Bug 588130 - SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16.desktop.
SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16....
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kdebase-workspace (Show other bugs)
12
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:f2c96ac51cd...
:
: 614134 (view as bug list)
Depends On:
Blocks: kde-4.5
  Show dependency treegraph
 
Reported: 2010-05-02 15:42 EDT by ssabchew
Modified: 2013-02-02 09:43 EST (History)
52 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-16 17:44:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
kdmrc (1.57 KB, application/octet-stream)
2010-06-11 15:31 EDT, Carl G.
no flags Details

  None (edit)
Description ssabchew 2010-05-02 15:42:50 EDT
Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16.desktop.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                e16.desktop [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.4.2-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Sun 02 May 2010 08:00:34 PM EEST
Last Seen                     Sun 02 May 2010 08:18:57 PM EEST
Local ID                      8970c2db-a27c-46c5-a275-67a735b7eba7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272820737.790:290): avc:  denied  { write } for  pid=3654 comm="kdm_greet" name="e16.desktop" dev=dm-1 ino=431187 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1272820737.790:290): arch=c000003e syscall=21 success=no exit=-13 a0=2a48858 a1=2 a2=2a48877 a3=3f items=0 ppid=3648 pid=3654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,kdm_greet,xdm_t,bin_t,file,write
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t bin_t:file write;
Comment 1 Miroslav Grepl 2010-05-03 07:11:38 EDT
Where is the e16.desktop file located?
Comment 2 Carl G. 2010-06-11 14:00:18 EDT
Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on
/usr/libexec/kde4/lnusertemp.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec/kde4/lnusertemp [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          BubbleWork
Source RPM Packages           kdm-4.4.85-2.fc14
Target RPM Packages           kdelibs-4.4.85-2.fc14
Policy RPM                    selinux-policy-3.8.3-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     
Platform                      Linux  2.6.34-20.fc14.x86_64 #1 SMP Wed
                              Jun 2 12:36:51 UTC 2010 x86_64 x86_64
Alert Count                   7
First Seen                    Fri Jun 11 13:28:32 2010
Last Seen                     Fri Jun 11 13:28:35 2010
Local ID                      c0e2baba-1dd9-494a-bcac-9ea77f585840
Line Numbers                  

Raw Audit Messages            

node= type=AVC msg=audit(1276277315.312:28576): avc:  denied  { write } for  pid=3553 comm="kdm_greet" name="lnusertemp" dev=dm-1 ino=71832 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node= type=SYSCALL msg=audit(1276277315.312:28576): arch=c000003e syscall=21 success=no exit=-13 a0=2923e18 a1=2 a2=7fff4e9b9130 a3=e8 items=0 ppid=3550 pid=3553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Not sure if it change anything but it happened after upgrading from KDE 4.5.80 to 4.5.85
Comment 3 Carl G. 2010-06-11 14:26:47 EDT
4.4.80 / 85

kde 4.5b1 & 2, my bad.
Comment 4 Rex Dieter 2010-06-11 15:26:44 EDT
If you've customized kdm/kdmrc at all, please attach it here too (/etc/kde/kdm/kdmrc)
Comment 5 Carl G. 2010-06-11 15:31:07 EDT
Created attachment 423378 [details]
kdmrc
Comment 6 Carl G. 2010-07-15 22:38:12 EDT
(In reply to comment #1)
> Where is the e16.desktop file located?    

$ ls -Z /usr/share/kde4/apps/kdm/sessions/e16.desktop
-rw-r--r--. root root system_u:object_r:usr_t:s0       /usr/share/kde4/apps/kdm/sessions/e16.desktop
Comment 7 Rex Dieter 2010-07-15 23:25:42 EDT
We've been considering nuking the stuff under
/usr/share/kde4/apps/kdm/sessions
for awhile, maybe this a good excuse to do so.
Comment 8 Rex Dieter 2010-07-15 23:26:41 EDT
info provided in comment #6 and comment #7
Comment 9 Carl G. 2010-07-15 23:47:44 EDT
*** Bug 614134 has been marked as a duplicate of this bug. ***
Comment 10 Rex Dieter 2010-07-16 17:44:24 EDT
* Fri Jul 16 2010 Rex Dieter <rdieter@fedoraproject.org> - 4.4.92-2
- omit non-essential xsession .desktop files, runs afoul of selinux (#588130)
Comment 11 Martin Kho 2010-08-13 08:21:59 EDT
Hi,

I was directed to this report by the sealert tool. Strange, because this report seems to be closed. I'm running rawhide (FC15) and get some sort of the same avc message: "SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/bin/startkde."

