Bug 528719 - SELinux is preventing /usr/bin/kdm "read" access on .dmrc.
Summary: SELinux is preventing /usr/bin/kdm "read" access on .dmrc.
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:639fcb6745c...
Depends On:
Reported: 2009-10-13 13:43 UTC by Mary Ellen Foster
Modified: 2010-03-23 12:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-23 12:49:27 UTC
Type: ---


Description Mary Ellen Foster 2009-10-13 13:43:28 UTC

SELinux is preventing /usr/bin/kdm "read" access on .dmrc.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                .dmrc [ file ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.3.2-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-24.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) #1 SMP Tue
                              Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 13 Oct 2009 09:31:32 AM BST
Last Seen                     Tue 13 Oct 2009 09:31:40 AM BST
Local ID                      42f95668-7057-44d7-9489-f4abcdf95895
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1255422700.891:16): avc:  denied  { read } for  pid=1398 comm="kdm" name=".dmrc" dev=sda8 ino=131205 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1255422700.891:16): arch=c000003e syscall=2 success=no exit=-13 a0=41f547 a1=800 a2=0 a3=4000 items=0 ppid=1316 pid=1398 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall,kdm,xdm_t,default_t,file,read
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t default_t:file read;

Comment 1 Daniel Walsh 2009-10-13 15:00:26 UTC
kdm created a directory under /.kde which is wrong.  The labels in this directory are wrong, and this is denied access.

Probably not blocking you from logging in.
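
Added example, not part of the bug report or of setroubleshoot: a Python triage helper that parses the raw AVC record from the description, renders it in the rule form audit2allow printed above, and flags the `default_t` target as a labelling problem, the diagnosis given in Comment 1. The function names and the `FALLBACK_TYPES` list are assumptions made for this illustration.

```python
import re

# Raw AVC record copied from the bug description above.
AVC_LINE = ('node=(removed) type=AVC msg=audit(1255422700.891:16): avc:  denied  { read } for  '
            'pid=1398 comm="kdm" name=".dmrc" dev=sda8 ino=131205 '
            'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:default_t:s0 tclass=file')
# The paired SYSCALL record, shortened here; it is not a denial record.
SYSCALL_LINE = ('node=(removed) type=SYSCALL msg=audit(1255422700.891:16): arch=c000003e '
                'syscall=2 success=no exit=-13 comm="kdm" exe="/usr/bin/kdm"')

# Assumed triage list: types an object carries when it never received a specific label.
FALLBACK_TYPES = {"default_t", "unlabeled_t"}


def selinux_type(context):
    """The type is the third field; the MLS level after it may itself contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rule(avc):
    """Render the denial in the rule form audit2allow prints."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perm_text)


def triage(avc):
    """'label': fix the file's label or location; 'policy': the rule itself is in question."""
    return "label" if avc["target_type"] in FALLBACK_TYPES else "policy"
```

A `label` result means the suggested allow rule would grant `xdm_t` read access to every `default_t` file, not just `.dmrc`, so the file's label or location should be corrected instead.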

Comment 2 Bug Zapper 2009-11-16 13:36:33 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:

Comment 3 Rex Dieter 2010-03-23 12:49:27 UTC
This is likely an artifact of bug #498809 (or similar, init'ing kde4 runtime in kdm context).

I'll mark this fixed (please re-open if there's evidence to the contrary that this is still a problem).
