Bug 505408

Summary: SELinux error on logout - SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t.
Product: Fedora
Reporter: Tim Scofield <twscofi>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 11
CC: dwalsh, jkubin, mgrepl, nalin
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clone Of: 503061
Last Closed: 2009-06-11 21:49:34 UTC

Description Tim Scofield 2009-06-11 19:41:24 UTC
+++ This bug was initially created as a clone of Bug #503061 +++
Bug #503061 was - SELinux policy prevents krb5 logins

Description of problem:
Get the following error on logout.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-44.fc11.noarch

How reproducible: Very

Steps to Reproduce:
1. Login to KDE then logout

Actual results:
Get selinux alert on logout

Expected results:
No selinux alerts on logout

Additional info:
Copied the following information from seaudit -g :
Summary:

SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is required by kdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information:
Source Context:  system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:bootloader_exec_t:s0
Target Objects:  grub [ file ]
Source:  kdm
Source Path:  /usr/bin/kdm
Port:  <Unknown>
Host:  hostname.deleted
Source RPM Packages:  kdm-4.2.3-5.fc11
Target RPM Packages:
Policy RPM:  selinux-policy-3.6.12-44.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  hostname.deleted
Platform:  Linux hostname.deleted 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count:  6
First Seen:  Wed 03 Jun 2009 09:12:39 AM MDT
Last Seen:  Thu 11 Jun 2009 10:25:48 AM MDT
Local ID:  53dfc5c0-9319-4b81-a5b1-9f832b6f0f54
Line Numbers:

Raw Audit Messages:

node=hostname.deleted type=AVC msg=audit(1244737548.319:27226): avc: denied { execute } for pid=1978 comm="kdm" name="grub" dev=dm-0 ino=60363 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file

node=hostname.deleted type=SYSCALL msg=audit(1244737548.319:27226): arch=c000003e syscall=21 success=no exit=-13 a0=7fffaa72d966 a1=1 a2=0 a3=10 items=0 ppid=1 pid=1978 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Tim Scofield 2009-06-11 20:01:35 UTC
Unlike the previous, copied Bug #503061, this one is limited to KDE.

Comment 2 Daniel Walsh 2009-06-11 21:49:34 UTC
This is not supported by SELinux; if you want to add this support you can do so using audit2allow.

Allowing the login screen to modify grub without logging in is considered by the selinux security team to be a security problem, which is why it is turned off by default.
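The raw AVC record quoted in the description and the advice in Comment 2 point in the same direction: a denial like this one should be read and classified before anyone feeds it to audit2allow, because the policy is blocking it on purpose. The following is an added example, not code from this bug, from setroubleshoot, or from the Fedora SELinux policy. It parses AVC records out of an audit log (the two lines from this report, rejoined onto single lines, plus one constructed AVC line for contrast), pulls out the source and target types, and flags the xdm_t "execute" bootloader_exec_t pattern as a deliberate block rather than something to allow. The INTENTIONAL_DENIALS list, the verdict names and the constructed third line are assumptions of the example.

```python
"""Parse SELinux AVC records and triage denials before anyone reaches for audit2allow.

Added example for this bug report; not part of the report, setroubleshoot or the
Fedora SELinux policy. Sample lines: the two audit records quoted in the report plus
one constructed AVC line for contrast.
"""
import re
from dataclasses import dataclass

# One AVC record per line, as auditd writes it (a leading "node=..." is tolerated).
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for": values are double-quoted (comm="kdm") or bare (pid=1978).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    perms: list
    fields: dict

    @staticmethod
    def _type_of(context):
        # A security context is user:role:type[:range]; the type is the third field.
        parts = context.split(":")
        return parts[2] if len(parts) > 2 else ""

    @property
    def source_type(self):
        return self._type_of(self.fields.get("scontext", ""))

    @property
    def target_type(self):
        return self._type_of(self.fields.get("tcontext", ""))


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        perms=m.group("perms").split(),
        fields=fields,
    )


# Denials the policy makes on purpose: (source type, target type, class, permission, reason).
# The xdm_t -> bootloader_exec_t entry is the case from this bug; the list itself is an
# assumption of this example, not a policy artifact.
INTENTIONAL_DENIALS = [
    ("xdm_t", "bootloader_exec_t", "file", "execute",
     "display manager running the bootloader before anyone logs in: kept blocked, do not allow"),
]


def triage(rec):
    """Return ('do_not_allow', why) for a known intentional block, else ('review', why)."""
    for src, tgt, tclass, perm, reason in INTENTIONAL_DENIALS:
        if (rec.source_type == src and rec.target_type == tgt
                and rec.fields.get("tclass") == tclass and perm in rec.perms):
            return "do_not_allow", reason
    return "review", "not a known intentional block; understand it before writing a local module"


def triage_log(lines):
    """Return (serial, verdict, summary) for each denied AVC record in an audit log."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != "denied":
            continue
        verdict, _ = triage(rec)
        summary = "%s (pid %s) %s %s %s:%s" % (
            rec.fields.get("comm", "?"), rec.fields.get("pid", "?"),
            rec.source_type, " ".join(rec.perms), rec.target_type, rec.fields.get("tclass", "?"))
        results.append((rec.serial, verdict, summary))
    return results


SAMPLE_LOG = [
    # The AVC and SYSCALL records quoted in the bug report, rejoined onto single lines.
    'node=hostname.deleted type=AVC msg=audit(1244737548.319:27226): avc: denied { execute } for pid=1978 comm="kdm" name="grub" dev=dm-0 ino=60363 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file',
    'node=hostname.deleted type=SYSCALL msg=audit(1244737548.319:27226): arch=c000003e syscall=21 success=no exit=-13 a0=7fffaa72d966 a1=1 a2=0 a3=10 items=0 ppid=1 pid=1978 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    # Constructed for contrast: same domain, a read of a file labelled etc_t.
    'type=AVC msg=audit(1244737600.000:27300): avc: denied { read } for pid=1978 comm="kdm" name="hosts" dev=dm-0 ino=12345 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for serial, verdict, summary in triage_log(SAMPLE_LOG):
        print(serial, verdict, summary)
```

Run against a real log, the same loop would iterate over `ausearch -m avc` output or /var/log/audit/audit.log; the point of the INTENTIONAL_DENIALS table is that a "do_not_allow" verdict ends the discussion, while a "review" verdict still only means a human reads the record before any audit2allow module is built.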