On 05/12/2010 10:44 PM, Dominick Grift wrote:
> On 05/12/2010 09:10 PM, Alan Rouse wrote:
>> I'm down to one AVC left booting to a desktop in OpenSUSE 11.3 milestone 6.
>>
>> type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for pid=3089 comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
>>
>> It looks to me like somewhere late in the boot, a windowing error occurs and it attempts to log it to .xsession-errors. For some reason at that point in time it attempts to relabel that file and is denied.
>>
>> The file context on .xsession-errors in the unprivileged user's home directory is user_u:object_r:user_home_t:s0
>>
>> However, when I run audit2allow on that avc, it says "This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work."
>>
>> Should I relabel .xsession-errors? If so, to what?
>>
>
> Here in Fedora that file is xdm_home_t but nonetheless both should have
> the user_home_type attribute and $1_usertype (attribute for user
> domains) should be able to relabelto and relabelfrom user_home_types.
>
> In other words the user should be able to relabel the file.
>
> However, since audit2allow says that it is a constraint violation,
> I am guessing that UBAC is enabled.
>
> That would mean that the user_u SELinux identity cannot interact with the
> system_u SELinux identity of the file's label.
>
> In that case, either deal with UBAC or disable UBAC.
>

Well actually, I bet the file context for this location has system_u specified and restorecond just does what it's told. So restorecond (which runs as the user_u SELinux identity) is trying to relabel the file ~/.xsession-errors (with the user_u SELinux identity) to the specified context of system_u:object_r:xauth_home_t:s0. I am guessing that is not allowed by the constraints.

I wonder what the proper solution is, but my money says the file context specification for that and other locations in "user_u" home should have the user_u SELinux identity. The question would then be how does genhomedircon know what identity to use for the various different SELinux user homes.
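As an added example (not part of the thread, and not code from any distribution's policy tooling), here is a small Python script that does the triage the discussion above describes by hand: it parses an AVC record like the one quoted, compares the SELinux identity and MLS range of scontext and tcontext (the fields a plain allow rule cannot fix, which is what audit2allow's "constraint violation" message points at), and scans HOME_DIR file-context specs for a context that pins a fixed system_u identity. The file_contexts lines are constructed for illustration and the function names are my own.

```python
import re

# Constructed sample input: the AVC record quoted in the thread, reused as test data.
SAMPLE_AVC = (
    'type=AVC msg=audit(127369094.093:8): avc: denied { relabelfrom } for pid=3089 '
    'comm="restorecond" name=".xsession-errors" dev=sda3 ino=127759 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file'
)

# Constructed file_contexts.homedirs-style entries (hypothetical, not from any real policy):
# the first hardcodes system_u for a per-user file, the second uses a user identity.
SAMPLE_FC_LINES = [
    'HOME_DIR/\\.xsession-errors\t--\tsystem_u:object_r:xauth_home_t:s0',
    'HOME_DIR/\\.Xauthority\t--\tuser_u:object_r:xauth_home_t:s0',
]

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERMS_RE = re.compile(r'\{ ([^}]*) \}')       # the denied permission set


def parse_avc(line):
    """Parse one AVC record into a dict of its fields plus the denied permission list."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    m = _PERMS_RE.search(line)
    fields['perms'] = m.group(1).split() if m else []
    return fields


def split_context(ctx):
    """Split 'user:role:type[:range]' into a dict; the MLS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    return dict(zip(('user', 'role', 'type', 'range'), parts))


def triage_constraint(avc):
    """Report which constraint-relevant fields differ between source and target.

    A differing SELinux identity is what a UBAC constraint keys on; a differing
    range is what an MLS constraint keys on. Neither is fixable with an allow rule.
    """
    s = split_context(avc['scontext'])
    t = split_context(avc['tcontext'])
    differs = [k for k in ('user', 'range') if s.get(k) != t.get(k)]
    return {'source': s, 'target': t, 'differs': differs, 'perms': avc['perms']}


def homedir_specs_with_fixed_identity(fc_lines, identity='system_u'):
    """Return (path_regex, context) for HOME_DIR specs whose context pins `identity`."""
    hits = []
    for line in fc_lines:
        cols = line.split()
        if not cols or not cols[0].startswith('HOME_DIR'):
            continue
        ctx = cols[-1]
        if split_context(ctx)['user'] == identity:
            hits.append((cols[0], ctx))
    return hits


if __name__ == '__main__':
    result = triage_constraint(parse_avc(SAMPLE_AVC))
    print('denied perms:', result['perms'])
    print('fields differing between scontext and tcontext:', result['differs'])
    print('HOME_DIR specs pinned to system_u:',
          homedir_specs_with_fixed_identity(SAMPLE_FC_LINES))
```

On the quoted record the script reports that only the identity differs (user_u versus system_u), which matches the UBAC explanation above; if instead the range differed, the MLS constraints would be the place to look.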