Description of problem:

Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                /.kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          p3000fedora.lania-intra.net
Source RPM Packages           kdelibs-4.2.3-2.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   default
Host Name                     p3000fedora.lania-intra.net
Platform                      Linux p3000fedora.lania-intra.net 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count                   23
First Seen                    Tue 26 May 2009 09:20:32 PM CEST
Last Seen                     Thu 04 Jun 2009 08:53:05 PM CEST
Local ID                      7ea85457-f2c1-4db4-bff5-4d6df7189c72
Line Numbers

Raw Audit Messages

node=p3000fedora.lania-intra.net type=AVC msg=audit(1244141585.807:5): avc: denied { getattr } for pid=2023 comm="kde4-config" path="/.kde" dev=sda3 ino=5788616 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=p3000fedora.lania-intra.net type=SYSCALL msg=audit(1244141585.807:5): arch=40000003 syscall=196 success=yes exit=0 a0=bf99353b a1=bf993488 a2=7d3ff4 a3=82c8531 items=0 ppid=2022 pid=2023 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

This is a bug in kdebase. The kdm login program thinks its home dir is / so it is trying to create /.kde in the root directory
Odd, I can't reproduce this... we've had similar reports about invalid access to /root/.kde as well (which I do see too)
I removed /.kde and rebooted. The ./kde directory is being re-created automatically and following is in selinux troubleshooter:

Summary:

SELinux prevented kde4-config from writing .kde.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may want to allow this. If .kde is not a core file, this could signal a intrusion attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access: "setsebool -P allow_daemons_dump_core=1."

Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                .kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          p3000fedora.lania-intra.net
Source RPM Packages           kdelibs-4.2.3-2.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_daemons_dump_core
Host Name                     p3000fedora.lania-intra.net
Platform                      Linux p3000fedora.lania-intra.net 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Thu 04 Jun 2009 10:16:11 PM CEST
Last Seen                     Thu 04 Jun 2009 10:16:11 PM CEST
Local ID                      c8501e92-5f90-4446-a24f-3a12e8ea5838
Line Numbers

Raw Audit Messages

node=p3000fedora.lania-intra.net type=AVC msg=audit(1244146571.282:5): avc: denied { create } for pid=2017 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=p3000fedora.lania-intra.net type=SYSCALL msg=audit(1244146571.282:5): arch=40000003 syscall=39 success=yes exit=0 a0=8440088 a1=1c0 a2=6aef990 a3=0 items=0 ppid=2016 pid=2017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
I think it's a dupe of Bug 498809
Right, this is kde4-config being called at an inappropriate point in time. It will be fixed by the Qt 4.5.1 update group (in particular, the matching kdelibs), which is now queued for stable. *** This bug has been marked as a duplicate of bug 498809 ***
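
Added example, not part of the original bug report: a small Python triage script that parses the two AVC records quoted in this thread and flags denials whose target is a directory labeled default_t or root_t, the pattern the comments trace to kdm treating / as its home directory. The names parse_avc, triage and SUSPECT_TARGET_TYPES are hypothetical, and the set of suspect types is an assumption taken from the two reports above.

```python
import re

# AVC records copied from the two reports in this thread
# (node= prefix and the paired SYSCALL records left out).
SAMPLE = [
    'type=AVC msg=audit(1244141585.807:5): avc: denied { getattr } for '
    'pid=2023 comm="kde4-config" path="/.kde" dev=sda3 ino=5788616 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1244146571.282:5): avc: denied { create } for '
    'pid=2017 comm="kde4-config" name=".kde" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:root_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: the target types seen in the two reports above.
SUSPECT_TARGET_TYPES = {'default_t', 'root_t'}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # user:role:type:level, where the level may contain ':' itself
        parts = rec.get(key, '').split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec

def triage(lines):
    """Flag denials on directories labeled with a suspect type."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get('tclass') != 'dir':
            continue
        if rec['tcontext_type'] in SUSPECT_TARGET_TYPES:
            target = rec.get('path') or rec.get('name')
            findings.append((rec.get('comm'), rec['scontext_type'],
                             rec['perms'], target, rec['tcontext_type']))
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE):
        print('%s (%s) denied %s on %s [%s]' % f)
```

Both records come back with source domain xdm_t and command kde4-config, which points at the calling program rather than at a labeling problem that a relabel or boolean would fix.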