Bug 426715 - SELinux fails to update permissions for KDM on upgrade to KDE4
Product: Fedora
Classification: Fedora
Component: kdebase
All Linux
low Severity medium
Assigned To: Ngo Than
Fedora Extras Quality Assurance
Reported: 2007-12-24 16:02 EST by logan
Modified: 2008-07-28 16:29 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-07-28 16:29:03 EDT

Attachments
selinux policy alert report (1.81 KB, text/plain)
2007-12-24 16:02 EST, logan

Description logan 2007-12-24 16:02:22 EST
Description of problem:
2 problems with SELinux policy not updating after an upgrade to kde4 via rawhide:
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "create" to (var_lib_t)
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "write" to (usr_t).

Version-Release number of selected component (if applicable):

Affected RPM Packages:  kdebase-3.5.8-9.fc8 [application] <-- I'm no
selinux expert, but I'm guessing this might be a problem as kdebase has been
updated to 3.97
Policy RPM:  selinux-policy-3.0.8-64.fc8

How reproducible:
Upgrade FC8 KDE3.5 to KDE4 via yum update kdelibs kdebase, restart computer.

Steps to Reproduce:
Actual results:
X Login screen fails to launch with KDM error.

Expected results:

Additional info:
    SELinux is preventing /usr/bin/kdm_greet (xdm_t) "write" to <Unknown>

Detailed Description
    SELinux denied access requested by /usr/bin/kdm_greet. It is not expected
    that this access is required by /usr/bin/kdm_greet and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                None [ file ]
Affected RPM Packages         kdebase-3.5.8-9.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-64.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain #1 SMP
                              Wed Nov 21 18:51:08 EST 2007 i686 athlon
Alert Count                   308
First Seen                    Mon 17 Dec 2007 10:22:14 PM EST
Last Seen                     Tue 18 Dec 2007 08:26:03 PM EST
Local ID                      bdd4e798-5128-4a43-9cee-482207ce71ee
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=kdm_greet dev=sdb6 egid=0 euid=0
exe=/usr/bin/kdm_greet exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name=GdmGreeterTheme.desktop pid=2817
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

avc: denied { create } for comm=kdm_greet egid=0 euid=0 exe=/usr/bin/kdm_greet
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=kdm pid=2817
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0

Comment 1 logan 2007-12-24 16:02:22 EST
Created attachment 290359
selinux policy alert report

Comment 2 Daniel Walsh 2007-12-31 07:47:44 EST
/var/lib/kde should be owned by an rpm, and would be created with the correct
context on install so that kde_greet could write to it.

kde_greet should not be writing to a file in /usr

/usr should be considered r/o

The attachment above has nothing to do with this bug report.
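
The two denials in this report, sorted the way comment 2 triages them, as an added example that is not part of the original bug thread: it parses the raw AVC records and classifies a write to usr_t as an application fix and a directory creation under generic var_lib_t as a packaging fix. The function names, the category strings and the type sets are assumptions made for illustration.

```python
import re

# The two raw AVC records from the report above, each joined onto one line.
RECORDS = [
    "avc: denied { write } for comm=kdm_greet dev=sdb6 egid=0 euid=0 "
    "exe=/usr/bin/kdm_greet exit=-13 fsgid=0 fsuid=0 gid=0 items=0 "
    "name=GdmGreeterTheme.desktop pid=2817 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0",
    "avc: denied { create } for comm=kdm_greet egid=0 euid=0 "
    "exe=/usr/bin/kdm_greet exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=kdm "
    "pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=dir "
    "tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
MODIFYING = {"write", "create", "append", "unlink", "rename", "setattr"}
# Assumption: these sets hold only the two target types seen in this bug.
READ_ONLY_TYPES = {"usr_t"}          # comment 2: /usr is read-only
GENERIC_STATE_TYPES = {"var_lib_t"}  # generic /var/lib label

def parse_avc(record):
    """Return the policy-relevant fields of one AVC denial, or None.
    A context is user:role:type:level, so the type is the third field."""
    m = AVC_RE.search(record)
    kv = dict(p.split("=", 1) for p in m.group(2).split() if "=" in p) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "perms": set(m.group(1).split()),
        "tclass": kv["tclass"],
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
    }

def triage(d):
    """Map a parsed denial to the kind of fix comment 2 calls for."""
    if not d["perms"] & MODIFYING:
        return "review"
    if d["target_type"] in READ_ONLY_TYPES:
        return "fix-application"   # the program should not write here
    creates_dir = d["tclass"] == "dir" and "create" in d["perms"]
    if d["target_type"] in GENERIC_STATE_TYPES and creates_dir:
        return "fix-packaging"     # the RPM should ship the labeled directory
    return "review"

if __name__ == "__main__":
    for d in map(parse_avc, RECORDS):
        print(d["source_type"], sorted(d["perms"]), d["target_type"], triage(d))
```

Neither category leads to a local allow rule for xdm_t; anything the two rules do not match is returned as "review" for a person to look at.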

Comment 3 Bug Zapper 2008-05-14 00:15:04 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:

Comment 4 Steven M. Parrish 2008-06-23 16:06:56 EDT
Is this still an issue?

Comment 5 Steven M. Parrish 2008-07-28 16:29:03 EDT
The information we've requested above is required in order
to review this problem report further and diagnose or fix the
issue if it is still present.  Since it has been thirty days or
more since we first requested additional information, we're assuming
the problem is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested,
please feel free to reopen the bug report.

Thank you in advance.
