Bug 505408 - SELinux error on logout - SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: x86_64 Linux
Priority: low  Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-11 15:41 EDT by Tim Scofield
Modified: 2009-06-11 17:49 EDT (History)
Doc Type: Bug Fix
Clone Of: 503061
Last Closed: 2009-06-11 17:49:34 EDT
Description Tim Scofield 2009-06-11 15:41:24 EDT
+++ This bug was initially created as a clone of Bug #503061 +++
Bug #503061 was - SELinux policy prevents krb5 logins

Description of problem:
Get the following error on logout. 

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-44.fc11.noarch

How reproducible: Very


Steps to Reproduce:
1. Login to KDE then logout
  
Actual results:
Get selinux alert on logout

Expected results:
No selinux alerts on logout

Additional info:
Copied the following information from seaudit -g :
Summary:

SELinux is preventing kdm (xdm_t) "execute" bootloader_exec_t. 

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is required by kdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information:
Source Context:  system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:bootloader_exec_t:s0
Target Objects:  grub [ file ]
Source:  kdm
Source Path:  /usr/bin/kdm
Port:  <Unknown>
Host:  hostname.deleted
Source RPM Packages:  kdm-4.2.3-5.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-44.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  hostname.deleted
Platform:  Linux hostname.deleted 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count:  6
First Seen:  Wed 03 Jun 2009 09:12:39 AM MDT
Last Seen:  Thu 11 Jun 2009 10:25:48 AM MDT
Local ID:  53dfc5c0-9319-4b81-a5b1-9f832b6f0f54
Line Numbers:  

Raw Audit Messages :

node=hostname.deleted type=AVC msg=audit(1244737548.319:27226): avc: denied { execute } for pid=1978 comm="kdm" name="grub" dev=dm-0 ino=60363 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file

node=hostname.deleted type=SYSCALL msg=audit(1244737548.319:27226): arch=c000003e syscall=21 success=no exit=-13 a0=7fffaa72d966 a1=1 a2=0 a3=10 items=0 ppid=1 pid=1978 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 1 Tim Scofield 2009-06-11 16:01:35 EDT
Unlike the previous, copied Bug #503061, this one is limited to KDE.
Comment 2 Daniel Walsh 2009-06-11 17:49:34 EDT
This is not supported by SELinux; if you want to add this support, you can do so using audit2allow.

Allowing the login screen to modify grub without logging in is considered by the SELinux security team to be a security problem, which is why it is turned off by default.
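A triage helper for the AVC record quoted in the report, added here as an example (not code from the bug report or the selinux-policy project): it parses the kernel AVC line into source type, target type, object class and permissions, rebuilds the setroubleshoot-style summary, and renders the allow rule that audit2allow would generate, so the exact grant a local module would add can be reviewed before it is built. The AVC line is a constructed copy of the one in the report; the regex and field names are the example's own.

```python
import re

# Constructed copy of the AVC record from this bug report's raw audit messages (one line).
AVC_LINE = (
    'node=hostname.deleted type=AVC msg=audit(1244737548.319:27226): avc: denied { execute } '
    'for pid=1978 comm="kdm" name="grub" dev=dm-0 ino=60363 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file'
)

# Kernel AVC record: "avc: denied { perm ... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Split one AVC record into its fields; return None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    f['perms'] = f['perms'].split()
    # A context is user:role:type[:range]; policy rules are written against the type.
    f['stype'] = f['scontext'].split(':')[2]
    f['ttype'] = f['tcontext'].split(':')[2]
    # Process/object details; values may be quoted (comm="kdm") or bare (pid=1978).
    for key in ('pid', 'comm', 'name'):
        km = re.search(r'\b%s=("?)([^\s"]+)\1' % key, line)
        f[key] = km.group(2) if km else None
    return f


def summary(f):
    """One-line description in the style of the setroubleshoot summary quoted in this bug."""
    return 'SELinux is preventing %s (%s) "%s" %s.' % (
        f['comm'], f['stype'], ' '.join(f['perms']), f['ttype'])


def allow_rule(f):
    """The TE allow rule audit2allow would emit for this denial, for review before loading."""
    perms = f['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (f['stype'], f['ttype'], f['tclass'], perm_str)


if __name__ == '__main__':
    fields = parse_avc(AVC_LINE)
    print(summary(fields))
    print(allow_rule(fields))
```

For this report the rendered rule is `allow xdm_t bootloader_exec_t:file execute;`, which is precisely the grant comment 2 declines to ship by default.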
