-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/25/2013 09:03 AM, ????????? ???????? wrote:
>> The message I'm now seeing in /var/log/audit/audit.log :
>>
>> type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for
>> pid=8218 comm="xauth" name="caw" dev=md1 ino=262145
>> scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL
>> msg=audit(1385112688.399:67769): arch=c000003e syscall=2 success=no
>> exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 pid=8218
>> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
>> fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth"
>> subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
>
> You may try to add the following rules to your local policy, but do you
> really need this? It seems like you shouldn't have any problems with
> non-root accounts.
>
> module local 1.0;
>
> require { type xauth_t; type home_root_t; class dir write; }
>
> #============= xauth_t ============== #!!!! The source type 'xauth_t' can
> write to a 'dir' of the following types: # user_home_t, xauth_tmp_t,
> var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t,
> nx_server_var_lib_t, nfs_t
>
> allow xauth_t home_root_t:dir write;
>
>
> _______________________________________________ CentOS mailing list
> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
>
No this is not correct. The problem is the parent directory should be
user_home_dir_t not home_root_t.
restorecon -R -v /home
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKTWjoACgkQrlYvE4MpobPBXQCeMk2Fh5Wz09xbQLaeI/ePmbfz
6FAAn2Q5RQWELYrSpf9qsEbLCet7Uska
=wZPk
-----END PGP SIGNATURE-----