Bug 450963 - Spurious selinux denials with kdm (xdm_t) and admin_home_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-06-11 18:08 EDT by Carl Roth
Modified: 2008-11-17 17:04 EST
Last Closed: 2008-11-17 17:04:33 EST
Description Carl Roth 2008-06-11 18:08:13 EDT
Description of problem:

My system keeps generating selinux denials of the form

host=HOST-REDACTED type=AVC msg=audit(1213205770.625:15): avc: denied { read }
for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file

host=HOST-REDACTED type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e
syscall=89 success=yes exit=13 a0=7fff08cff840 a1=7fff08cfd820 a2=1000 a3=ff2
items=0 ppid=3386 pid=3855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp"
exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null) 

I have the 'xdm_sysadm_login' boolean turned off.

I notice in xserver.te that there are lots of dontaudit statements relating to
admin_home_t, but nothing related to the lnk_file type that KDE seems so fond of
(tmp-XXX, cache-XXX).

Perhaps something like this is needed in the 'false' branch of the
xdm_sysadm_login test (please advise):

  dontaudit xdm_t admin_home_t:lnk_file read_link_file_perms;

I think that the default behavior of kdm is that it scrapes the user list (and
possibly the user homedirs) to generate the login screen, so the access attempt
may be unavoidable.

Version-Release number of selected component (if applicable):

kde-settings-kdm-4.0-23.fc9.noarch
selinux-policy-targeted-3.3.1-62.fc9.noarch

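The triage step the report describes (read the AVC record, then write a matching dontaudit rule), as an added example that is not part of the original report or of selinux-policy; it is a small stand-in for what `audit2allow -D` does. The first sample record is the one quoted above with the host= prefix dropped and wrapped lines joined; the second record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Record 1: the AVC from the report. Record 2: constructed, to show how
# permissions on the same (source, target, class) triple are merged.
SAMPLE_LOG = """\
type=AVC msg=audit(1213205770.625:15): avc: denied { read } for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1213205771.100:16): avc: denied { getattr } for pid=3855 comm="lnusertemp" name="cache-HOST-REDACTED" dev=dm-0 ino=569382 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e syscall=89 success=yes exit=13 comm="lnusertemp"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    # The MLS level may itself contain colons, so index from the left.
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no avc: field
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped

def dontaudit_rules(grouped):
    """Render one dontaudit rule per group, with permissions sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"dontaudit {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in dontaudit_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

The output lists raw permissions, where the rule proposed in the report uses a permission-set macro. A dontaudit rule only silences logging, so it belongs in policy only once the denied access is confirmed to be unneeded.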
Comment 1 Daniel Walsh 2008-06-14 07:18:25 EDT
Is this happening when you try to login as root?
Comment 2 Daniel Walsh 2008-06-14 07:22:07 EDT
Dontaudit added in selinux-policy-3.3.1-68.fc9.noarch
Comment 3 Carl Roth 2008-06-14 14:24:11 EDT
I'm not using the root login on this machine.  In fact, several times after I
saw this message I deleted the /root/.kde directory.  I am wondering if this is
a weird side-effect of running kdm.
Comment 4 Daniel Walsh 2008-06-22 08:29:09 EDT
Just say no to kdm :^)
Comment 5 Carl Roth 2008-06-22 13:34:29 EDT
I guess now would not be a good time to also point out that kwin and plasma also
generate execmem and execstack denials...
Comment 6 Daniel Walsh 2008-06-23 06:10:17 EDT
Please open bugzillas on those packages, and cc me.
Comment 7 Carl Roth 2008-06-23 13:56:26 EDT
Don't worry about those; I tracked them down to a known issue with
execmem/execstack and the nVidia vendor GL libraries.
Comment 8 Daniel Walsh 2008-11-17 17:04:33 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
