450963 – Spurious selinux denials with kdm (xdm_t) and admin_home_t

Bug 450963 - Spurious selinux denials with kdm (xdm_t) and admin_home_t

Summary: Spurious selinux denials with kdm (xdm_t) and admin_home_t

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-06-11 22:08 UTC by Carl Roth
Modified:	2008-11-17 22:04 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-17 22:04:33 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Carl Roth 2008-06-11 22:08:13 UTC

Description of problem:

My system keeps generating selinux denials of the form

host=HOST-REDACTED type=AVC msg=audit(1213205770.625:15): avc: denied { read }
for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file

host=HOST-REDACTED type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e
syscall=89 success=yes exit=13 a0=7fff08cff840 a1=7fff08cfd820 a2=1000 a3=ff2
items=0 ppid=3386 pid=3855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp"
exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null) 

I have the 'xdm_sysadm_login' boolean turned off.

I notice in xserver.te that there are lots of dontaudit statements relating to
admin_home_t, but nothing related to the lnk_file type that KDE seems so fond of
(tmp-XXX, cache-XXX).

Perhaps something like this is needed in the 'false' branch of the
xdm_sysadm_login test (please advise):

  dontaudit xdm_t admin_home_t:lnk_file read_link_file_perms;

I think that the default behavior of kdm is that it scrapes the user list (and
possibly the user homedirs) to generate the login screen, so access attempt may
be unavoidable.

Version-Release number of selected component (if applicable):

kde-settings-kdm-4.0-23.fc9.noarch
selinux-policy-targeted-3.3.1-62.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-06-14 11:18:25 UTC

Is this happening when you try to login as root?

Comment 2 Daniel Walsh 2008-06-14 11:22:07 UTC

Donaudit added in selinux-policy-3.3.1-68.fc9.noarch

Comment 3 Carl Roth 2008-06-14 18:24:11 UTC

I'm not using the root login on this machine.  In fact, several times after I
saw this message I deleted the /root/.kde directory.  I am wondering if this is
a wierd side-effect of running kdm.

Comment 4 Daniel Walsh 2008-06-22 12:29:09 UTC

Just say no to kdm :^)

Comment 5 Carl Roth 2008-06-22 17:34:29 UTC

i guess now would not be a good time to also point out that kwin and plasma also
generate execmem and execstack denials...

Comment 6 Daniel Walsh 2008-06-23 10:10:17 UTC

Please open bugzilla's on those packages, and cc me.

Comment 7 Carl Roth 2008-06-23 17:56:26 UTC

don't worry about those; I tracked them down to a known issue with
execmem/execstack and the nVidia vendor GL libraries.

Comment 8 Daniel Walsh 2008-11-17 22:04:33 UTC

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.