Re: Restorecond and .xsession-errors


On 05/12/2010 09:10 PM, Alan Rouse wrote:
> I'm down to one AVC left booting to a desktop in OpenSUSE 11.3 milestone 6.
> 
> type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for pid=3089 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> 
> It looks to me like somewhere late in the boot, a windowing error occurs and it attempts to log it to .xsession-errors.  For some reason at that point in time it attempts to relabel that file and is denied.
> 
> The file context on .xsession-errors in the unprivileged user's home directory is user_u:object_r:user_home_t:s0
> 
> However, when I run audit2allow on that avc, it says "This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work."
> 
> Should I relabel .xsession-errors?  If so, to what?
> 
> 

Here in Fedora that file is xdm_home_t but nonetheless both should have
the user_home_type attribute and $1_usertype (attribute for user
domains) should be able to relabelto and relabelfrom user_home_types.

In other words the user should be able to relabel the file.

However, since audit2allow says that it is a constraint violation,
I am guessing that UBAC is enabled.

That would mean that the user_u SELinux identity cannot interact with the
system_u SELinux identity of the file's label.

In that case, either deal with UBAC or disable UBAC.
