two denials one for ck-get-x11-serv and one for wine

Antonio Olivares olivares14031 at
Wed Aug 12 22:23:05 UTC 2009

Dear fellow selinux experts and users,

I had problems updating a rawhide machine and I used xfce spin to get back in the saddle.  I encountered two denials and I post them here for guidance.  

Thanks in Advance,



SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
files (.Xauthority).

Detailed Description:

SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
(.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want ck-get-x11-serv to access this files, you need to relabel them using
restorecon -v '.Xauthority'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                .Xauthority [ file ]
Source                        ck-get-x11-serv
Source Path                   /usr/libexec/ck-get-x11-server-pid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ConsoleKit-x11-0.3.1-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              2.6.31-0.125.rc5.git2.fc12.i686 #1 SMP Tue Aug 4
                              03:18:57 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 12 Aug 2009 02:42:54 AM CDT
Last Seen                     Wed 12 Aug 2009 02:42:54 AM CDT
Local ID                      ffd20bb6-e1cf-466f-b51e-9de4c94b4991
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): avc:  denied  { read } for  pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 a0=bffedfbc a1=4 a2=18ab18 a3=bffedfbc items=0 ppid=1324 pid=1325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

Can't copy the wine and can't submit the above one to bugzilla.  The wine one looks serious as I try to run some windows programs that worked before without problems.  Will see how I can capture them?


More information about the fedora-selinux-list mailing list