I checked out the policy from svn at version 2301 and built it on FC7 Rawhide. After switching from target to strict, I cannot make my gnome-settings-daemon work well.

### The detailed context is in this thread: http://marc.info/?l=selinux&m=118050940823692&w=2 ###

I log in as a normal user through the X window system, but I got another error:

"Fails to execute program: /usr/libexec/gnome-settings-daemon"

The corresponding AVC messages were:

type=AVC msg=audit(1180319582.421:32): avc: denied { execute } for pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1 ino=215756 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1180319582.421:32): avc: denied { execute_no_trans } for pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1 ino=215756 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

I added two template calls in dbus_per_role_template() to remove these two errors:

corecmd_exec_bin($1_dbusd_t)

Additionally, there are still other errors about gnome-settings-daemon:

type=AVC msg=audit(1180319581.037:31): avc: denied { search } for pid=1844 comm="dbus-daemon" name="yangshao" dev=sda1 ino=1407785 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

I used an interface to remove this denial (also in dbus_per_role_template()):

userdom_search_user_home_dirs($1,$1_dbusd_t)

After re-making and rebooting, I got another error:

"... /usr/libexec/gnome-settings-daemon received singal 6..."

It seemed that gnome-settings-daemon received a SIGABRT signal, and I found an AVC denied message:

type=AVC msg=audit(1180493663.406:31): avc: denied { getsched } for pid=1856 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=process

So I permitted getsched for user_dbusd_t to try to fix this "signal 6" error:

allow $1_dbusd_t self:process { getattr sigkill signal getsched };

But after adding this, gnome-settings-daemon exits with status 1 after rebooting, and some AVC denied messages came out:

type=AVC msg=audit(1180494884.832:87): avc: denied { search } for pid=2112 comm="gnome-settings-" name=".X11-unix" dev=sda1 ino=327976 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1180494884.840:88): avc: denied { create } for pid=2112 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1180494884.840:89): avc: denied { name_connect } for pid=2112 comm="gnome-settings-" dest=6000 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket

I wonder whether these errors are caused by my modification, and how to make gnome-settings-daemon work?

Thanks in advance