Bug 985768

Summary: SELinux is preventing /usr/libexec/kde4/lnusertemp from 'create' accesses on the directory .kde.
Product: Red Hat Enterprise Linux 7
Reporter: Martin Bříza <mbriza>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: lvrabec, mmalik, orion, zpytela
Target Milestone: rc
Keywords: Reopened
Hardware: x86_64
OS: Linux
Whiteboard: abrt_hash:43e36891067671c50a7ae8aaa89c250011c631d3f4c0dfd432e3115c492a6786
Last Closed: 2019-03-12 14:40:37 UTC

Description Martin Bříza 2013-07-18 08:22:07 UTC
Description of problem:
Started in FIPS mode.
SELinux is preventing /usr/libexec/kde4/lnusertemp from 'create' accesses on the directory .kde.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow polyinstantiation to enabled
Then you must tell SELinux about this by enabling the 'polyinstantiation_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P polyinstantiation_enabled 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that lnusertemp should be allowed create access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lnusertemp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                .kde [ dir ]
Source                        lnusertemp
Source Path                   /usr/libexec/kde4/lnusertemp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdelibs-4.10.5-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-63.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-1.el7.x86_64 #1 SMP Tue Jul
                              9 12:25:09 EDT 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-07-17 14:32:24 CEST
Last Seen                     2013-07-17 15:12:59 CEST
Local ID                      087558f6-4121-47f5-b7cb-a138c44fa230

Raw Audit Messages
type=AVC msg=audit(1374066779.503:395): avc:  denied  { create } for  pid=1341 comm="lnusertemp" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1374066779.503:395): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fff320ddf60 a1=1c0 a2=ffffffffffffff80 a3=7fff320ddc80 items=0 ppid=1339 pid=1341 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=lnusertemp exe=/usr/libexec/kde4/lnusertemp subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: lnusertemp,xdm_t,admin_home_t,dir,create

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.10.0-1.el7.x86_64
type:           libreport

Comment 2 Miroslav Grepl 2013-07-22 07:12:57 UTC
Did you log in as root? This is not supported by SELinux.

Comment 3 Martin Bříza 2013-07-22 09:35:44 UTC
I did not, my regular administrator account.

Comment 4 Orion Poplawski 2016-03-10 22:06:43 UTC
Same here with regular login.

Comment 8 Zdenek Pytela 2019-03-12 14:40:37 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.