Bug 443473 - SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-21 15:14 EDT by TR Bentley
Modified: 2008-04-21 15:29 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-21 15:29:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description TR Bentley 2008-04-21 15:14:13 EDT
Summary:

SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./kde.desktop,

restorecon -v './kde.desktop'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                ./kde.desktop [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          tigger3
Source RPM Packages           kdebase-workspace-4.0.3-15.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     tigger3
Platform                      Linux tigger3 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17
                              01:47:10 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sat 19 Apr 2008 06:46:32 BST
Last Seen                     Mon 21 Apr 2008 18:19:14 BST
Local ID                      871cc483-e85e-4967-b9dd-f43a07e74faf
Line Numbers                  

Raw Audit Messages            

host=tigger3 type=AVC msg=audit(1208798354.578:8): avc:  denied  { write } for 
pid=2215 comm="kdm_greet" name="kde.desktop" dev=sda1 ino=426732
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file

host=tigger3 type=SYSCALL msg=audit(1208798354.578:8): arch=40000003 syscall=33
success=yes exit=0 a0=9d0ea20 a1=2 a2=2236290 a3=9d0ea10 items=0 ppid=2211
pid=2215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./kde.desktop,

restorecon -v './kde.desktop'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                ./kde.desktop [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          tigger3
Source RPM Packages           kdebase-workspace-4.0.3-15.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     tigger3
Platform                      Linux tigger3 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17
                              01:47:10 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sat 19 Apr 2008 06:46:32 BST
Last Seen                     Mon 21 Apr 2008 18:19:14 BST
Local ID                      871cc483-e85e-4967-b9dd-f43a07e74faf
Line Numbers                  

Raw Audit Messages            

host=tigger3 type=AVC msg=audit(1208798354.578:8): avc:  denied  { write } for 
pid=2215 comm="kdm_greet" name="kde.desktop" dev=sda1 ino=426732
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file

host=tigger3 type=SYSCALL msg=audit(1208798354.578:8): arch=40000003 syscall=33
success=yes exit=0 a0=9d0ea20 a1=2 a2=2236290 a3=9d0ea10 items=0 ppid=2211
pid=2215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-04-21 15:29:08 EDT
Fixed in selinux-policy-3.3.1-37.fc9.noarch

Note You need to log in before you can comment on or make changes to this bug.