Bug 252368 - kdm_greet denials
kdm_greet denials
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-15 13:20 EDT by Orion Poplawski
Modified: 2008-10-01 08:11 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-01 08:11:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2007-08-15 13:20:36 EDT
Description of problem:

Aug 15 10:46:40 lynx kernel: audit(1187196400.066:26): avc:  denied  { create }
for  pid=2902 comm="kdm_greet" name="kdm"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

and then lots of (goes through lots of .desktop files), probably leaked fd:

Aug 15 10:46:40 lynx kernel: audit(1187196400.085:27): avc:  denied  { write }
for  pid=2902 comm="kdm_greet" name="kde.desktop" dev=sda3 ino=342945
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
Aug 15 10:46:40 lynx kernel: audit(1187196400.171:29): avc:  denied  { write }
for  pid=2902 comm="kdm_greet" name="9wm.desktop" dev=sda3 ino=992296
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
....

Version-Release number of selected component (if applicable):
selinux-policy-3.0.5-7.fc8
Comment 1 Bug Zapper 2008-04-04 09:36:14 EDT
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 2 Orion Poplawski 2008-04-05 23:48:15 EDT
A few are still present in rawhide:



type=1400 audit(1207452761.829:5): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="fontconfig" dev=sda5 ino=47912
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=1400 audit(1207452762.706:6): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="KdmGreeterTheme.desktop" dev=sda3 ino=136490
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1207452763.089:7): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="entry.desktop" dev=sda3 ino=185161
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452763.130:8): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="entry.desktop" dev=sda3 ino=15769
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452775.047:87): avc:  denied  { create } for  pid=3208
comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Comment 3 Orion Poplawski 2008-04-06 00:03:12 EDT
Also get this at login:

type=1400 audit(1207452775.071:88): avc:  denied  { write } for  pid=3234
comm="lnusertemp" name="root" dev=sda3 ino=106497
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Comment 4 Daniel Walsh 2008-04-06 06:46:25 EDT
/var/lib/kdm should be part of the kdm package and would there fore be labeled
correctly and not need to be created.

I will dontaudit the lnusertemp writing to the /root directory although this
seems strange.

I will allow it to manage fonts, allowing it to write to usr_t is a bit more
problematic.

The problem I have with a lot of this is giving a program that is run with not
authentication power to manipulate the machine seems very dangerous.
Comment 5 Kevin Kofler 2008-04-08 06:49:31 EDT
Already triaged, removing cleanup tag.
Comment 6 Orion Poplawski 2008-09-30 16:44:39 EDT
Still (back) in rawhide:

Sep 30 09:59:20 test kernel: type=1400 audit(1222790360.632:6): avc:  denied  { write } for  pid=2661 comm="kdm_greet" name="fontconfig" dev=dm-1 ino=40991 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir

Sep 30 10:00:06 test kernel: type=1400 audit(1222790406.262:8): avc:  denied  { write } for  pid=3056 comm="lnusertemp" name="root" dev=dm-0 ino=335873 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Comment 7 Daniel Walsh 2008-10-01 08:11:45 EDT
Fixed in selinux-policy-3.5.9-3.fc10

Added dontaudits.

Note You need to log in before you can comment on or make changes to this bug.