Bug 849312 - SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses on the file .xsession-errors.
SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-08-18 01:56 EDT by Pratyush Sahay
Modified: 2012-09-17 12:47 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-08-20 05:47:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Pratyush Sahay 2012-08-18 01:56:27 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.5.1-1.fc17.x86_64
time:           Sat 18 Aug 2012 11:26:07 AM IST

:SELinux is preventing /usr/libexec/gdm-session-worker from 'setattr' accesses on the file .xsession-errors.
:*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
:If you want to allow gdm-session-worker to have setattr access on the .xsession-errors file
:Then you need to change the label on .xsession-errors
:# semanage fcontext -a -t FILE_TYPE '.xsession-errors'
:where FILE_TYPE is one of the following: fonts_cache_t, xserver_log_t, faillog_t, lastlog_t, xdm_log_t, gnome_home_type, etc_runtime_t, xdm_tmp_t, pcscd_var_run_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, gconf_home_t, user_tmpfs_type, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_tmp_t, auth_home_t, xauth_home_t, auth_cache_t, user_fonts_t, xdm_tmpfs_t, xdm_spool_t, krb5_host_rcache_t. 
:Then execute: 
:restorecon -v '.xsession-errors'
:*****  Plugin catchall (17.1 confidence) suggests  ***************************
:If you believe that gdm-session-worker should be allowed setattr access on the .xsession-errors file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:mnt_t:s0
:Target Objects                .xsession-errors [ file ]
:Source                        gdm-session-wor
:Source Path                   /usr/libexec/gdm-session-worker
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           gdm-3.4.1-3.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-145.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.1-1.fc17.x86_64 #1 SMP Thu Aug
:                              9 17:50:43 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    2012-08-17 12:23:59 IST
:Last Seen                     2012-08-17 12:37:44 IST
:Local ID                      b157acc1-bf26-44a9-ae19-83bfd92ba09a
:Raw Audit Messages
:type=AVC msg=audit(1345187264.44:429): avc:  denied  { setattr } for  pid=32277 comm="gdm-session-wor" name=".xsession-errors" dev="sda1" ino=913973 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=file
:type=SYSCALL msg=audit(1345187264.44:429): arch=x86_64 syscall=fchmod success=yes exit=0 a0=e a1=180 a2=e a3=6f7272652d6e6f69 items=0 ppid=32223 pid=32277 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=23 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:Hash: gdm-session-wor,xdm_t,mnt_t,file,setattr
:#============= xdm_t ==============
:allow xdm_t mnt_t:file setattr;
:audit2allow -R
:#============= xdm_t ==============
:allow xdm_t mnt_t:file setattr;
Comment 1 Miroslav Grepl 2012-08-20 05:47:00 EDT
You will need to execute

# restorecon -R -v /home

to fix this issue.
Comment 2 Pratyush Sahay 2012-08-20 06:58:07 EDT
Thanks for the info.. Thought to add though - this started happening upon creating a new user (standaRD). Every time the standard user logged in, selinux would show up this message on the admin user's account.
Comment 3 Miroslav Grepl 2012-08-22 08:18:16 EDT
Ok, what is path to your home dirs?
Comment 4 Pratyush Sahay 2012-08-22 09:16:27 EDT
Admin user(ipcv11) home dir: /home/ipcv11. Had created the standard user from "User Accounts" in "System Settings" (Gnome). So, the home dir created for standard user(ipcv2) was: /home/ipcv2.
Comment 5 Daniel Walsh 2012-09-17 12:47:08 EDT
And it was labeled mnt_t?  This looks strange.

Note You need to log in before you can comment on or make changes to this bug.