SELinux is preventing /usr/bin/xrdb from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X1. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xrdb should be allowed connectto access on the X1 unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xrdb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:inetd_child_t:s0-s0:c0.c1023 Target Objects @/tmp/.X11-unix/X1 [ unix_stream_socket ] Source xrdb Source Path /usr/bin/xrdb Port <Unknown> Host (removed) Source RPM Packages xorg-x11-server-utils-7.5-5.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-52.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.42.12-1.fc15.x86_64 #1 SMP Tue Mar 20 16:30:08 UTC 2012 x86_64 x86_64 Alert Count 2 First Seen Mon 23 Apr 2012 11:29:33 AM IST Last Seen Mon 23 Apr 2012 11:30:14 AM IST Local ID 3e446ea9-5824-4001-b5fa-2bdf30568d99 Raw Audit Messages type=AVC msg=audit(1335160814.617:84): avc: denied { connectto } for pid=4738 comm="xrdb" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=SYSCALL msg=audit(1335160814.617:84): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fff1d014240 a2=14 a3=7fff1d014243 items=0 ppid=4737 pid=4738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xrdb exe=/usr/bin/xrdb subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: xrdb,xdm_t,inetd_child_t,unix_stream_socket,connectto audit2allow #============= xdm_t ============== allow xdm_t inetd_child_t:unix_stream_socket connectto; audit2allow -R #============= xdm_t ============== allow xdm_t inetd_child_t:unix_stream_socket connectto;
What are you doing? Was this X running out of xineted?
I had to access the machine on remote. So I created a service in xinetd & took vnc through vncviewer of GDM on remote site. I think the machine was running on selinux permissive mode & this was only an informational log of access violation.
Ok that would explain. If you wanted this to run in enforcing mode then you would have to write local custom policy.
It would be security wise very beneficial if a generalized policy be created for such scenarios. That was my primary purpose for reporting it.