Bug 374011 - SELinux is preventing /usr/bin/kdm (xdm_t) "execute" to (bootloader_exec_t).
SELinux is preventing /usr/bin/kdm (xdm_t) "execute" to (bootloader_exec_t).
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
8
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-09 18:03 EST by Konstantin Svist
Modified: 2008-05-07 14:19 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-07 14:19:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
boot choice example (92.97 KB, image/png)
2008-02-19 12:55 EST, Konstantin Svist
no flags Details

  None (edit)
Description Konstantin Svist 2007-11-09 18:03:26 EST
Description of problem:

I'm seeing the following error in setroubleshoot:

"""
Summary
    SELinux is preventing /usr/bin/kdm (xdm_t) "execute" to <Unknown>
    (bootloader_exec_t).

Detailed Description
    SELinux denied access requested by /usr/bin/kdm. It is not expected that
    this access is required by /usr/bin/kdm and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bootloader_exec_t:s0
Target Objects                None [ file ]
Affected RPM Packages         kdebase-3.5.8-5.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     mireille
Platform                      Linux mireille 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 i686
Alert Count                   3
First Seen                    Fri 09 Nov 2007 06:17:08 AM PST
Last Seen                     Fri 09 Nov 2007 02:37:32 PM PST
Local ID                      2f4ca290-1fb0-46d1-a29a-2b672bb96565
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm=kdm dev=sda9 egid=0 euid=0 exe=/usr/bin/kdm
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=grub pid=3030
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:bootloader_exec_t:s0 tty=(none) uid=0
"""





Version-Release number of selected component (if applicable):
kdebase-3.5.8-5.fc8


How reproducible:
Always


Steps to Reproduce:
(suspected)
Make KDM aware of the boot manager:
1. Go to KDE Control Panel -> System Administration -> Login Manager ->
Administrative Mode -> Shutdown 
2. Select "Grub" as the boot manager
3. Log out and back in - the selinux error message appears
Comment 1 Konstantin Svist 2007-11-10 14:59:09 EST
Forgot to mention in case you don't know how to enable KDM as the login manager:
edit file /etc/sysconfig/desktop (create if doesn't already exist) and add a
following line to it:
DISPLAYMANAGER="KDE"

This will make kdm the default login manager and KDE the default environment.
Comment 2 Konstantin Svist 2007-11-11 17:18:53 EST
Update: the error also appears without actually logging out; it's sufficient to
select Log Out from the KDE menu, and cancel out of it.
Comment 3 Rex Dieter 2007-11-11 17:23:46 EST
I cannot reproduce locally.

Have you modified kdm's setup in anyway (to vary from the stock defaults)?

Further, please
1.  ensure your box is fully up-to-date
2.  try
touch /.autorelabel
and reboot

Does the problem persist?
Comment 4 Konstantin Svist 2007-11-12 16:34:41 EST
Yes, the problem remains after relabel.
The necessary parts to get this bug:
1) set the default window manager AND login manager to KDE/kdm - I used the
method described in Comment #1
2) select "Grub" as the boot manager as described in "Steps to reproduce" in the
original bug description.

I verified that when I set boot manager to default "None", then log out and log
back in - the problem disappears.
It appears that logging out at least once is necessary for the setting to take
full effect (and thus the bug to start/stop showing up)

Comment 5 Rex Dieter 2007-12-03 10:38:24 EST
What's the purpose of your setting the boot manager option to "grub" (afaik,
that's the default anyway)?
Comment 6 Konstantin Svist 2007-12-03 17:45:48 EST
This is not for "enabling grub" - this is for a nice KDE extra feature: if you
have multiple grub entries, you may choose one to reboot to, in the logout
dialog - during such reboot, the system doesn't make grub wait for input and
just boots to whatever target you have chosen. For example, if you have a
dual-boot with WinXP and Fedora is default, you can choose "reboot to Windows"
Comment 7 Rex Dieter 2007-12-03 19:49:24 EST
neat, so neat in fact I think we need to make that the default behavior, imo.

So, other than seeing the selinux alert, do you experience any concrete problems?
Comment 8 Rex Dieter 2008-02-19 08:22:28 EST
Hrm, I can't get get this feature to work.  With or without selinux being enabled.
Comment 9 Konstantin Svist 2008-02-19 12:13:13 EST
(In reply to comment #8)
> Hrm, I can't get get this feature to work.  With or without selinux being enabled.

/etc/sysconfig/desktop should have
DISPLAYMANAGER="KDE"
DESKTOP="KDE"

and you should be running a KDE session :)
Comment 10 Rex Dieter 2008-02-19 12:20:34 EST
Yes, I have all that, it's the 
"if you have multiple grub entries, you may choose one to reboot to, in the
logout dialog" 
feature that doesn't work for me.
Comment 11 Konstantin Svist 2008-02-19 12:55:59 EST
Created attachment 295313 [details]
boot choice example

(In reply to comment #10)
> Yes, I have all that, it's the 
> "if you have multiple grub entries, you may choose one to reboot to, in the
> logout dialog" 
> feature that doesn't work for me.

