there?
I see matchpathcon /usr/bin/kdm /usr/bin/kdm system_u:object_r:xdm_exec_t:s0 selinux-policy-3.10.0-92.fc17.noarch
Me too with -91. Perhaps this is because the installer image has an earlier selinux-policy and so the context isn't correct at install time? Also, what about the sys_ptrace message? I still see them with -93.
Yes, this issue has been fixed in the latest policy. Which one? There will be some fixes in -94 policy
selinux-policy-3.10.0-91.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.