Bug 588130
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16.desktop. |
| Product | [Fedora] Fedora |
| Component | kdebase-workspace |
| Version | 12 |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | low |
| Hardware | x86_64 |
| OS | Linux |
| Reporter | ssabchew <ssabcew> |
| Assignee | Than Ngo <than> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | akurtako, artem.goncharov, atswartz, awilliam, bignikita, capkanada, carlg, cedricors, christoferbertonha, coder.tux, corentin.perard, dwalsh, edneymatias, fedora, fedora, frank, glux, jarin.franek, Jmlevick, jreznik, julian.fedora, kevin, l3mm1ng3, laurent.rineau__fedora, lcafiero, lebkidus, leigh123linux, lorenzo, ltinkl, magnus.tuominen, marcet, martin.nad89, mgrepl, mhlavink, mma.priv, nuovodna, orion, o.voves, pcormier, peluche20, pgueckel, piotrek.juzwiak, rdieter, redhatbugzilla, renault, rh-bugzilla, sandro, sasch.pe, smparrish, ssabcew, than, toddj1 |
| Whiteboard | setroubleshoot_trace_hash:f2c96ac51cd1b3079a9de5ca9ff56ccd67c04d92b78254da2b0ec7dfd4e71c79 |
| Doc Type | Bug Fix |
| Last Closed | 2010-07-16 21:44:24 UTC |
| Bug Blocks | 603202 |

Description
ssabchew
2010-05-02 19:42:50 UTC

Where is the e16.desktop file located?

```
Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on
/usr/libexec/kde4/lnusertemp.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec/kde4/lnusertemp [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          BubbleWork
Source RPM Packages           kdm-4.4.85-2.fc14
Target RPM Packages           kdelibs-4.4.85-2.fc14
Policy RPM                    selinux-policy-3.8.3-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name
Platform                      Linux 2.6.34-20.fc14.x86_64 #1 SMP Wed Jun 2 12:36:51 UTC 2010 x86_64 x86_64
Alert Count                   7
First Seen                    Fri Jun 11 13:28:32 2010
Last Seen                     Fri Jun 11 13:28:35 2010
Local ID                      c0e2baba-1dd9-494a-bcac-9ea77f585840
Line Numbers

Raw Audit Messages

node= type=AVC msg=audit(1276277315.312:28576): avc: denied { write } for pid=3553 comm="kdm_greet" name="lnusertemp" dev=dm-1 ino=71832 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node= type=SYSCALL msg=audit(1276277315.312:28576): arch=c000003e syscall=21 success=no exit=-13 a0=2923e18 a1=2 a2=7fff4e9b9130 a3=e8 items=0 ppid=3550 pid=3553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
```

Not sure if it changes anything but it happened after upgrading from KDE 4.5.80 to 4.5.85

4.4.80 / 85 kde 4.5b1 & 2, my bad.

If you've customized kdm/kdmrc at all, please attach it here too (/etc/kde/kdm/kdmrc)

Created attachment 423378: kdmrc

(In reply to comment #1)
> Where is the e16.desktop file located?

```
$ ls -Z /usr/share/kde4/apps/kdm/sessions/e16.desktop
-rw-r--r--. root root system_u:object_r:usr_t:s0 /usr/share/kde4/apps/kdm/sessions/e16.desktop
```

We've been considering nuking the stuff under /usr/share/kde4/apps/kdm/sessions for awhile, maybe this is a good excuse to do so.

info provided in comment #6 and comment #7

*** Bug 614134 has been marked as a duplicate of this bug. ***

```
* Fri Jul 16 2010 Rex Dieter <rdieter> - 4.4.92-2
- omit non-essential xsession .desktop files, runs afoul of selinux (#588130)
```

Hi,

I was directed to this report by the sealert tool. Strange, because this report seems to be closed. I'm running rawhide (FC15) and get some sort of the same avc message:

"SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/bin/startkde."

Source RPM: kdm-4.5.0-1.fc15.x86_64
Target RPM: kdebase-workspace-4.5.0-1.fc15
Policy RPM: selinux-policy-3.8.8-12.fc15
Platform: Linux ps-1866.localdomain 2.6.36-0.0.rc0.git1.fc15.x86_64 #1 SMP Wed Aug 4 16:26:35 UTC 2010 x86_64 x86_64

I have no customized kderc (comment #4).

So is this bug still present or ...?

Martin Kho

The original report is closed because the extraneous *.desktop files no longer exist. I suspect your issue is something different, perhaps similar to bug #590883?

martin, please attach the AVC message that you received

sealert brought me to this bug on a fresh Fedora 14 Alpha RC4 installation.

```
Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on lnusertemp.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                lnusertemp [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.5.0-2.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.8.8-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux mjolnir.ethz.ch 2.6.35-3.fc14.x86_64 #1 SMP Fri Aug 6 19:41:28 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Fri 13 Aug 2010 03:57:47 PM CEST
Last Seen                     Fri 13 Aug 2010 04:03:41 PM CEST
Local ID                      79507af7-bb02-4c79-9de0-9f0f6afec772
Line Numbers

Raw Audit Messages

node=mjolnir.ethz.ch type=AVC msg=audit(1281708221.860:503): avc: denied { write } for pid=2642 comm="kdm_greet" name="lnusertemp" dev=dm-1 ino=14297533 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=mjolnir.ethz.ch type=SYSCALL msg=audit(1281708221.860:503): arch=c000003e syscall=21 success=no exit=-13 a0=158d7c8 a1=2 a2=7fffc0d3c340 a3=e8 items=0 ppid=2639 pid=2642 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
```

I think this is being caused by the update to python2.7. If you run `yum -y update` you should not see the avc any longer.

Hi Daniel,

@comment13:

```
Raw Audit Messages :

node=ps-1866.localdomain type=AVC msg=audit(1281771115.168:11): avc: denied { write } for pid=1362 comm="kdm_greet" name="startkde" dev=sda8 ino=14529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=ps-1866.localdomain type=SYSCALL msg=audit(1281771115.168:11): arch=c000003e syscall=21 success=yes exit=0 a0=1377788 a1=2 a2=7fffdf46c7b0 a3=30 items=0 ppid=1359 pid=1362 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
```

@comment 15: I updated my system yesterday. The above messages are from today.

Martin Kho

It does look like you are having the same problem discussed in 590883

This bug is closed:rawhide, but the problem (still) exists in Fedora 13:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/libexec/kde4/lnusertemp.

```
Raw Audit Messages :

node=nbone.mihlnet type=AVC msg=audit(1282147876.74:22491): avc: denied { write } for pid=27911 comm="kdm_greet" name="lnusertemp" dev=sda5 ino=139022 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=nbone.mihlnet type=SYSCALL msg=audit(1282147876.74:22491): arch=c000003e syscall=21 success=no exit=-13 a0=26fef48 a1=2 a2=7fffaf6dc300 a3=34 items=0 ppid=27908 pid=27911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
```

Yours is a different denial (though similar), closer to a few others, including bug #590883,

on second thought, mind filing a new bug? (and provide any hints on how to reproduce it).

Don't know if I should answer that, but I think it's related to suspend/resume. Actually I couldn't reproduce it again, but normally it occurs when I unlock my notebook after resuming from suspend.

I get those messages when booting my laptop and logging in. No suspend/resume... KDE 4.5.0 and F13

(In reply to comment #20)
> on second thought, mind filing a new bug ? (and provide any hints on how to
> reproduce it).

filed as bug #625367