Bug 252368 - kdm_greet denials
Summary: kdm_greet denials
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Depends On:
Reported: 2007-08-15 17:20 UTC by Orion Poplawski
Modified: 2008-10-01 12:11 UTC

Doc Type: Bug Fix
Last Closed: 2008-10-01 12:11:45 UTC


Description Orion Poplawski 2007-08-15 17:20:36 UTC
Description of problem:

Aug 15 10:46:40 lynx kernel: audit(1187196400.066:26): avc:  denied  { create }
for  pid=2902 comm="kdm_greet" name="kdm"
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

and then lots of (goes through lots of .desktop files), probably leaked fd:

Aug 15 10:46:40 lynx kernel: audit(1187196400.085:27): avc:  denied  { write }
for  pid=2902 comm="kdm_greet" name="kde.desktop" dev=sda3 ino=342945
tcontext=system_u:object_r:usr_t:s0 tclass=file
Aug 15 10:46:40 lynx kernel: audit(1187196400.171:29): avc:  denied  { write }
for  pid=2902 comm="kdm_greet" name="9wm.desktop" dev=sda3 ino=992296
tcontext=system_u:object_r:usr_t:s0 tclass=file

Version-Release number of selected component (if applicable):

Comment 1 Bug Zapper 2008-04-04 13:36:14 UTC
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 2 Orion Poplawski 2008-04-06 03:48:15 UTC
A few are still present in rawhide:

type=1400 audit(1207452761.829:5): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="fontconfig" dev=sda5 ino=47912
tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=1400 audit(1207452762.706:6): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="KdmGreeterTheme.desktop" dev=sda3 ino=136490
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1207452763.089:7): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="entry.desktop" dev=sda3 ino=185161
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452763.130:8): avc:  denied  { write } for  pid=3208
comm="kdm_greet" name="entry.desktop" dev=sda3 ino=15769
tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452775.047:87): avc:  denied  { create } for  pid=3208
comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

Comment 3 Orion Poplawski 2008-04-06 04:03:12 UTC
Also get this at login:

type=1400 audit(1207452775.071:88): avc:  denied  { write } for  pid=3234
comm="lnusertemp" name="root" dev=sda3 ino=106497
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 4 Daniel Walsh 2008-04-06 10:46:25 UTC
/var/lib/kdm should be part of the kdm package and would therefore be labeled
correctly and not need to be created.

I will dontaudit the lnusertemp writing to the /root directory although this
seems strange.

I will allow it to manage fonts, allowing it to write to usr_t is a bit more

The problem I have with a lot of this is giving a program that is run with no
authentication power to manipulate the machine seems very dangerous.

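The denials quoted in comments 2, 3 and 6, together with the decisions in comment 4, lend themselves to a small triage script. The following Python is an added example, not code from this bug or from the selinux-policy or kdebase packages. It parses AVC records in both the raw auditd form and the syslog-prefixed form of comment 6, groups them by source type, permission, target type and object class, and maps each group onto the outcome the maintainer described: allow writes to fonts_t, dontaudit the writes to usr_t/locale_t and admin_home_t rather than grant them (a greeter running before authentication should never gain write access to system content), and treat the var_lib_t create as a packaging/labeling fix. The sample records are constructed from the ones above, with scontext filled in where the paste omitted it; the recommendation table and the "investigate" fallback are assumptions for illustration, not policy shipped by Fedora.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, modelled on the AVC records quoted in this bug
# (comments 2, 3 and 6). Each record is on one line as auditd writes it;
# scontext has been filled in where the original paste omitted it.
SAMPLE_AUDIT = """\
type=1400 audit(1207452761.829:5): avc:  denied  { write } for  pid=3208 comm="kdm_greet" name="fontconfig" dev=sda5 ino=47912 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=1400 audit(1207452762.706:6): avc:  denied  { write } for  pid=3208 comm="kdm_greet" name="KdmGreeterTheme.desktop" dev=sda3 ino=136490 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1207452763.089:7): avc:  denied  { write } for  pid=3208 comm="kdm_greet" name="entry.desktop" dev=sda3 ino=185161 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452763.130:8): avc:  denied  { write } for  pid=3208 comm="kdm_greet" name="entry.desktop" dev=sda3 ino=15769 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=1400 audit(1207452775.047:87): avc:  denied  { create } for  pid=3208 comm="kdm_greet" name="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Sep 30 10:00:06 test kernel: type=1400 audit(1222790406.262:8): avc:  denied  { write } for  pid=3056 comm="lnusertemp" name="root" dev=dm-0 ino=335873 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..." anywhere in the
# line, so a syslog prefix ("Sep 30 ... kernel:") does not matter.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class Denial(NamedTuple):
    perms: Tuple[str, ...]
    comm: str
    name: str
    stype: str   # SELinux type of the subject (third field of scontext)
    ttype: str   # SELinux type of the object (third field of tcontext)
    tclass: str


def _type_of(context: str) -> str:
    """user:role:type[:range] -> type; unknown shapes are returned verbatim."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(lines: List[str]) -> List[Denial]:
    """Extract the fields of every AVC denial found in the given log lines."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        out.append(Denial(
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
            stype=_type_of(fields.get("scontext", "")),
            ttype=_type_of(fields.get("tcontext", "")),
            tclass=fields.get("tclass", ""),
        ))
    return out


# Assumed triage table (not Fedora policy): encodes the outcomes described in
# comments 4 and 7 so the same reasoning can be rerun on a fresh audit log.
WRITE_LIKE = {"write", "create", "append", "unlink", "rename"}


def recommend(d: Denial) -> str:
    if not WRITE_LIKE & set(d.perms):
        return "investigate"
    if d.ttype == "fonts_t":
        return "allow"         # fontconfig cache: writes are expected
    if d.ttype in {"usr_t", "locale_t"}:
        return "dontaudit"     # system content; likely leaked fd, never grant write
    if d.ttype == "var_lib_t" and "create" in d.perms and d.tclass == "dir":
        return "package-fix"   # ship /var/lib/kdm labeled instead of letting xdm_t create it
    if d.ttype == "admin_home_t":
        return "dontaudit"     # lnusertemp writing under /root: silence, do not allow
    return "investigate"


def triage(lines: List[str]) -> Counter:
    """Count denials per (comm, stype, perms, ttype, tclass, recommendation)."""
    buckets: Counter = Counter()
    for d in parse_avc(lines):
        key = (d.comm, d.stype, " ".join(d.perms), d.ttype, d.tclass, recommend(d))
        buckets[key] += 1
    return buckets


if __name__ == "__main__":
    for (comm, stype, perms, ttype, tclass, action), n in sorted(triage(SAMPLE_AUDIT.splitlines()).items()):
        print(f"{n:3d}  {comm:<12} {stype:<8} {perms:<8} -> {ttype:<14} {tclass:<5}  {action}")
```

Run against a real system, feed it `ausearch -m avc --raw` output or the kernel log; the point of grouping by type rather than by file name is that one leaked descriptor produces hundreds of distinct `name=` values (the .desktop files in the original report) but only a handful of (source type, permission, target type) tuples, which is the granularity at which policy decisions are made.
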
Comment 5 Kevin Kofler 2008-04-08 10:49:31 UTC
Already triaged, removing cleanup tag.

Comment 6 Orion Poplawski 2008-09-30 20:44:39 UTC
Still (back) in rawhide:

Sep 30 09:59:20 test kernel: type=1400 audit(1222790360.632:6): avc:  denied  { write } for  pid=2661 comm="kdm_greet" name="fontconfig" dev=dm-1 ino=40991 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir

Sep 30 10:00:06 test kernel: type=1400 audit(1222790406.262:8): avc:  denied  { write } for  pid=3056 comm="lnusertemp" name="root" dev=dm-0 ino=335873 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 7 Daniel Walsh 2008-10-01 12:11:45 UTC
Fixed in selinux-policy-3.5.9-3.fc10

Added dontaudits.
