SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files (<Unknown>).

Daniel J Walsh dwalsh at redhat.com
Mon Nov 19 20:22:49 UTC 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Just as I sent out the other mail about the selinux denying X I have gotten this one, what should I do?  Advice/comments/suggestions are welcome.
> 
> Regards,
> 
> Antonio 
> 
> Summary
>     SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
>     files (<Unknown>).
> 
> Detailed Description
>     SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
>     (<Unknown>).  This means that SELinux will not allow ck-get-x11-serv to use
>     these files.  It is common for users to edit files in their home directory
>     or tmp directories and then move (mv) them to system directories.  The
>     problem is that the files end up with the wrong file context which confined
>     applications are not allowed to access.
> 
> Allowing Access
>     If you want ck-get-x11-serv to access this files, you need to relabel them
>     using restorecon -v <Unknown>.  You might want to relabel the entire
>     directory using restorecon -R -v <Unknown>.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:consolekit_t
> Target Context                system_u:object_r:user_home_t
> Target Objects                None [ file ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.home_tmp_bad_labels
> Host Name                     localhost
> Platform                      Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP
>                               Fri Nov 16 17:20:39 EST 2007 i686 athlon
> Alert Count                   5
> First Seen                    Sun 11 Nov 2007 09:40:02 AM CST
> Last Seen                     Mon 19 Nov 2007 07:25:44 AM CST
> Local ID                      fa84efec-ad7f-46d6-a356-d16d9235b774
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { read } for comm=ck-get-x11-serv dev=dm-0 name=.Xauthority pid=2874
> scontext=system_u:system_r:consolekit_t:s0 tclass=file
> tcontext=system_u:object_r:user_home_t:s0
> 
> 
> 
> 
> 
> 
>       ____________________________________________________________________________________
> Get easy, one-click access to your favorites. 
> Make Yahoo! your homepage.
> http://www.yahoo.com/r/hs 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This is strange, we worked to change startx to prvent this situation.  I
will update policy to dontaudit this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHQfCZrlYvE4MpobMRAt2hAJ925CgGfugXwWMIElpz+Eue+h/SowCgwNbj
yikbgqVuAIsMDCHBhiyM6Fw=
=eikC
-----END PGP SIGNATURE-----

More information about the fedora-test-list mailing list