Description of problem:
Upon clicking 'leave' in the kdemenu (or whatever it's called in kde4), I get a SELinux denial.

Version-Release number of selected component (if applicable):
- Fedora 10 S3 (installed from KDE LiveCD-ISO on USB-key), updated to latest rawhide
- selinux-policy-3.5.13-8.fc10.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Open the kdemenu (I'm using the 'traditional' one)
2. Click 'leave'

Actual results:
SELinux denial

Expected results:
No SELinux denial

Additional info:
In the 'Login Manager' (started from the 'System Settings') on tab 'Shutdown (5)', I manually set 'Boot manager' to 'Grub' previously.

---------------

Summary:

SELinux is preventing kdm (xdm_t) "execute" to ./grub (bootloader_exec_t).

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is required by kdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./grub,

restorecon -v './grub'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bootloader_exec_t:s0
Target Objects                ./grub [ file ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          nebuchadnezzar
Source RPM Packages           kdebase-workspace-4.1.2-7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-8.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     nebuchadnezzar
Platform                      Linux nebuchadnezzar 2.6.27.4-51.fc10.i686 #1 SMP Sun Oct 26 21:04:43 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 29 Oct 2008 10:39:29 PM CET
Last Seen                     Wed 29 Oct 2008 10:41:29 PM CET
Local ID                      2b9bd3e7-38c7-44fa-9572-71d0c275c7f0
Line Numbers

Raw Audit Messages

node=nebuchadnezzar type=AVC msg=audit(1225316489.528:79): avc: denied { execute } for pid=2475 comm="kdm" name="grub" dev=dm-1 ino=19639 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file

node=nebuchadnezzar type=SYSCALL msg=audit(1225316489.528:79): arch=40000003 syscall=33 success=no exit=-13 a0=bff3370d a1=1 a2=bff36f8e a3=bff36f89 items=0 ppid=1 pid=2475 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
I'm unable to reproduce this.

Have you modified your system in any way? 3rd party software/drivers, or modified kdm's configuration?
I added the Livna/RPM Fusion Repos and installed some pkgs from there, yes. But nothing for kdm, kde or grub. No drivers. Nothing modified except for what I stated above (Additional Information).

Is there an easy way to see what packages I installed from those repos? If that information is important to this problem.
> Is there an easy way to see what packages I installed from those repos?

rpm -qa --qf "%{name} %{vendir}" | grep "RPM Fusion"
rpm -qa --qf "%{name} %{vendor}" | grep rpm.livna.org"
> Is there an easy way to see what packages I installed from those repos?

rpm -qa --qf "%{name} %{vendor}\n" | grep "RPM Fusion"
rpm -qa --qf "%{name} %{vendor}\n" | grep "rpm.livna.org"
I know kdm used to try to modify the grub entry by executing grubby but that was supposedly turned off.
Fwiw, it was never turned on... we explored the possibility of enabling it... (but that idea was NACK'd due to security concerns)
$ rpm -qa --qf "%{name} %{vendor}\n" | grep -v "Fedora Project"
adobe-release-i386 Adobe Systems Inc.
rpmfusion-free-release RPM Fusion
gpg-pubkey (none)
rootfiles Red Hat, Inc.
rpmfusion-nonfree-release RPM Fusion
htmlview Koji
flash-plugin Adobe Systems Inc.
gpg-pubkey (none)
livna-release rpm.livna.org

---

I'm not sure if that's related or if I should file that as a new bug: If I start the "Login Manager" from the "System Settings" I'm asked for the root pwd by "KDE su". After I provide that, the application is starting. When I then click "OK" (doesn't matter if I made some changes and "Apply" doesn't change anything, either) KDE su brings up a dialog "Command '/usr/bin/kcmshell4 kdm --lang en_US' not found." (the command I initially gave the password for).
Sandro, to check for sure what Dan is talking about, look for BootManager= in /etc/kde/kdm/kdmrc.

It should say
BootManager=None

Changing to
BootManager=Grub
will yield SELinux denials and is unsupported.
The "lang... not found" error is known and already reported,
$ cat /etc/kde/kdm/kdmrc | grep BootManager
BootManager=Grub

---

I changed that manually to "None" and logged out / in again -> denial has gone.

That's btw the thing that I mentioned in my initial post:
"Additional info: In the 'Login Manager' (started from the 'System Settings') on tab 'Shutdown (5)', I manually set 'Boot manager' to 'Grub' previously."

Changing the value there from 'None' to 'Grub' does the change in the kdmrc that produced this problem.
If you really want to be able to use that option, you have to either turn off SELinux or customize it (maybe try audit2allow) to allow this. It is turned off for security reasons and the SELinux policy maintainers decided against enabling it (and there's nothing which can be done in KDE to avoid this, it is the very action you're trying to perform which is blocked by design).
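
An added example, not part of the original thread: a small parser for the two raw audit records quoted in the report. It pairs the AVC and SYSCALL records by event id, shows the type-enforcement rule the denial corresponds to (the form audit2allow prints) so it can be reviewed before anyone loads it, and decodes the syscall. The `I386_SYSCALLS` table and all function names are assumptions of this example; the records are copied from the report, with the SYSCALL record trimmed.

```python
import errno
import os
import re

# Audit records from the report above (event 79); the SYSCALL record is
# trimmed to the fields used here.
RECORDS = [
    'node=nebuchadnezzar type=AVC msg=audit(1225316489.528:79): avc: denied '
    '{ execute } for pid=2475 comm="kdm" name="grub" dev=dm-1 ino=19639 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file',
    'node=nebuchadnezzar type=SYSCALL msg=audit(1225316489.528:79): '
    'arch=40000003 syscall=33 success=no exit=-13 a0=bff3370d a1=1 '
    'comm="kdm" exe="/usr/bin/kdm"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
I386_SYSCALLS = {33: "access"}  # arch=40000003 is i386; only this entry is needed

def parse(line):
    """Split one audit record into fields, plus event id and denied perms."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["event"] = EVENT.search(line).group(1)
    perms = PERMS.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def se_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]

def allow_rule(avc):
    """Render the denial as the allow rule that would permit it."""
    perms = avc["perms"]
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (se_type(avc["scontext"]),
                                   se_type(avc["tcontext"]), avc["tclass"], body)

def summarize(lines):
    """Pair the AVC and SYSCALL records of one event and describe the denial."""
    recs = [parse(l) for l in lines]
    avc = next(r for r in recs if r["type"] == "AVC")
    sc = next(r for r in recs if r["type"] == "SYSCALL" and r["event"] == avc["event"])
    return {
        "rule": allow_rule(avc),
        "syscall": I386_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "x_ok": bool(int(sc["a1"], 16) & os.X_OK),  # a1 is the access() mode
        "errno": errno.errorcode[-int(sc["exit"])],
    }

if __name__ == "__main__":
    print(summarize(RECORDS))
```

The decoded SYSCALL record shows the denial came from an access() call with X_OK on grub that returned EACCES, and the rule makes explicit what a local module would grant to the xdm_t domain.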