Bug 968975 - avc: denied { setattr } for pid=4446 comm="gdm" name="gdm" dev="dm-1"
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-05-30 08:02 EDT by Jaroslav Škarvada
Modified: 2013-05-30 17:29 EDT
Last Closed: 2013-05-30 17:29:19 EDT
Type: Bug
Doc Type: Bug Fix
Description Jaroslav Škarvada 2013-05-30 08:02:46 EDT
Description of problem:
When running gdm on the compose RHEL-7.0-20130529.n.1, the following AVC shows up in the log (IIRC it repeats if gdm is restarted):

May 30 12:13:46 dhcp-25-243 kernel: [ 1628.769135] type=1400 audit(1369908826.768:10): avc:  denied  { setattr } for  pid=4446 comm="gdm" name="gdm" dev="dm-1" ino=137413002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
May 30 12:14:41 dhcp-25-243 kernel: [ 1683.616987] type=1400 audit(1369908881.615:11): avc:  denied  { setattr } for  pid=4738 comm="gdm" name="gdm" dev="dm-1" ino=137413002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir

It seems to be harmless.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-46.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set boot to graphical target
2. Try to login through gdm

Actual results:
Above mentioned AVC

Expected results:
No AVC

Additional info:
I tried to autorelabel the filesystem, but the problem persists.
Comment 2 Miroslav Grepl 2013-05-30 10:47:27 EDT
What does

# ls -dZ /var/gdm /var/lib/gdm
Comment 3 Jaroslav Škarvada 2013-05-30 11:01:53 EDT
ls -dZ /var/gdm /var/lib/gdm
drwx--x--x. gdm gdm unconfined_u:object_r:var_t:s0   /var/gdm
drwxrwx--T. gdm gdm system_u:object_r:xdm_var_lib_t:s0 /var/lib/gdm

It was probably fixed by restorecon:
# restorecon -v /var/gdm
restorecon reset /var/gdm context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:xserver_log_t:s0

Interesting that the autorelabel didn't fix it.

I cannot reboot the machine now, but I will try to reboot it later (i.e. tomorrow) to see whether the problem is gone.
Comment 4 Jaroslav Škarvada 2013-05-30 17:29:19 EDT
It does seem to work after reboot. I have no idea how it got the wrong label. Closing, sorry for the false positive.
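The triage that Comments 2 and 3 do by hand, as an added example that is not part of the bug report: parse the AVC records from the description into their fields, reduce each one to "source type, permission, class, target type", and decide whether the denial is a mislabeled file (fix with restorecon, as here) or a genuine policy gap (audit2allow / selinux-policy bug territory) by comparing the target type in the denial with the type the policy expects for the path. The script is POSIX sh with sed and cut; it calls `matchpathcon` from libselinux-utils only when that binary is present and otherwise takes the expected context as an argument, so it runs offline. The two sample lines are the records from the description, and the fallback context `unconfined_u:object_r:xserver_log_t:s0` is the one `restorecon -v` applied to /var/gdm in Comment 3.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Parses SELinux AVC denial records and classifies each as "mislabel"
# (the file's type differs from what file_contexts expects) or "policy"
# (the label is right, the policy really lacks the rule).
# Assumes: POSIX sh, sed, cut. matchpathcon (libselinux-utils) is optional.

# Sample input: the two kernel AVC lines quoted in the bug description.
SAMPLE_AVCS='May 30 12:13:46 dhcp-25-243 kernel: [ 1628.769135] type=1400 audit(1369908826.768:10): avc:  denied  { setattr } for  pid=4446 comm="gdm" name="gdm" dev="dm-1" ino=137413002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
May 30 12:14:41 dhcp-25-243 kernel: [ 1683.616987] type=1400 audit(1369908881.615:11): avc:  denied  { setattr } for  pid=4738 comm="gdm" name="gdm" dev="dm-1" ino=137413002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir'

# avc_field LINE KEY -> value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list inside "{ ... }", e.g. "setattr".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SRC_TYPE PERMS TCLASS TGT_TYPE"
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# classify_denial TCONTEXT EXPECTED_CONTEXT -> "mislabel" or "policy"
# Only the type is compared: that is the component the AVC rule is keyed on
# and the one restorecon (without -F) resets.
classify_denial() {
    if [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]; then
        echo policy
    else
        echo mislabel
    fi
}

# expected_context PATH FALLBACK -> context file_contexts assigns to PATH,
# from matchpathcon when installed, else FALLBACK (hypothetical caller value).
expected_context() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -n "$1"
    else
        printf '%s\n' "$2"
    fi
}

# triage_sample -> one "pid=N SRC PERM CLASS TGT -> verdict" line per record.
triage_sample() {
    printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r line; do
        tctx=$(avc_field "$line" tcontext)
        # /var/gdm is the directory from the report (name="gdm" under /var);
        # the fallback is the context restorecon applied to it in Comment 3.
        exp=$(expected_context /var/gdm unconfined_u:object_r:xserver_log_t:s0)
        printf 'pid=%s %s -> %s\n' "$(avc_field "$line" pid)" \
            "$(avc_summary "$line")" "$(classify_denial "$tctx" "$exp")"
    done
}

triage_sample
```

Run stand-alone it prints `pid=4446 xdm_t setattr dir var_t -> mislabel` and the same for pid 4738, which is the conclusion Comment 3 reached with `ls -dZ` and `restorecon -v`. Two things worth noticing in that comment's output: the user component of /var/gdm is `unconfined_u` before and after the reset, because `restorecon` without `-F` only rewrites the type, and a target labelled with an unconfined user on a system directory is itself a hint that the directory was created from an interactive unconfined session rather than by the package or by gdm running as xdm_t.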
