Write denied, but no write attempted!?!
Göran Uddeborg
goeran at uddeborg.se
Sun Sep 16 20:42:13 UTC 2007
I'm using xdm rather than gdm. SELinux prevents
/sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
(var_log_t). It happens once every time someone logs in or out. See
the attached mail from SETroubleshoot for an example.

To understand what is going on, I tried to strace the processes. But
pam_console_apply doesn't attempt to write anything at all! See the
attached (compressed) strace from pid 4480, the process mentioned in
the SETroubleshoot mail.

Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that
the open fd is inherited by pam_console_apply. But if the inheritance
itself was disallowed, wouldn't it be a "use" that would be denied by
SELinux rather than a "write"?

What am I missing?

(The system is not up-to-date. It is possible this message would go
away with an upgrade. I'm not looking for a way to get rid of the
message here, I'm trying to understand what is going on.)
-------------- next part --------------
An embedded message was scrubbed...
From: SELinux_Troubleshoot at freddi.uddeborg.se
Subject: [SELinux AVC Alert] SELinux is preventing /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log (var_log_t).
Date: Sun, 16 Sep 2007 20:11:10 -0000
Size: 10996
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20070916/c3acb27a/attachment.eml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: #xdm.4480.bz2
Type: application/octet-stream
Size: 10447 bytes
Desc: Strace of pam_cansole_apply
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20070916/c3acb27a/attachment.obj>
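
The inheritance the message suspects can be checked in isolation: a descriptor the parent opened for writing stays open for writing in an exec'ed program that never calls write() on it. This is an added example, not part of the original message; it involves no SELinux, the function name and log path are constructed, and it assumes Linux /proc/self/fdinfo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for O_CLOEXEC */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open log_path for append (as a daemon's stderr log would be), then
 * fork+exec cat on /proc/self/fdinfo/<fd> so the exec'ed program reports
 * the descriptor it inherited. Returns its access mode (O_RDONLY,
 * O_WRONLY or O_RDWR), or -1 if the program holds no such descriptor. */
int access_mode_after_exec(const char *log_path, int extra_flags)
{
    char path[64], line[256];
    int out[2], mode = -1;
    unsigned flags;
    int fd = open(log_path, O_WRONLY | O_APPEND | O_CREAT | extra_flags, 0600);
    if (fd < 0) return -1;
    if (pipe(out) < 0) { close(fd); return -1; }
    snprintf(path, sizeof path, "/proc/self/fdinfo/%d", fd);
    pid_t pid = fork();
    if (pid < 0) { close(fd); close(out[0]); close(out[1]); return -1; }
    if (pid == 0) {                       /* child: never writes to fd */
        dup2(out[1], STDOUT_FILENO);      /* report goes to the pipe */
        dup2(out[1], STDERR_FILENO);      /* so does cat's error, if any */
        close(out[0]); close(out[1]);
        execlp("cat", "cat", path, (char *)NULL);
        _exit(127);
    }
    close(out[1]);
    FILE *in = fdopen(out[0], "r");
    while (in && fgets(line, sizeof line, in))
        if (sscanf(line, "flags: %o", &flags) == 1)   /* octal open flags */
            mode = (int)(flags & O_ACCMODE);
    if (in) fclose(in); else close(out[0]);
    waitpid(pid, NULL, 0);
    close(fd);
    return mode;
}

int main(void)
{
    const char *log = "/tmp/xdm-example.log";         /* constructed path */
    printf("inherited:  %d\n", access_mode_after_exec(log, 0));
    printf("O_CLOEXEC:  %d\n", access_mode_after_exec(log, O_CLOEXEC));
    return 0;
}
```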