Description of problem:
2 problems with SELinux policy not updating after an upgrade to kde4 via rawhide:
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "create" to (var_lib_t)
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "write" to (usr_t).

Version-Release number of selected component (if applicable):
Affected RPM Packages: kdebase-3.5.8-9.fc8 [application] <--I'm no selinux expert, but I'm guessing this might be a problem as kdebase has been updated to 3.97
Policy RPM: selinux-policy-3.0.8-64.fc8

How reproducible:
Upgrade FC8 KDE3.5 to KDE4 via yum update kdelibs kdebase, restart computer.

Steps to Reproduce:
1.
2.
3.

Actual results:
X Login screen fails to launch with KDM error.

Expected results:

Additional info:

Summary
SELinux is preventing /usr/bin/kdm_greet (xdm_t) "write" to <Unknown> (usr_t).

Detailed Description
SELinux denied access requested by /usr/bin/kdm_greet. It is not expected that this access is required by /usr/bin/kdm_greet and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>,

restorecon -v <Unknown>

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context          system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context          system_u:object_r:usr_t:s0
Target Objects          None [ file ]
Affected RPM Packages   kdebase-3.5.8-9.fc8 [application]
Policy RPM              selinux-policy-3.0.8-64.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               localhost.localdomain
Platform                Linux localhost.localdomain 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 athlon
Alert Count             308
First Seen              Mon 17 Dec 2007 10:22:14 PM EST
Last Seen               Tue 18 Dec 2007 08:26:03 PM EST
Local ID                bdd4e798-5128-4a43-9cee-482207ce71ee
Line Numbers

Raw Audit Messages

avc: denied { write } for comm=kdm_greet dev=sdb6 egid=0 euid=0 exe=/usr/bin/kdm_greet exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=GdmGreeterTheme.desktop pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

avc: denied { create } for comm=kdm_greet egid=0 euid=0 exe=/usr/bin/kdm_greet exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=kdm pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0
Created attachment 290359 selinux policy alert report
/var/lib/kde should be owned by an rpm, and would be created with the correct context on install so that kde_greet could write to it.

kde_greet should not be writing to a file in /usr
GdmGreeterTheme.desktop

/usr should be considered r/o

The attachment above has nothing to do with this bug report.
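
Added example, not part of the original report or of any comment in it: a short Python triage of the two raw audit messages quoted in the report, pulling out the source type, permission, target type and object class, then sorting each denial the way the comment above reasons about it. The MODIFY set and the triage() rule are assumptions made for illustration; the sample lines are the report's messages trimmed to the fields used.

```python
import re
from collections import Counter

# Constructed sample: the report's two raw audit messages, trimmed to the fields used here.
SAMPLE = """\
avc: denied { write } for comm=kdm_greet exe=/usr/bin/kdm_greet name=GdmGreeterTheme.desktop pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:usr_t:s0
avc: denied { create } for comm=kdm_greet exe=/usr/bin/kdm_greet name=kdm pid=2817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dir tcontext=system_u:object_r:var_lib_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
# Assumption: permissions treated as "modifies the target" for this triage.
MODIFY = {"write", "create", "append", "unlink", "rename", "setattr", "add_name"}

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    rec = {"perms": m.group(1).split(),
           "comm": fields.get("comm", "").strip('"'),
           "name": fields.get("name", "").strip('"'),
           "tclass": fields.get("tclass")}
    # A context is user:role:type:level; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def triage(rec):
    """Hypothetical rule modeled on the comment in this thread."""
    if MODIFY & set(rec["perms"]):
        if rec["ttype"] == "usr_t":
            return "application: should not write under /usr (treat as r/o)"
        if rec["ttype"] == "var_lib_t":
            return "packaging: path should be owned by an rpm and labeled at install"
    return "needs review"

def summarize(text):
    """Count denials per (source type, perm, target type, class, name, verdict)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["stype"], perm, rec["ttype"], rec["tclass"],
                    rec["name"], triage(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key, sep=" | ")
```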
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Is this still an issue?
The information we've requested above is required in order to review this problem report further and diagnose or fix the issue if it is still present. Since it has been thirty days or more since we first requested additional information, we're assuming the problem is either no longer present in the current Fedora release, or that there is no longer any interest in tracking the problem. Setting status to "CLOSED INSUFFICIENT_DATA". If you still experience this problem after updating to our latest Fedora release and can provide the information previously requested, please feel free to reopen the bug report. Thank you in advance.