Bug 524583
| Summary: | setroubleshoot: SELinux is preventing the /usr/bin/kdm from using potentially mislabeled files (/home/mef/.Xauthority-c). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mary Ellen Foster <mefoster> |
| Component: | kdebase-workspace | Assignee: | Than Ngo <than> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, fedora, fedora, jreznik, kevin, lorenzo, ltinkl, mgrepl, olivares14031, rdieter, rstrode, sergei.litvinenko, smparrish, than |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:1840583d795c35ffed8153f9d359d1042cca1dedf42488950a7683acefd84fbc | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-21 15:15:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
SELinux does not handle have two files written in the same directory at the same time with different security labels. I the case of kdm it is trying to write .xsession-errors and .Xauthority* .xsession-errors has to allow all processes in the user domain to write to it, since this is where they report their errors. .Xauthority wants very few processes to write to it, and most need to read. So I label them differently xauth_home_t and xdm_home_t. xdm was changed to write the Xauth file in /var/run/ echo $XAUTHORITY /var/run/gdm/auth-for-dwalsh-m67cxI/database I believe this solves other problems also, around kerberized NFS. Can we` get kdm to do something similar? Maybe? kdmrc contains the option: # Where to store authorization files. # Default is "/var/run/xauth" #AuthDir=/tmp it's putting something in /var/run/xauth on my box (though, oops, that's currently an unowned directory). Fwiw, is this something new to F-12? I don't see any selinux-related issues on my F-11 box. I don't know. But maybe this is an upgrade issue, so the user needs to change his defaults? This is not an upgrade install -- I installed the alpha freshly a few weeks ago and have been updating against Rawhide since. I have exactly the same content in my kdmrc as Rex mentions in Comment #2. Any preference for kdm using /var/run/xauth vs /var/run/kdm here? The latter would be easier for folks upgrading (no/less config change), if that makes any difference. There's also this option: # Where to put the user's X-server authorization file if ~/.Xauthority # cannot be created. # Default is "/tmp" #UserAuthDir= So, Dan, this is the one you'd rather be in /var/run somewhere too? I would rather /var/run/kdm, since I think we already have the correct label there. okie dokie, fixed in kde-settings-kdm-4.3-9 %changelog * Mon Sep 21 2009 Rex Dieter <rdieter> - 4.3-9 - kdmrc: ForceUserAuthDir=true (#524583) * Mon Sep 21 2009 Rex Dieter <rdieter> - 4.3-8 - kdmrc: use /var/run/kdm for pid/xauth (#524583) *** Bug 527843 has been marked as a duplicate of this bug. *** *** Bug 566582 has been marked as a duplicate of this bug. *** |
The following was filed automatically by setroubleshoot: Summary: SELinux is preventing the /usr/bin/kdm from using potentially mislabeled files (/home/mef/.Xauthority-c). Detailed Description: SELinux has denied kdm access to potentially mislabeled file(s) (/home/mef/.Xauthority-c). This means that SELinux will not allow kdm to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want kdm to access this files, you need to relabel them using restorecon -v '/home/mef/.Xauthority-c'. You might want to relabel the entire directory using restorecon -R -v '/home/mef'. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:xauth_home_t:s0 Target Objects /home/mef/.Xauthority-c [ file ] Source kdm Source Path /usr/bin/kdm Port <Unknown> Host (removed) Source RPM Packages kdm-4.3.1-3.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.31-3.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name (removed) Platform Linux (removed) 2.6.31-2.fc12.i686 #1 SMP Thu Sep 10 00:41:03 EDT 2009 i686 i686 Alert Count 6 First Seen Tue 15 Sep 2009 02:35:21 PM BST Last Seen Mon 21 Sep 2009 10:57:48 AM BST Local ID 33c5b4da-0121-49c8-9888-11c87ac4dbcc Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1253527068.628:27): avc: denied { unlink } for pid=1457 comm="kdm" name=".Xauthority-c" dev=sda5 ino=66 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1253527068.628:27): arch=40000003 syscall=10 success=no exit=-13 a0=bfaa12bb a1=0 a2=112bb8 a3=1 items=0 ppid=1417 pid=1457 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) audit2allow suggests: #============= xdm_t ============== allow xdm_t xauth_home_t:file unlink;