Write denied, but no write attempted!?!

I'm using xdm rather than gdm. SELinux prevents /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
(var_log_t). It happens once every time someone logs in or out. See
the attached mail from SETroubleshoot for an example.

To understand what is going on, I tried to strace the processes. But pam_console_apply doesn't attempt to write anything at all! See the attached (compressed) strace from pid 4480, the process mentioned in the SETroubleshoot mail.

Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that the open fd is inherited by pam_console_apply. But if the inheritance itself was disallowed, wouldn't it be a "use" that would be denied by SELinux rather than a "write"?

What am I missing?

(The system is not up-to-date. It is possible this message would go
away with an upgrade. I'm not looking for a way to get rid of the message here, I'm trying to understand what is going on.)

-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

• This message: [ Message body ]
• Next message: Stephen Smalley: "Re: Write denied, but no write attempted!?!"
• Previous message: Steven Stromer: "Error: setroubleshootd dead but subsys locked"
• Next in thread: Stephen Smalley: "Re: Write denied, but no write attempted!?!"
• Reply: Stephen Smalley: "Re: Write denied, but no write attempted!?!"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]