View Issue Details

IDProjectCategoryView StatusLast Update
0015327CentOS-7selinux-policypublic2018-12-20 02:33
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0015327: SELinux is preventing /usr/libexec/gdm-session-worker from 'write' accesses on the file session.log.
DescriptionDescription of problem:
It happened on normal startup of CentOS and logging into an Xfce desktop.

Before Xfce showed up I had to switch Ctrl-Alt-F2 into text console and back with Alt-F1 into graphical console.
It did not show up automatically. I do not know if it is related or not.

(It happened before, not the 1st time... I just did not report it before - it may have started around June/July this year)
SELinux is preventing /usr/libexec/gdm-session-worker from 'write' accesses on the file session.log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gdm-session-worker should be allowed write access on the session.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -i my-gdmsessionwor.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects session.log [ file ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host (removed)
Source RPM Packages gdm-
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-862.11.6.el7.x86_64 #1 SMP
                              Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2018-09-26 20:41:06 CEST
Last Seen 2018-09-26 20:41:06 CEST
Local ID c83fdf3a-62e2-45e7-aec8-6e0627509c3f

Raw Audit Messages
type=AVC msg=audit(1537987266.413:153): avc: denied { write } for pid=1542 comm="gdm-session-wor" name="session.log" dev="sda7" ino=3813 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1537987266.413:153): arch=x86_64 syscall=ftruncate success=no exit=EACCES a0=b a1=0 a2=b a3=0 items=0 ppid=1500 pid=1542 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdm-session-wor,xdm_t,user_home_t,file,write

Version-Release number of selected component:
Additional Informationreporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-862.11.6.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.




2018-12-20 02:33

reporter   ~0033392

Another user experienced a similar problem:

This alert showed up when I logged in Desktop Environment session. I think it happens with any DE I use (Gnome, KDE, Xfce).

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-957.1.3.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.6.noarch
reason: SELinux is preventing /usr/libexec/gdm-session-worker from 'write' accesses on the file session.log.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History

Date Modified Username Field Change
2018-09-26 15:55 tester2 New Issue
2018-12-20 02:33 tester2 Note Added: 0033392