> The message I'm now seeing in /var/log/audit/audit.log :
>
> type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for
> pid=8218 comm="xauth" name="caw" dev=md1 ino=262145
> scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
> type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217
> pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth"
> subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
You may try to add the following rules to your local policy, but do you
really need this? It seems like you shouldn't have any problems with
non-root accounts.
module local 1.0;
require {
type xauth_t;
type home_root_t;
class dir write;
}
#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following
types:
# user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t,
user_home_dir_t, tmp_t, user_tmp_t, nx_server_var_lib_t, nfs_t
allow xauth_t home_root_t:dir write;