-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/25/2013 09:03 AM, ????????? ???????? wrote: >> The message I'm now seeing in /var/log/audit/audit.log : >> >> type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for >> pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 >> scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 >> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL >> msg=audit(1385112688.399:67769): arch=c000003e syscall=2 success=no >> exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 pid=8218 >> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 >> fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth" >> subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null) > > You may try to add the following rules to your local policy, but do you > really need this? It seems like you shouldn't have any problems with > non-root accounts. > > module local 1.0; > > require { type xauth_t; type home_root_t; class dir write; } > > #============= xauth_t ============== #!!!! The source type 'xauth_t' can > write to a 'dir' of the following types: # user_home_t, xauth_tmp_t, > var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t, > nx_server_var_lib_t, nfs_t > > allow xauth_t home_root_t:dir write; > > > _______________________________________________ CentOS mailing list > CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos > No this is not correct. The problem is the parent directory should be user_home_dir_t not home_root_t. restorecon -R -v /home -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlKTWjoACgkQrlYvE4MpobPBXQCeMk2Fh5Wz09xbQLaeI/ePmbfz 6FAAn2Q5RQWELYrSpf9qsEbLCet7Uska =wZPk -----END PGP SIGNATURE----- _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos