Bug 632988

Summary: SELinux is preventing /usr/bin/kdialog "write" access on /usr/libexec/kde4/drkonqi.
Product: [Fedora] Fedora Reporter: Jaroslav Franek <jarin.franek>
Component: kdebase-runtimeAssignee: Than Ngo <than>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, eparis, jreznik, kevin, ltinkl, mgrepl, rdieter, rnovacek, ry, smparrish, than
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d2389721869d791ed613a44bea3e6a8bbc422faa6aa1bfcb55ca3d8da9a4aa65
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-16 21:05:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 633297    

Description Jaroslav Franek 2010-09-12 11:11:42 UTC 
Summary:

SELinux is preventing /usr/bin/kdialog "write" access on
/usr/libexec/kde4/drkonqi.

Detailed Description:

SELinux denied access requested by kdialog. It is not expected that this access
is required by kdialog and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec/kde4/drkonqi [ file ]
Source                        nspluginscan
Source Path                   /usr/bin/nspluginscan
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdebase-4.5.1-1.fc14
Target RPM Packages           kdebase-runtime-4.5.1-1.fc14
Policy RPM                    selinux-policy-3.9.3-4.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.i686
                              #1 SMP Fri Aug 27 08:05:49 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Sat 11 Sep 2010 11:45:10 PM CEST
Last Seen                     Sat 11 Sep 2010 11:45:17 PM CEST
Local ID                      ae927ce3-f16e-4cf1-8be7-840a650a5948
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1284241517.611:46): avc:  denied  { write } for  pid=3341 comm="kdialog" name="drkonqi" dev=dm-0 ino=1719962 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1284241517.611:46): arch=40000003 syscall=33 success=no exit=-13 a0=8c8dec8 a1=2 a2=4b4d258 a3=bf846298 items=0 ppid=3207 pid=3341 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="kdialog" exe="/usr/bin/kdialog" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,nspluginscan,nsplugin_t,bin_t,file,write
audit2allow suggests:

#============= nsplugin_t ==============
allow nsplugin_t bin_t:file write;
Comment 1 Daniel Walsh 2010-09-13 13:25:25 UTC 
Why is kdialog running under nsplugin?

jaraslov, you can turn off the nsplugin transition by executing

setsebool -P allow_unconfined_nsplugin_transition 0
Comment 2 Daniel Walsh 2010-09-13 13:25:39 UTC 
*** Bug 632992 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2010-09-13 13:25:46 UTC 
*** Bug 632991 has been marked as a duplicate of this bug. ***
Comment 4 Kevin Kofler 2010-09-13 14:32:59 UTC 
Konqueror ships a /usr/bin/nspluginscan tool which appears to invoke kdialog to display messages. (It's normally a tool which doesn't produce any output, but if there's an error, it fires up kdialog to show it. That said, it links kdeui among other things, so I'm not sure why it doesn't just use KMessageBox directly.)
Comment 5 Kevin Kofler 2010-09-13 14:34:28 UTC 
Well, actually, the 4.4.x version links kdeui, but that dependency may have been dropped in 4.5, using the external kdialog tool instead (to cut down on shared library dependencies).
Comment 6 Rex Dieter 2010-09-13 14:39:50 UTC 
Seems nspluginscan from kde-4.5.1 still does link kdeui, fwiw.
Comment 7 Daniel Walsh 2010-09-13 14:46:12 UTC 
Well kdialog thinks it needs write access to a whole bunch of files, which I am sure it does not. drkonqi, entry.desktop, index.theme?

Is it doing an access check on these files?
Comment 8 Rex Dieter 2010-09-13 14:48:14 UTC 
Since this seems to be popping up all over, I'd venture there's some kde library call guilty here, not kdialog specifically.
Comment 9 Daniel Walsh 2010-09-13 14:51:40 UTC 
Kerberos libries like to do something like

filecont.writable=access(PATH,W_OK)

Which causes these types of AVCs.
Comment 10 Kevin Kofler 2010-09-13 14:53:49 UTC 
Yeah, basically, kdelibs does access checks of "the world", which is triggering all those AVCs. KConfig is used to parse all INI-style files in KDE (which includes .desktop, .theme etc. files), and KConfig always checks whether it can write to a config file or not.
Comment 11 Kevin Kofler 2010-09-15 15:29:36 UTC 
I think at least the access check AVCs in KConfig could be prevented by simply checking whether the path is in /usr/share and assuming the file to be non-writable in that case. It doesn't make sense to write to /usr/share, even if you're root.

That should fix this and possibly a few other bugs. (It won't fix the issues with execute checks being done on some executables in some places though.)
Comment 12 Kevin Kofler 2010-09-15 15:31:36 UTC 
Well, actually this one is on /usr/libexec/kde4/drkonqi, that doesn't look like KConfig to me (and why is it a write check, I'd expect execute?).
Comment 13 Fedora End Of Life 2012-08-16 21:05:26 UTC 
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping