-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joe Smith wrote: > Last week, I was doing an X server update and I wanted to test the > config. I wanted to run X as a normal user, so (logged in as root) I did > this: > > # (su - joe -c "xinit -- :1 >x.log.my 2>&1") > > Some time after that (I think it was the next day, after a reboot), I > got a flag from setroubleshoot: > > Nov 6 21:25:09 duros setroubleshoot: SELinux is preventing the > /sbin/modprobe from using potentially mislabeled files > (/home/joe/x.log.my). For complete SELinux messages. run ... > > At the time, I just removed the log file (I didn't need it anymore) and > forgot about it, but it kept bugging me: > > Why was this flagged as an access problem? The file was not owned by > root--it was created under a normal user's environment. > > What was modprobe doing (or trying to do) with a file in a user's home > directory? > > Hmmm... > > <Joe > You redirected stdout/stderr to a file labeled user_home_t and started the Xserver. From that point on ever app that starts by default get its stdout/stderr redirected to user_home_t. The kernel checks when confined apps start up whether they have read/write access to all open file descriptors including stderr/stdout. So eventually modprobe gets executed while in your X session. The kernel sees that you need read/write to user_home_t, and it says that is not allowed generating the AVC. The kernel then closes the file descriptor and reopens stderr/stdout to /dev/null. So You can safely ignore this avc. modprobe was not trying to do anything evil. This is the most common source of AVC's in SELinux and something we would like to be able to eliminate. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHOx8xrlYvE4MpobMRAmonAKC1Oe961GlU582IL8UrQ08jNCr+LQCg3lf2 Ze7mAE7/g1I1wZZHbTvSSy4= =oA5s -----END PGP SIGNATURE-----