trying to understand SELinux message

Daniel J Walsh dwalsh at redhat.com
Mon Nov 16 16:56:28 UTC 2009


On 11/16/2009 12:09 AM, Paul Allen Newell wrote:
> Hello:
> 
> I just upgraded two of my systems to latest yum update
> (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues
> have been resolved (they have, almost, but that's a separate bugzilla
> report).
> 
> What I am querying about in this email is a message that I am seeing
> when I log in as root (yes, I know the caveats and try to respect, but I
> always make sure the ability is there if I need it). I log in from the
> start page GUI and there are no problems until, after a couple of
> seconds later, a pop-up from the "star icon in the upper right" says I
> got problems. I open it up and it says:
> 
> "SELinux is preventing the gdm-session-wor from using potentially
> mislabeled files (/root)."
> 
> Okay, that's nice to know, but I have no idea what it is trying to tell
> me needs to be fixed. I've got a couple files in the home directory but
> nothing looks funny about them (*.txt cut-and-paste of yum
> update/installs and an html of "how-to-install f11 from scratch").
> 
> I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora
> website instructions to allow root access.
> 
> Closer inspection says that I first began getting this message on
> 20jun09 after a yum update (I did original f11 install at the beginning
> of June). I just hadn't noticed it since I don't often log in as root,
> though I do remember seeing something in the summer and figuring it was
> a glitch that would get fixed in future updates.
> 
> Any suggestions as to what I should be looking for to get rid of this
> message ... if I do indeed actually need to pay attention to it. If
> there is more info I can provide, please let me know what it is and how
> to get it and I will gladly post such.
> 
> Thanks in advance,
> Paul
> 
> 
Paul, SELinux policy cannot be written in such a way to allow you to run X Windows as root.

The problem is too many Applications require rights to write to the homedir and we want to treat /root differently than /home.
Allowing a confined application to write to /root would allow it to do evil stuff by replacing /root/.bashrc for example.

And the next time an admin logged in the script would run.

If you require running X as root then you will need to put SELinux into permissive mode.  In F12 we are now preventing users from logging in as root from GDM because it is so dangerous from a security point of view.

Imagine running firefox as root and what problems it can cause.
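Paul asked what to look for; as an added example (not from the thread), here is a POSIX shell helper that parses AVC denial lines of the kind behind the "potentially mislabeled files (/root)" alert and tells a genuine mislabel (relabeling fixes it) apart from a denial where the label is already correct (a policy decision, as Dan describes for /root). The sample AVC line is constructed; the domain xdm_t for gdm-session-worker and the type admin_home_t for /root are the Fedora policy labels assumed here.

```shell
#!/bin/sh
# Constructed sample AVC denial, shaped like the one behind the alert in the
# thread: the GDM session worker (domain xdm_t) denied write access to /root,
# whose correct label type under Fedora policy is admin_home_t.
SAMPLE_AVC='type=AVC msg=audit(1258390000.123:456): avc:  denied  { write } for  pid=1234 comm="gdm-session-wor" name="root" dev=dm-0 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped) from an AVC line.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: print the SELinux type, the third field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perm LINE: print the denied permission(s) inside the braces, e.g. "write".
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'; }

# classify_avc LINE EXPECTED_TYPE:
#   mislabel - the target's type differs from what policy expects for the path,
#              so 'restorecon' on the path would make the denial go away
#   policy   - the label already matches; the denial is deliberate policy, as
#              with a confined domain writing to /root (admin_home_t)
#   other    - the line is not an AVC denial at all
classify_avc() {
  line=$1; expected=$2
  case $line in *avc:*denied*) ;; *) echo other; return 0;; esac
  target=$(ctx_type "$(avc_field "$line" tcontext)")
  if [ "$target" = "$expected" ]; then echo policy; else echo mislabel; fi
}

# report_avc LINE EXPECTED_TYPE: one-line human summary of a denial.
report_avc() {
  printf '%s denied {%s} on %s: %s -> %s (%s)\n' \
    "$(avc_field "$1" comm)" "$(avc_perm "$1")" "$(avc_field "$1" tclass)" \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" "$(classify_avc "$1" "$2")"
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r l; do report_avc "$l" admin_home_t; done
```

On a live Fedora system the expected type for a path comes from `matchpathcon -n /root | cut -d: -f3` and the real denials from `ausearch -m avc -c gdm-session-wor --raw`, fed to `report_avc` one line at a time; a "policy" result means relabeling will not help and only permissive mode or not logging in as root from GDM will, exactly as the reply above says.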
