Bug 469106

Summary: SELinux denial with KDE's "leave" (kdemenu)
Product: [Fedora] Fedora
Reporter: Sandro Mathys <red>
Component: kdebase
Assignee: Than Ngo <than>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: rawhide
CC: dwalsh, jkubin, jreznik, kevin, lorenzo, ltinkl, mgrepl, rdieter, than, tuxbrewr
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-30 18:18:53 UTC

Description Sandro Mathys 2008-10-29 21:42:27 UTC
Description of problem:
Upon clicking 'leave' in the kdemenu (or whatever it's called in kde4), I get a SELinux denial.

Version-Release number of selected component (if applicable):
- Fedora 10 S3 (installed from KDE LiveCD-ISO on USB-key), updated to latest
rawhide
- selinux-policy-3.5.13-8.fc10.noarch


How reproducible:
Always.

Steps to Reproduce:
1. Open the kdemenu (I'm using the 'traditional' one)
2. Click 'leave'
  
Actual results:
SELinux denial

Expected results:
No SELinux denial

Additional info:
In the 'Login Manager' (started from the 'System Settings') on tab 'Shutdown (5)', I manually set 'Boot manager' to 'Grub' previously.
---------------
Summary:

SELinux is preventing kdm (xdm_t) "execute" to ./grub (bootloader_exec_t).

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./grub,

restorecon -v './grub'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bootloader_exec_t:s0
Target Objects                ./grub [ file ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          nebuchadnezzar
Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-8.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     nebuchadnezzar
Platform                      Linux nebuchadnezzar 2.6.27.4-51.fc10.i686 #1 SMP
                              Sun Oct 26 21:04:43 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 29 Oct 2008 10:39:29 PM CET
Last Seen                     Wed 29 Oct 2008 10:41:29 PM CET
Local ID                      2b9bd3e7-38c7-44fa-9572-71d0c275c7f0
Line Numbers                  

Raw Audit Messages            

node=nebuchadnezzar type=AVC msg=audit(1225316489.528:79): avc:  denied  { execute } for  pid=2475 comm="kdm" name="grub" dev=dm-1 ino=19639 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file

node=nebuchadnezzar type=SYSCALL msg=audit(1225316489.528:79): arch=40000003 syscall=33 success=no exit=-13 a0=bff3370d a1=1 a2=bff36f8e a3=bff36f89 items=0 ppid=1 pid=2475 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Rex Dieter 2008-10-30 15:22:50 UTC
I'm unable to reproduce this

Have you modified your system in any way?  3rd party software/drivers, or modified kdm's configuration?

Comment 2 Sandro Mathys 2008-10-30 17:07:32 UTC
I added the Livna/RPM Fusion Repos and installed some pkgs from there, yes. But nothing for kdm, kde or grub. No drivers. Nothing modified except for what I stated above (Additional Information).

Is there an easy way to see what packages I installed from those repos? If that information is important to this problem.

Comment 3 Rex Dieter 2008-10-30 17:19:00 UTC
> Is there an easy way to see what packages I installed from those repos?

rpm -qa --qf "%{name} %{vendor}\n" | grep "RPM Fusion"

rpm -qa --qf "%{name} %{vendor}\n" | grep "rpm.livna.org"

Comment 4 Rex Dieter 2008-10-30 17:19:10 UTC
> Is there an easy way to see what packages I installed from those repos?

rpm -qa --qf "%{name} %{vendor}\n" | grep "RPM Fusion"

rpm -qa --qf "%{name} %{vendor}\n" | grep "rpm.livna.org"

Comment 5 Daniel Walsh 2008-10-30 17:49:45 UTC
I know kdm used to try to modify the grub entry by executing grubby but that was supposedly turned off.

Comment 6 Rex Dieter 2008-10-30 17:59:16 UTC
Fwiw, it was never turned on... we explored the possibility of enabling it... (but that idea was NACK'd due to security concerns)

Comment 7 Sandro Mathys 2008-10-30 18:00:26 UTC
$ rpm -qa --qf "%{name} %{vendor}\n" | grep -v "Fedora Project"
adobe-release-i386 Adobe Systems Inc.
rpmfusion-free-release RPM Fusion
gpg-pubkey (none)
rootfiles Red Hat, Inc.
rpmfusion-nonfree-release RPM Fusion
htmlview Koji
flash-plugin Adobe Systems Inc.
gpg-pubkey (none)
livna-release rpm.livna.org

---

I'm not sure if that's related or if I should file that as a new bug:
If I start the "Login Manager" from the "System Settings" I'm asked for the root pwd by "KDE su". After I provide that, the application starts. When I then click "OK" (it doesn't matter whether I made some changes; "Apply" doesn't change anything, either), KDE su brings up a dialog: "Command '/usr/bin/kcmshell4 kdm --lang en_US' not found." (the command I initially gave the password for).

Comment 8 Rex Dieter 2008-10-30 18:02:53 UTC
Sandro, to check for sure what Dan is talking about, look for
BootManager=
in /etc/kde/kdm/kdmrc
it should say
BootManager=None
changing to
BootManager=Grub
will yield selinux denials and is unsupported.

Comment 9 Rex Dieter 2008-10-30 18:03:35 UTC
The "lang... not found" error is known and already reported,

Comment 10 Sandro Mathys 2008-10-30 18:17:13 UTC
$ cat /etc/kde/kdm/kdmrc | grep BootManager
BootManager=Grub

---

I changed that manually to "None" and logged out / in again -> denial has gone.

That's btw the thing that I mentioned in my initial post:
"Additional info:
In the 'Login Manager' (started from the 'System Settings') on tab 'Shutdown
(5)', I manually set 'Boot manager' to 'Grub' previously."

Changing the value there from 'None' to 'Grub' makes the change in kdmrc that produced this problem.

Comment 11 Kevin Kofler 2008-10-30 22:33:55 UTC
If you really want to be able to use that option, you have to either turn off SELinux or customize it (maybe try audit2allow) to allow this. It is turned off for security reasons and the SELinux policy maintainers decided against enabling it (and there's nothing which can be done in KDE to avoid this, it is the very action you're trying to perform which is blocked by design).
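As an added example, not part of this bug report nor of KDE, Fedora or selinux-policy code, the script below ties Comment 8 and Comment 11 together: it parses the raw AVC record from the Description into its source type, target type, object class and permission, reads the BootManager value from the [Shutdown] section of a kdmrc, and reports whether the denial is the expected consequence of BootManager being set to something other than None. It also prints the type-enforcement rule that an audit2allow-generated module would contain for this AVC, which is the unsupported workaround Kevin mentions. The AVC line is copied from the report; the kdmrc fragment is constructed for the example, and the audit2allow output format is stated as an assumption.

```python
import re
from configparser import ConfigParser

# The raw AVC record from this report (Description, "Raw Audit Messages").
AVC_LINE = (
    'node=nebuchadnezzar type=AVC msg=audit(1225316489.528:79): avc:  denied  '
    '{ execute } for  pid=2475 comm="kdm" name="grub" dev=dm-1 ino=19639 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file'
)

# Constructed kdmrc fragment (hypothetical; only the [Shutdown] keys matter here).
KDMRC_SAMPLE = """[General]
ConfigVersion=2.4

[Shutdown]
HaltCmd=/sbin/halt
RebootCmd=/sbin/reboot
BootManager=Grub
"""

_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one audit AVC record into the fields that matter for triage.

    Returns None for non-AVC records (e.g. the paired SYSCALL line).
    """
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        # The type is the third colon-separated field of an SELinux context.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
    }


def allow_rule(rec):
    """Type-enforcement rule audit2allow would derive from this AVC.

    Assumption: a single permission is printed without braces, as audit2allow does.
    """
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perm_str};"


def kdmrc_boot_manager(text):
    """Return the BootManager value from the [Shutdown] section, 'None' if unset."""
    cp = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # kdmrc keys are case-sensitive; keep them verbatim
    cp.read_string(text)
    return cp.get('Shutdown', 'BootManager', fallback='None')


def triage(avc_line, kdmrc_text):
    """Decide whether the denial is the expected effect of BootManager != None."""
    rec = parse_avc(avc_line)
    boot_manager = kdmrc_boot_manager(kdmrc_text)
    expected = (
        rec is not None
        and rec['source_type'] == 'xdm_t'
        and rec['target_type'] == 'bootloader_exec_t'
        and 'execute' in rec['perms']
        and boot_manager != 'None'
    )
    return {
        'avc': rec,
        'boot_manager': boot_manager,
        'caused_by_bootmanager': expected,
        # Supported fix: the option is unsupported on Fedora, so switch it back.
        'fix': 'set BootManager=None in [Shutdown] of /etc/kde/kdm/kdmrc' if expected else None,
        # What an audit2allow module would grant: it lets the display manager run the
        # bootloader, exactly the access the policy maintainers chose not to allow.
        'unsupported_rule': allow_rule(rec) if rec else None,
    }


if __name__ == '__main__':
    result = triage(AVC_LINE, KDMRC_SAMPLE)
    print(result['avc'])
    print('BootManager =', result['boot_manager'])
    print('caused by BootManager:', result['caused_by_bootmanager'])
    print('fix:', result['fix'])
    print('audit2allow-style rule (unsupported):', result['unsupported_rule'])
```

The check deliberately keys on the source type (xdm_t), the target type (bootloader_exec_t) and the execute permission rather than on the process name, so it would also flag the same denial from another display manager running in xdm_t. The generated allow rule is shown only so that the scope of the workaround is visible: it is a standing grant that lets the display-manager domain execute bootloader binaries, not a one-off fix.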