SELinux is preventing /usr/libexec/gdm-session-worker from create access on the directory gdm.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow polyinstantiation to enabled
Then you must tell SELinux about this by enabling the 'polyinstantiation_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P polyinstantiation_enabled 1
***** Plugin catchall (11.6 confidence) suggests **************************
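If you believe that gdm-session-worker should be allowed create access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.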
Do
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -i my-gdmsessionwor.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects gdm [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host localhost.localdomain
Source RPM Packages gdm-3.14.2-19.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-514.el7.x86_64
#1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2018-01-20 23:15:29 CST
Last Seen 2018-01-20 23:15:29 CST
Local ID 81677123-b61a-49aa-8c36-da835fdaada1
Raw Audit Messages
type=AVC msg=audit(1516461329.632:152): avc: denied { create } for pid=12497 comm="gdm-session-wor" name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1516461329.632:152): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fb4638f5f90 a1=1c0 a2=7fb4638f5fa0 a3=7fffa6a0fee0 items=0 ppid=12472 pid=12497 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash: gdm-session-wor,xdm_t,admin_home_t,dir,create