I don't know what to tell you, then :(
As far as I know, using KDM/KDE and setting grub as the bootloader enables this
menu (see screenshot)
Comment 12 Konstantin Svist 2008-02-19 12:58:13 EST
P.S. have to press down and hold the reboot button for the menu to appear -
otherwise it just follows default reboot
Comment 13 Rex Dieter 2008-02-19 13:08:22 EST
Thanks!  It was the "Press down and hold" part that I was missing.  Real Neat.

Reassigning selinux-policy-targetted, see if we can get it updated to allow this.
Comment 14 Rex Dieter 2008-02-19 13:09:25 EST
Daniel, what do you think of allowing kdm the ability to nudge grub to select
the next boot selection?
Comment 15 Daniel Walsh 2008-02-19 15:06:11 EST
This looks like when you login you are running as xdm_t which is the problem. 
You should be logged in as unconfined_t.  I think you have a problem with your
pam configuration.

Login, run a shell

$ id -Z

Should show unconfined_t, if it shows xdm_t you never transitioned properly.
Comment 16 Rex Dieter 2008-02-19 15:14:29 EST
For me (on my f7 box) anyway:
$ id -Z
user_u:system_r:unconfined_t    
Comment 17 Daniel Walsh 2008-02-19 15:59:59 EST
Alright I read the bug again. The login program will allow a non logged in user
to change the way the machine reboots?
Comment 18 Konstantin Svist 2008-02-19 16:20:34 EST
(In reply to comment #17)
> Alright I read the bug again. The login program will allow a non logged in user
> to change the way the machine reboots?

Yes, the dialog for rebooting while not logged in also changes. (You probably
already know this, but that dialog looks a little different)
I can't confirm if that one also causes selinux error, since I'm running with
selinux disabled (got really tired of all the warnings I can't even understand
most of the time)
Comment 19 Rex Dieter 2008-02-19 16:22:18 EST
Re: Dan's comment #17:
That's the gist of it, yeah.  grub has a feature to be able to specify the
default choice of the next boot, we'd like to allow kdm to use that.

Feel free to respond with "what kind of crack are you smoking?" if you're not
keen on allowing that via selinux-policy.
Comment 20 Rex Dieter 2008-02-25 08:42:26 EST
Konstantin,  I don't know what your problem was/is, but the
Bootloader=Grub
feature worksforme on f7,f8 using selinux-policy-targeted

Please consider relabeling your filesystem, and see if the problem(s) persist: 
touch /.autorelabel
(re)enable selinux (if disabled, not just in permissive mode)
reboot
Comment 21 Daniel Walsh 2008-02-26 10:10:40 EST
I talked to the gdm developers and they think this is crackrock and should be
removed from kdm.  Allowing a non logged in user to change the boot/runlevel is
not considered a great idea.  Can you give a justification for this? 

Comment 22 Rex Dieter 2008-02-26 10:21:10 EST
Shrug, folks can already tell the system to shutdown/restart on the login
screen, then wait, and choose the next boot choice when grub's menu appears. 
kdm is simply offering the ability to skip the wait.

But, as I said in comment #20, it would appear, afaict, that this feature works
*now*.

That said, I'm definitely ok concluding that this is all crackrock security-wise
(and not enabling this feature by default).
Comment 23 Daniel Walsh 2008-02-26 10:44:54 EST
What about an X Screen where I don't have access to the console?  Does this work
when I have a grub password?  Of course some people argue that allowing the
machine to be rebooted without logging in is also a security flaw.  :^(
Comment 24 Rex Dieter 2008-02-26 10:47:31 EST
We're talking about defaults here, where kdm 
1.  Doesn't allow remote XDMCP 
2.  even with remote/xdmcp, non-local connections aren't allowed shutdown/reboot
options anyway

Wrt, grub passwords, dunno.  I thought that only affected a users ability to
modify an existing grub entry, not restrict which entries are choosable.
Comment 25 Daniel Walsh 2008-02-26 10:56:16 EST
I have no idea, I am just throwing out possible problems with this.
Comment 26 Rex Dieter 2008-02-26 11:03:14 EST
Dan, thanks, so, afaict, the only low-priority issue I see left is whether
selinux policy should address the "/usr/bin/kdm (xdm_t) "execute" to <Unknown>
(bootloader_exec_t)" logged message or not.

If the answer is no, then feel free to re-assign this back to kdebase.
Comment 27 Daniel Walsh 2008-05-07 14:13:45 EDT
I don't think fedora should support this feature.
Comment 28 Rex Dieter 2008-05-07 14:19:22 EDT
OK, you heard the man, WONTFIX.

Feel free to enable the feature and create a custom local selinux policy to
allow that at your site.

Note You need to log in before you can comment on or make changes to this bug.