On 08/27/2010 08:34 PM, Daniel B. Thurman wrote:
Yes, I know F9 is obsolete but I still use it!
BTW: for some reason I am not getting back selinux emails that I posted,
which is why I sent it twice - was there a burp in the mailing system?
Just need to figure out what this means and a fix for it please?
=================================================
Summary:
SELinux is preventing the gnome-settings- from using potentially mislabeled
files (socket).
Detailed Description:
SELinux has denied gnome-settings- access to potentially mislabeled file(s)
(socket). This means that SELinux will not allow gnome-settings- to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are
not allowed to access.
Allowing Access:
If you want gnome-settings- to access this files, you need to relabel them
using restorecon -v 'socket'. You might want to relabel the entire directory
using restorecon -R -v '<Unknown>'.
Additional Information:
Source Context        system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context        system_u:object_r:tmp_t:s0
Target Objects        socket [ sock_file ]
Source                gnome-settings-
Source Path           /usr/libexec/gnome-settings-daemon
Port                  <Unknown>
Host                  gold.cdkkt.com
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-135.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           home_tmp_bad_labels
Host Name             gold.cdkkt.com
Platform              Linux gold.cdkkt.com 2.6.27.25-78.2.56.fc9.i686 #1
                      SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
Alert Count           378
First Seen            Fri 27 Aug 2010 11:09:22 AM PDT
Last Seen             Fri 27 Aug 2010 11:09:26 AM PDT
Local ID              bdb33ade-aa41-4dec-a430-ae0ad4594254
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1282932566.767:3581): avc:
denied { read write } for pid=3079 comm="gnome-settings-"
name="socket" dev=sda8 ino=245843
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
That is pulseaudio. Well, strictly speaking it's gnome settings daemon,
but in gnome, pulseaudio is kind of integrated into settings daemon.
Basically it wants to read/write the socket in /tmp/.esd*
I am not certain though if /tmp/.esd* should be labelled tmp_t or
user_tmp_t, and so I think it is best if you can see if you can
reproduce this issue before I suggest a patch.
Basically what you would do is:
rm -rf /tmp/.esd*
rm -rf /tmp/pulse
rm -rf ~/.pulse-cookie
rm -rf ~/.Pulse
rm -rf ~/.esd_auth
Then reboot and see with what type the pulseaudio objects in /tmp were
created.
I run a modified policy in which pulseaudio runs in the gnome settings
daemon security domain. I basically did that to make sure the paths
above always get labelled properly, whether you start pulseaudio manually
or via gnome.
=================================================