selinux question(s) (/home really = /n/home..)

Matt Nicholson sjoeboo at sjoeboo.com
Tue Nov 4 20:02:06 UTC 2008


So, after finding a similar sounding bug, I upgraded libxcb to the version
from rawhide, and everything is working now....time to go file a bug/comment
on one...

On Tue, Nov 4, 2008 at 2:22 PM, Matt Nicholson <sjoeboo at sjoeboo.com> wrote:

>
> Output from /var/log/messages as I try to log in as guest user (xguest):
>
> Nov  4 14:13:15 dhcp-0016533596-c5-74 gconfd (gdm-2932): Exiting
> Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
> subsystem ns
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): starting
> (version 2.22.0), pid 3121 user 'xguest'
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
> configuration source at position 0
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address "xml:readwrite:/home/xguest/.gconf" to a writable configuration
> source at position 1
> Nov  4 14:13:16 dhcp-0016533596-c5-74 gconfd (xguest-3121): Resolved
> address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only
> configuration source at position 2
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
> Nov  4 14:13:16 dhcp-0016533596-c5-74 acpid: client connected from
> 3229[0:0]
> Nov  4 14:13:17 dhcp-0016533596-c5-74 kernel: mtrr: base(0xd0000000) is not
> aligned on a size(0x3e80000) boundary
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): starting (version
> 2.22.0), pid 3258 user 'gdm'
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration
> source at position 0
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.system" to a read-only configuration
> source at position 1
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/var/lib/gdm/.gconf.mandatory" to a read-only configuration
> source at position 2
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readwrite:/var/lib/gdm/.gconf" to a writable configuration source at
> position 3
> Nov  4 14:13:18 dhcp-0016533596-c5-74 gconfd (gdm-3258): Resolved address
> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration
> source at position 4
> Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting
> value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> existing read-only value: Value for
> `/apps/gnome-screensaver/power_management_delay' set in a read-only source
> at the front of your configuration path
> Nov  4 14:13:19 dhcp-0016533596-c5-74 gconfd (gdm-3258): Error setting
> value for `/apps/gnome-screensaver/power_management_delay': Can't overwrite
> existing read-only value: Value for
> `/apps/gnome-screensaver/power_management_delay' set in a read-only source
> at the front of your configuration path
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: polkit.c: Cannot
> set UID on session object.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: Called SUID
> root and real-time/high-priority scheduling was requested in the
> configuration. However, we lack the necessary priviliges:
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: We are not
> in group 'pulse-rt' and PolicyKit refuse to grant us priviliges. Dropping
> SUID again.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c: For
> enabling real-time scheduling please acquire the appropriate PolicyKit
> priviliges, or become a member of 'pulse-rt', or increase the
> RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user.
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: main.c:
> setrlimit(RLIMIT_RTPRIO, (9, 9)) failed: Operation not permitted
> Nov  4 14:13:19 dhcp-0016533596-c5-74 pulseaudio[3307]: alsa-util.c: Device
> front:0 doesn't support 44100 Hz, changed to 44099 Hz.
>
> Obviously, the things that stick out in there are the:
>
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
>
> and:
>
> Nov  4 14:13:15 dhcp-0016533596-c5-74 kernel: Not cloning cgroup for unused
> subsystem ns
>
> More specifically, the sealert says:
>
> SELinux is preventing dbus-daemon (xguest_dbusd_t) "read write" to socket
> (xguest_t).
>
>
>
> On Tue, Nov 4, 2008 at 2:03 PM, Matt Nicholson <sjoeboo at sjoeboo.com> wrote:
>
>> Yes, all up to date. A new build from my kickstart is finishing updating
>> right now (had to add oddjob/turn it on by default). Once it's done I'll send
>> what info I can.
>>
>> Before, I was getting an selinux alert/error, but I generated and loaded a
>> local policy, which took care of the selinux alert, but still didn't fix
>> xguest (it just bounces back out to GDM).
>>
>> More coming soon. Thanks for all the help!
>>
>>
>>
>> On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Matt Nicholson wrote:
>>> > Right, that did it (after I started the oddjobd service, that is).
>>> >
>>> > Now, the original reason I turned selinux back on was to use
>>> > xguest....sadly, this isn't working still...
>>> >
>>> Why not?  Are you fully up2date?
>>>
>>> xguest should be working on F9 and F10 right now.
>>>
>>> <SNIP>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>>
>>> iEYEARECAAYFAkkQmlkACgkQrlYvE4MpobNXvwCeK5prZkPCBNDq3cYprnuwkJOZ
>>> JaQAnRpM41iDhoQ0AWeTmmqYAqrpLLLI
>>> =rAZp
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>
>>
>
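
Added example, not part of the thread or of any Fedora tool: a Python parser that pulls the AVC denial out of syslog text pasted into mail as above, undoing the '>' quoting and line wrapping and counting a repeated audit event id once. The function names are illustrative, and it assumes every quoted line fed to it is syslog output.

```python
import re

AVC_LINES = """\
> Nov  4 14:13:16 dhcp-0016533596-c5-74 kernel: type=1400
> audit(1225825996.389:5): avc:  denied  { read write } for  pid=3148
> comm="dbus-daemon" path="socket:[37602]" dev=sockfs ino=37602
> scontext=xguest_u:xguest_r:xguest_dbusd_t:s0
> tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=unix_stream_socket
"""
# Constructed input: the AVC record and the ssh-agent line from the thread,
# still quoted and wrapped, with the AVC record repeated as in the message.
QUOTED_LOG = AVC_LINES + """\
> Nov  4 14:13:16 dhcp-0016533596-c5-74 ssh-agent[3166]: error: setrlimit
> RLIMIT_CORE: Permission denied
""" + AVC_LINES

SYSLOG_START = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(r"audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+"
                 r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Drop mail quote markers and rejoin syslog records the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)       # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of a wrapped record
    return records

def parse_denials(text):
    """Return one dict per distinct audit event id that is an AVC denial."""
    seen = {}
    for record in unwrap(text):
        m = AVC.search(record)
        if not m or m.group("id") in seen:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group("rest"))}
        seen[m.group("id")] = {
            "event": m.group("id"),
            "perms": m.group("perms").split(),
            "comm": f.get("comm"),
            # an SELinux context is user:role:type[:level]; keep the type
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2],
            "tclass": f.get("tclass"),
        }
    return list(seen.values())
```
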