Bug 426715 - SELinux fails to update permissions for KDM on upgrade to KDE4
Summary: SELinux fails to update permissions for KDM on upgrade to KDE4
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 9
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-12-24 21:02 UTC by logan
Modified: 2008-07-28 20:29 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-28 20:29:03 UTC
Type: ---
Embargoed:


Attachments
selinux policy alert report (1.81 KB, text/plain)
2007-12-24 21:02 UTC, logan

Description logan 2007-12-24 21:02:22 UTC
Description of problem:
2 problems with SELinux policy not updating after an upgrade to kde4 via rawhide:
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "create" to (var_lib_t)
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "write" to (usr_t).

Version-Release number of selected component (if applicable):

Affected RPM Packages:  kdebase-3.5.8-9.fc8 [application] <-- I'm no
SELinux expert, but I'm guessing this might be a problem as kdebase has been
updated to 3.97
Policy RPM:  selinux-policy-3.0.8-64.fc8

How reproducible:
Upgrade FC8 KDE3.5 to KDE4 via yum update kdelibs kdebase, restart computer.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
X Login screen fails to launch with KDM error.

Expected results:


Additional info:
Summary
    SELinux is preventing /usr/bin/kdm_greet (xdm_t) "write" to <Unknown>
    (usr_t).

Detailed Description
    SELinux denied access requested by /usr/bin/kdm_greet. It is not expected
    that this access is required by /usr/bin/kdm_greet and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                None [ file ]
Affected RPM Packages         kdebase-3.5.8-9.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-64.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.8-63.fc8 #1 SMP
                              Wed Nov 21 18:51:08 EST 2007 i686 athlon
Alert Count                   308
First Seen                    Mon 17 Dec 2007 10:22:14 PM EST
Last Seen                     Tue 18 Dec 2007 08:26:03 PM EST
Local ID                      bdd4e798-5128-4a43-9cee-482207ce71ee
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=kdm_greet dev=sdb6 egid=0 euid=0
exe=/usr/bin/kdm_greet exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name=GdmGreeterTheme.desktop pid=2817
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

avc: denied { create } for comm=kdm_greet egid=0 euid=0 exe=/usr/bin/kdm_greet
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=kdm pid=2817
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0

Comment 1 logan 2007-12-24 21:02:22 UTC
Created attachment 290359
selinux policy alert report

Comment 2 Daniel Walsh 2007-12-31 12:47:44 UTC
/var/lib/kde should be owned by an rpm, and would be created with the correct
context on install so that kde_greet could write to it.

kde_greet should not be writing to a file in /usr
GdmGreeterTheme.desktop 

/usr should be considered r/o

The attachment above has nothing to do with this bug report.
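
An added example, not part of the original bug thread or of any Fedora tool: a parser for the two AVC records in the description that derives the allow rule a local policy module would have to contain and labels each denial along the lines of Comment 2. The `triage` labels and the set of modifying permissions are assumptions made for illustration.

```python
import re

# Constructed input: the two AVC records from the bug description, each
# joined onto one line (values copied from the report, nothing added).
SAMPLE = (
    "avc: denied { write } for comm=kdm_greet dev=sdb6 egid=0 euid=0 exe=/usr/bin/kdm_greet exit=-13 fsgid=0 "
    "fsuid=0 gid=0 items=0 name=GdmGreeterTheme.desktop pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0\n"
    "avc: denied { create } for comm=kdm_greet egid=0 euid=0 exe=/usr/bin/kdm_greet exit=-13 fsgid=0 "
    "fsuid=0 gid=0 items=0 name=kdm pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0\n"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict of one AVC denial's fields, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is what policy rules match.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def as_allow_rule(rec):
    """The type-enforcement rule a local module would need for this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))

def triage(rec):
    """Hypothetical triage labels following the reasoning in Comment 2."""
    modifies = {"write", "create", "append", "unlink", "rename", "setattr"}
    if rec["ttype"] == "usr_t" and modifies & set(rec["perms"]):
        return "fix-application"   # /usr is treated as read-only
    if rec["ttype"] == "var_lib_t" and rec["tclass"] == "dir" and "create" in rec["perms"]:
        return "fix-packaging"     # directory should ship in the RPM, labeled at install
    return "needs-review"

def report(text):
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    return [(r["name"], as_allow_rule(r), triage(r)) for r in recs]

if __name__ == "__main__":
    for name, rule, verdict in report(SAMPLE):
        print(f"{verdict:16} {name:26} {rule}")
```

The derived rules show why a local module is the wrong fix here: each one would grant `xdm_t` the permission on every object of the generic target type, not only on the one file or directory named in the denial.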



Comment 3 Bug Zapper 2008-05-14 04:15:04 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Steven M. Parrish 2008-06-23 20:06:56 UTC
Is this still an issue?

Comment 5 Steven M. Parrish 2008-07-28 20:29:03 UTC
The information we've requested above is required in order
to review this problem report further and diagnose or fix the
issue if it is still present.  Since it has been thirty days or
more since we first requested additional information, we're assuming
the problem is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested,
please feel free to reopen the bug report.

Thank you in advance.


