Bug 252368

Summary:	kdm_greet denials
Product:	[Fedora] Fedora	Reporter:	Orion Poplawski <orion>
Component:	kdebase	Assignee:	Than Ngo <than>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	rawhide	CC:	dwalsh, rdieter
Target Milestone:	---	Keywords:	SELinux
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-10-01 12:11:45 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Orion Poplawski 2007-08-15 17:20:36 UTC

Description of problem:

Aug 15 10:46:40 lynx kernel: audit(1187196400.066:26): avc:  denied  { create }
for  pid=2902 comm="kdm_greet" name="kdm"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

and then lots of (goes through lots of .desktop files), probably leaked fd:

Aug 15 10:46:40 lynx kernel: audit(1187196400.085:27): avc:  denied  { write }
for  pid=2902 comm="kdm_greet" name="kde.desktop" dev=sda3 ino=342945
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
Aug 15 10:46:40 lynx kernel: audit(1187196400.171:29): avc:  denied  { write }
for  pid=2902 comm="kdm_greet" name="9wm.desktop" dev=sda3 ino=992296
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
....

Version-Release number of selected component (if applicable):
selinux-policy-3.0.5-7.fc8

Comment 1 Bug Zapper 2008-04-04 13:36:14 UTC

Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 2 Orion Poplawski 2008-04-06 03:48:15 UTC

A few are still present in rawhide:



type=1400 audit(1207452761.829:5): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="fontconfig" dev=sda5 ino=47912
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=1400 audit(1207452762.706:6): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="KdmGreeterTheme.desktop" dev=sda3 ino=136490
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1207452763.089:7): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="entry.desktop" dev=sda3 ino=185161
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452763.130:8): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="entry.desktop" dev=sda3 ino=15769
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452775.047:87): avc:  denied  { create } for  pid=3208
comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

Comment 3 Orion Poplawski 2008-04-06 04:03:12 UTC

Also get this at login:

type=1400 audit(1207452775.071:88): avc:  denied  { write } for  pid=3234
comm="lnusertemp" name="root" dev=sda3 ino=106497
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 4 Daniel Walsh 2008-04-06 10:46:25 UTC

/var/lib/kdm should be part of the kdm package and would there fore be labeled
correctly and not need to be created.

I will dontaudit the lnusertemp writing to the /root directory although this
seems strange.

I will allow it to manage fonts, allowing it to write to usr_t is a bit more
problematic.

The problem I have with a lot of this is giving a program that is run with not
authentication power to manipulate the machine seems very dangerous.

Comment 5 Kevin Kofler 2008-04-08 10:49:31 UTC

Already triaged, removing cleanup tag.

Comment 6 Orion Poplawski 2008-09-30 20:44:39 UTC

Still (back) in rawhide:

Sep 30 09:59:20 test kernel: type=1400 audit(1222790360.632:6): avc:  denied  { write } for  pid=2661 comm="kdm_greet" name="fontconfig" dev=dm-1 ino=40991 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir

Sep 30 10:00:06 test kernel: type=1400 audit(1222790406.262:8): avc:  denied  { write } for  pid=3056 comm="lnusertemp" name="root" dev=dm-0 ino=335873 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 7 Daniel Walsh 2008-10-01 12:11:45 UTC

Fixed in selinux-policy-3.5.9-3.fc10

Added dontaudits.