Bug 596931

Summary: SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /bin.
Product: [Fedora] Fedora Reporter: Martin Naď <martin.nad89>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d3045667d805abbfb4405e9e4e20c2e06f1d064d5f3adb342b4afaf3d76e80a1
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-27 19:37:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Naď 2010-05-27 19:08:57 UTC 
Souhrn:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /bin.

Podrobný popis:

[kdm_greet je v toleratním režimu (xdm_t). Přístup byl povolen.]

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Další informace:

Kontext zdroje                system_u:system_r:xdm_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:bin_t:s0
Objekty cíle                 /bin [ dir ]
Zdroj                         kdm_greet
Cesta zdroje                  /usr/libexec/kde4/kdm_greet
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          kdm-4.4.80-2.fc13
RPM balíčky cíle           filesystem-2.4.31-1.fc13
RPM politiky                  selinux-policy-3.7.19-15.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            (removed)
Platforma                     Linux (removed)
                              2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23
                              UTC 2010 x86_64 x86_64
Počet upozornění           8
Poprvé viděno               Čt 27. květen 2010, 21:05:41 CEST
Naposledy viděno             Čt 27. květen 2010, 21:05:41 CEST
Místní ID                   e4468821-c3a7-4c75-a24f-d48fdba537bd
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1274987141.832:55): avc:  denied  { write } for  pid=5615 comm="kdm_greet" name="bin" dev=sda2 ino=262162 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1274987141.832:55): arch=c000003e syscall=21 success=yes exit=4294967424 a0=1d06418 a1=2 a2=7fffbdca1350 a3=8 items=0 ppid=5612 pid=5615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,kdm_greet,xdm_t,bin_t,dir,write
audit2allow suggests:

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# pcscd_var_run_t, xdm_home_t, pam_var_console_t, xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t, user_fonts_t, user_tmpfs_t, user_home_dir_t, xdm_spool_t, fonts_cache_t, locale_t, var_auth_t, tmpfs_t, user_tmp_t, var_spool_t, auth_cache_t, xdm_tmpfs_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, gconf_home_t

allow xdm_t bin_t:dir write;
Comment 1 Daniel Walsh 2010-05-27 19:37:37 UTC 

*** This bug has been marked as a duplicate of bug 590883 ***