from logwatch
--------------------- Kernel Begin ------------------------
WARNING: Kernel Errors Present type=1400 audit(1276553951.414:525): avc: denied { read append } for pid=2526 comm="polkit-agent-he" path="/home/user/.xsession-errors" dev=dm-7 ino=2 ...: 1 Time(s)
---------------------- Kernel End -------------------------
selinux-policy-3.7.19-28.fc13.noarch (from koji) kernel-PAE-2.6.33.5-128.fc13.i686 (from Koji)
On Tue, Jun 15, 2010 at 09:38:47AM +0100, Frank Murphy wrote:
from logwatch
--------------------- Kernel Begin ------------------------
WARNING: Kernel Errors Present type=1400 audit(1276553951.414:525): avc: denied { read append } for pid=2526 comm="polkit-agent-he" path="/home/user/.xsession-errors" dev=dm-7 ino=2 ...: 1 Time(s)
That is not enough information. You may be able to retrieve the complete avc denial with the following command:
ausearch -m avc -ts yesterday | grep polkit | grep xsession
The AVC denials have information that is required to determine what happened.
---------------------- Kernel End -------------------------
selinux-policy-3.7.19-28.fc13.noarch (from koji) kernel-PAE-2.6.33.5-128.fc13.i686 (from Koji)
-- Regards,
Frank Murphy UTF_8 Encoded Friend of Fedora -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
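Added example, not part of the thread: a small Python check of why the logwatch line above is "not enough information". It parses an AVC message and reports which of scontext, tcontext and tclass are absent. The second sample record is constructed, and its context values are placeholders rather than the real denial.

```python
import re

# What a policy author needs beyond the logwatch summary: who acted
# (scontext), the label acted upon (tcontext) and the object class (tclass).
REQUIRED = ("scontext", "tcontext", "tclass")

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The truncated line exactly as logwatch reported it in the thread.
TRUNCATED = (
    'type=1400 audit(1276553951.414:525): avc: denied { read append } for '
    'pid=2526 comm="polkit-agent-he" path="/home/user/.xsession-errors" '
    'dev=dm-7 ino=2 ...: 1 Time(s)'
)

# Constructed sample of a complete record; the contexts are placeholders.
FULL = (
    'type=AVC msg=audit(0000000000.000:1): avc:  denied  { read append } for  '
    'pid=1 comm="example" path="/home/user/.xsession-errors" dev=dm-7 ino=2 '
    'scontext=example_u:example_r:example_domain_t:s0 '
    'tcontext=example_u:object_r:example_file_t:s0 tclass=file'
)


def parse_avc(line):
    """Parse one AVC message into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    record = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        record[key] = value.strip('"')
    return record


def missing_fields(record):
    """List the fields needed for policy analysis that the record lacks."""
    return [name for name in REQUIRED if name not in record]


if __name__ == "__main__":
    for label, line in (("logwatch", TRUNCATED), ("complete", FULL)):
        rec = parse_avc(line)
        print(label, rec["perms"], "missing:", missing_fields(rec) or "nothing")
```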
On 15/06/10 09:46, Frank Murphy wrote:
On 15/06/10 09:44, Dominick Grift wrote:
ausearch -m avc -ts yesterday | grep polkit | grep xsession
# ausearch -m avc -ts yesterday | grep polkit | grep xsession
<no matches>
Opening up the xsession file:
(polkit-gnome-authentication-agent-1:2099): GLib-GObject-WARNING **: cannot register existing type `_PolkitError'
(polkit-gnome-authentication-agent-1:2099): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
GNOME_KEYRING_CONTROL=/tmp/keyring-fIyflf
SSH_AUTH_SOCK=/tmp/keyring-fIyflf/ssh
On 15/06/10 09:44, Dominick Grift wrote:
The AVC denials have information that is required to determine what happened.
On Tue, Jun 15, 2010 at 10:54:23AM +0100, Frank Murphy wrote:
On 15/06/10 09:44, Dominick Grift wrote:
The AVC denials have information that is required to determine what happened.
Unfortunately I cannot find the corresponding AVC denial in the pastebin above.
On 06/15/2010 11:54 AM, Frank Murphy wrote:
On 15/06/10 09:44, Dominick Grift wrote:
The AVC denials have information that is required to determine what happened.
Frank,
run
# restorecon -R -v /home
Should fix.
Other issues, which are caused by hal leaking file descriptors, will fix in selinux-policy-3.7.19-29.fc13.
On Tue, Jun 15, 2010 at 09:38:47AM +0100, Frank Murphy wrote:
from logwatch
--------------------- Kernel Begin ------------------------
WARNING: Kernel Errors Present type=1400 audit(1276553951.414:525): avc: denied { read append } for pid=2526 comm="polkit-agent-he" path="/home/user/.xsession-errors" dev=dm-7 ino=2 ...: 1 Time(s)
---------------------- Kernel End -------------------------
Alright, well, since I do not have sufficient information, here is what I suspect may be required:
mkdir ~/mypolkit; cd ~/mypolkit;
echo "policy_module(mypolkit, 1.0.0)" > mypolkit.te;
echo "require { type policykit_auth_t; }" >> mypolkit.te;
echo "xserver_append_xdm_home_files(policykit_auth_t)" >> mypolkit.te;
make -f /usr/share/selinux/devel/Makefile mypolkit.pp
sudo semodule -i mypolkit.pp
But again: I am not sure if this is what is actually needed. I need to see the full AVC denial instead of only part of an AVC denial to be able to properly determine what is required.
selinux-policy-3.7.19-28.fc13.noarch (from koji) kernel-PAE-2.6.33.5-128.fc13.i686 (from Koji)
On 15/06/10 10:14, Dominick Grift wrote:
But again: I am not sure if this is what is actually needed. I need to see the full AVC denial instead of only part of an AVC denial to be able to properly determine what is required.
Unfortunately no sealerts are jumping up. I will put up an fpaste of audit.log, though it seems to be quite big.