View Issue Details

ID: 0012422
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-07-18 04:54
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0012422: SELinux is preventing /usr/libexec/gdm-session-worker from 'create' accesses on the directory gdm.

Description
Description of problem:
Just booting the workstation up.
SELinux is preventing /usr/libexec/gdm-session-worker from 'create' accesses on the directory gdm.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow gdm-session-worker to have create access on the gdm directory
Then you need to change the label on gdm
# semanage fcontext -a -t FILE_TYPE 'gdm'
where FILE_TYPE is one of the following: abrt_var_cache_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, faillog_t, fonts_cache_t, gconf_home_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, locale_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, pam_var_run_t, user_tmp_t, var_auth_t, xdm_home_t, xdm_log_t, xdm_spool_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t.
Then execute:
restorecon -v 'gdm'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that gdm-session-worker should be allowed create access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -i my-gdmsessionwor.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects gdm [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host (removed)
Source RPM Packages gdm-3.14.2-19.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.2.2.el7.x86_64 #1 SMP
                              Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64
Alert Count 4
First Seen 2016-12-17 12:25:23 CST
Last Seen 2016-12-17 16:39:28 CST
Local ID 7fe73b66-b749-4fc7-83e8-999bfbd51fe1

Raw Audit Messages
type=AVC msg=audit(1482014368.27:172): avc: denied { create } for pid=2890 comm="gdm-session-wor" name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir

type=SYSCALL msg=audit(1482014368.27:172): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fcc47ba7fa0 a1=1c0 a2=7fcc47ba7fc5 a3=7ffd0e0674f0 items=0 ppid=2877 pid=2890 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=1 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdm-session-wor,xdm_t,usr_t,dir,create

Version-Release number of selected component:
Additional Information
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.2.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.




2019-07-18 04:54

reporter   ~0034841

Another user experienced a similar problem:

It takes me to a black screen when I turn off my laptop,
and gdm is not authorized to make changes in gdm-session-worker.

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-957.21.3.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.12.noarch
reason: SELinux is preventing /usr/libexec/gdm-session-worker from 'create' accesses on the directory gdm.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History

Date Modified Username Field Change
2016-12-17 22:48 drifus New Issue
2019-07-18 04:54 afzal44 Note Added: 0034841