fedora-selinux August 2010 archive

Re: Issue with Gnome setting?

From: Dominick Grift <domg472_at_nospam>
Date: Fri Aug 27 2010 - 18:43:30 GMT
To: selinux@lists.fedoraproject.org

On 08/27/2010 08:34 PM, Daniel B. Thurman wrote:
>
> Yes, I know F9 is obsolete but I still use it!
>
> BTW: for some reason I am not getting back selinux emails that I posted,
> which is why I sent it twice - was there a burp in the mailing
> system?
>
> Just need to figure out what this means and a fix for it please?
> =================================================
> Summary:
>
> SELinux is preventing the gnome-settings- from using potentially mislabeled
> files (socket).
>
> Detailed Description:
>
> SELinux has denied gnome-settings- access to potentially mislabeled file(s)
> (socket). This means that SELinux will not allow gnome-settings- to use these
> files. It is common for users to edit files in their home directory or tmp
> directories and then move (mv) them to system directories. The problem is that
> the files end up with the wrong file context which confined applications are not
> allowed to access.
>
> Allowing Access:
>
> If you want gnome-settings- to access this files, you need to relabel them using
> restorecon -v 'socket'. You might want to relabel the entire directory using
> restorecon -R -v '<Unknown>'.
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:object_r:tmp_t:s0
> Target Objects socket [ sock_file ]
> Source gnome-settings-
> Source Path /usr/libexec/gnome-settings-daemon
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-135.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name home_tmp_bad_labels
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com
> 2.6.27.25-78.2.56.fc9.i686 #1
> SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
> Alert Count 378
> First Seen Fri 27 Aug 2010 11:09:22 AM PDT
> Last Seen Fri 27 Aug 2010 11:09:26 AM PDT
> Local ID bdb33ade-aa41-4dec-a430-ae0ad4594254
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1282932566.767:3581): avc:
> denied { read write } for pid=3079 comm="gnome-settings-"
> name="socket" dev=sda8 ino=245843
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

That is pulseaudio. Well, strictly speaking it's the gnome settings daemon,
but in gnome, pulseaudio is kind of integrated into the settings daemon.

Basically it wants to read/write the socket in /tmp/.esd*

I am not certain though if /tmp/.esd* should be labelled tmp_t or
user_tmp_t, and so I think it is best if you can see if you can
reproduce this issue before I suggest a patch.

Basically what you would do is:

rm -rf /tmp/.esd*
rm -rf /tmp/pulse
rm -rf ~/.pulse-cookie
rm -rf ~/.Pulse
rm -rf ~/.esd_auth

Then reboot and see with what type the pulseaudio objects in /tmp were
created.

I run a modified policy in which pulseaudio runs in the gnome settings
daemon security domain. I basically did that to make sure the paths
above always get labelled properly, whether you start pulseaudio manually
or via gnome.

> =================================================
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
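The reply above boils down to two steps: read the AVC record to see which domain was denied what on which type, then (after clearing the pulseaudio state and rebooting) look at the labels the /tmp objects actually got. The following shell snippet is an added example, not code from the thread or from Fedora's policy: it pulls the source type, target type, object class and denied permissions out of an AVC line (the sample record is constructed from the one quoted in the thread), and provides a helper that lists the labels of the paths named in the reply. It assumes GNU coreutils `ls -Z`; the parsing functions run anywhere.

```shell
#!/bin/sh
# Parse an SELinux AVC denial into the fields a reader needs to reason about it.
# Constructed sample record, copied from the denial quoted earlier in this thread.
AVC='node=gold.cdkkt.com type=AVC msg=audit(1282932566.767:3581): avc: denied { read write } for pid=3079 comm="gnome-settings-" name="socket" dev=sda8 ino=245843 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file'

# avc_field RECORD KEY: value of the first KEY=VALUE token, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# avc_perms RECORD: the space-separated permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated field) of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line in the form
#   <source type> (<comm>) denied <perms> on <target type> <class>
# so the denial reads as a sentence instead of a wall of key=value pairs.
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s (%s) denied %s on %s %s\n' \
        "$src" "$(avc_field "$1" comm)" "$(avc_perms "$1")" "$tgt" "$(avc_field "$1" tclass)"
}

# show_tmp_labels: after the cleanup and reboot suggested in the reply, show the
# type each recreated pulseaudio object in /tmp received. Only meaningful on an
# SELinux host; not invoked here so the script runs offline.
show_tmp_labels() {
    ls -Zd /tmp/.esd* /tmp/pulse* 2>/dev/null
}

avc_summary "$AVC"
# prints: xdm_t (gnome-settings-) denied read write on tmp_t sock_file
```

On the host in the thread, `avc_summary` makes the question in the reply concrete: the xdm_t domain wants read/write on a sock_file typed tmp_t, and `show_tmp_labels` after the reboot tells you whether the freshly created /tmp/.esd* and /tmp/pulse objects come back as tmp_t or user_tmp_t, which is exactly what decides how a policy fix should be written.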