Bug 827182 - SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses on the file .xsession-errors.
SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses...
Status: CLOSED DUPLICATE of bug 827045
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:68cb03436e7dd047ddf05545a70...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-31 16:24 EDT by klement.sekera
Modified: 2012-06-04 11:25 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-04 11:25:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description klement.sekera 2012-05-31 16:24:40 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.4-5.fc17.x86_64
time:           Thu 31 May 2012 10:24:13 PM CEST

description:
:SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses on the file .xsession-errors.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that gdm-session-worker should be allowed setattr access on the .xsession-errors file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:ecryptfs_t:s0
:Target Objects                .xsession-errors [ file ]
:Source                        gdm-session-wor
:Source Path                   /usr/libexec/gdm-session-worker
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           gdm-3.4.1-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7
:                              17:29:34 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Thu 31 May 2012 10:23:56 PM CEST
:Last Seen                     Thu 31 May 2012 10:23:56 PM CEST
:Local ID                      cd15ac23-a338-4f77-8115-c5758fea769b
:
:Raw Audit Messages
:type=AVC msg=audit(1338495836.350:228): avc:  denied  { setattr } for  pid=14256 comm="gdm-session-wor" name=".xsession-errors" dev="ecryptfs" ino=1315696 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ecryptfs_t:s0 tclass=file
:
:
:type=AVC msg=audit(1338495836.350:228): avc:  denied  { setattr } for  pid=14256 comm="gdm-session-wor" name="ECRYPTFS_FNEK_ENCRYPTED.FXZsMvSiEYbtYESwiRaQDIxUulzx2hd4dLTiC9OfKtNbyo0Jacg5svd9ujZEP.a4o481IT7T2ULqcsc-" dev="sda1" ino=1315696 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1338495836.350:228): arch=x86_64 syscall=fchmod success=yes exit=0 a0=e a1=180 a2=e a3=7fff05542590 items=0 ppid=947 pid=14256 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=11 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: gdm-session-wor,xdm_t,ecryptfs_t,file,setattr
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-05-31 16:33:49 EDT
Is your home directory labeled encryptfs_t?
Comment 2 klement.sekera 2012-05-31 16:40:21 EDT
[ksekera@tux ~]$ ls -laZ /home | grep ksekera
drwx------. ksekera ksekera system_u:object_r:ecryptfs_t:s0  ksekera
Comment 3 Daniel Walsh 2012-05-31 16:41:33 EDT
How did you setup this homedir?
Comment 4 klement.sekera 2012-05-31 16:45:54 EDT
I did fresh F17 install and added a user with the installer.
Then installed ecryptfs-utils.
Did authconfig --enableecryptfs --updateall.
Next added user to /etc/group to the ecryptfs user group.
Then under root run ecryptfs-migrate-home -u ksekera
During that I saw an error message (something like failed chown on /dev/shm/ecryptfs-ksekera: no such file or directory), but the script said everything should be fine at the end.
Then tried logging in, homedir wasn't mounted.
Did a restorecon -Rv on /home/.ecryptfs and /home/ksekera
Comment 5 Miroslav Grepl 2012-05-31 16:52:05 EDT
This is still the same issue with ecryptfs which does not support extended attributes.

We have working workaround for this, probably time to add it to the policy.

Basically we would allow to read/manage dirs/files for lot of domains. Something like we have for using NFS.
Comment 6 Daniel Walsh 2012-06-04 11:04:58 EDT
I guess so.  Although I wish it would get xattr support.
Comment 7 Miroslav Grepl 2012-06-04 11:25:34 EDT

*** This bug has been marked as a duplicate of bug 827045 ***

Note You need to log in before you can comment on or make changes to this bug.