libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.4-5.fc17.x86_64 time: Thu 31 May 2012 10:24:13 PM CEST description: :SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses on the file .xsession-errors. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that gdm-session-worker should be allowed setattr access on the .xsession-errors file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 :Target Context system_u:object_r:ecryptfs_t:s0 :Target Objects .xsession-errors [ file ] :Source gdm-session-wor :Source Path /usr/libexec/gdm-session-worker :Port <Unknown> :Host (removed) :Source RPM Packages gdm-3.4.1-1.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-125.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 : 17:29:34 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen Thu 31 May 2012 10:23:56 PM CEST :Last Seen Thu 31 May 2012 10:23:56 PM CEST :Local ID cd15ac23-a338-4f77-8115-c5758fea769b : :Raw Audit Messages :type=AVC msg=audit(1338495836.350:228): avc: denied { setattr } for pid=14256 comm="gdm-session-wor" name=".xsession-errors" dev="ecryptfs" ino=1315696 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file : : :type=AVC msg=audit(1338495836.350:228): avc: denied { setattr } for pid=14256 comm="gdm-session-wor" name="ECRYPTFS_FNEK_ENCRYPTED.FXZsMvSiEYbtYESwiRaQDIxUulzx2hd4dLTiC9OfKtNbyo0Jacg5svd9ujZEP.a4o481IT7T2ULqcsc-" dev="sda1" ino=1315696 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file : : :type=SYSCALL msg=audit(1338495836.350:228): arch=x86_64 syscall=fchmod success=yes exit=0 a0=e a1=180 a2=e a3=7fff05542590 items=0 ppid=947 pid=14256 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=11 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) : :Hash: gdm-session-wor,xdm_t,ecryptfs_t,file,setattr : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
Is your home directory labeled encryptfs_t?
[ksekera@tux ~]$ ls -laZ /home | grep ksekera drwx------. ksekera ksekera system_u:object_r:ecryptfs_t:s0 ksekera
How did you setup this homedir?
I did fresh F17 install and added a user with the installer. Then installed ecryptfs-utils. Did authconfig --enableecryptfs --updateall. Next added user to /etc/group to the ecryptfs user group. Then under root run ecryptfs-migrate-home -u ksekera During that I saw an error message (something like failed chown on /dev/shm/ecryptfs-ksekera: no such file or directory), but the script said everything should be fine at the end. Then tried logging in, homedir wasn't mounted. Did a restorecon -Rv on /home/.ecryptfs and /home/ksekera
This is still the same issue with ecryptfs which does not support extended attributes. We have working workaround for this, probably time to add it to the policy. Basically we would allow to read/manage dirs/files for lot of domains. Something like we have for using NFS.
I guess so. Although I wish it would get xattr support.
*** This bug has been marked as a duplicate of bug 827045 ***