Source RPM: kdm-4.5.0-1.fc15.x86_64
Target RPM: kdebase-workspace-4.5.0-1.fc15
Policy RPM:  selinux-policy-3.8.8-12.fc15
Platform:  Linux ps-1866.localdomain 2.6.36-0.0.rc0.git1.fc15.x86_64 #1 SMP Wed Aug 4 16:26:35 UTC 2010 x86_64 x86_64

I have no customized kderc (comment #4).

So is this bug still present or ...?

Martin Kho
Comment 12 Rex Dieter 2010-08-13 08:59:16 EDT
the original report is closed because the extraneous *.desktop files no longer exist.  I suspect your issue is something different, perhaps similar to bug #590883 ?
Comment 13 Daniel Walsh 2010-08-13 10:05:07 EDT
martin, please attach the AVC message that you received
Comment 14 Sandro Mathys 2010-08-13 10:09:27 EDT
sealert brought me to this bug on a fresh Fedora 14 Alpha RC4 installation.


Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on lnusertemp.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                lnusertemp [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.5.0-2.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.8-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux mjolnir.ethz.ch 2.6.35-3.fc14.x86_64 #1 SMP
                              Fri Aug 6 19:41:28 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Fri 13 Aug 2010 03:57:47 PM CEST
Last Seen                     Fri 13 Aug 2010 04:03:41 PM CEST
Local ID                      79507af7-bb02-4c79-9de0-9f0f6afec772
Line Numbers                  

Raw Audit Messages            

node=mjolnir.ethz.ch type=AVC msg=audit(1281708221.860:503): avc:  denied  { write } for  pid=2642 comm="kdm_greet" name="lnusertemp" dev=dm-1 ino=14297533 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=mjolnir.ethz.ch type=SYSCALL msg=audit(1281708221.860:503): arch=c000003e syscall=21 success=no exit=-13 a0=158d7c8 a1=2 a2=7fffc0d3c340 a3=e8 items=0 ppid=2639 pid=2642 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 15 Daniel Walsh 2010-08-13 13:13:14 EDT
I think this is being caused by the update to python2.7  If you run 

yum -y update

You should not see the avc any longer.
Comment 16 Martin Kho 2010-08-14 03:46:28 EDT
Hi Daniel,

@comment13:

Raw Audit Messages :
node=ps-1866.localdomain type=AVC msg=audit(1281771115.168:11): avc: denied { write } for pid=1362 comm="kdm_greet" name="startkde" dev=sda8 ino=14529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=ps-1866.localdomain type=SYSCALL msg=audit(1281771115.168:11): arch=c000003e syscall=21 success=yes exit=0 a0=1377788 a1=2 a2=7fffdf46c7b0 a3=30 items=0 ppid=1359 pid=1362 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

@comment 15:
I updated my system yesterday. The above messages are from to day.

Martin Kho
Comment 17 Daniel Walsh 2010-08-15 08:10:01 EDT
It does look like you are having the same problem discussed in 590883
Comment 18 Michal Hlavinka 2010-08-18 12:28:33 EDT
this bug is closed:rawhide, but problem (still) exist in Fedora 13 :

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/libexec/kde4/lnusertemp.

Raw Audit Messages :node=nbone.mihlnet type=AVC msg=audit(1282147876.74:22491): avc: denied { write } for pid=27911 comm="kdm_greet" name="lnusertemp" dev=sda5 ino=139022 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file node=nbone.mihlnet type=SYSCALL msg=audit(1282147876.74:22491): arch=c000003e syscall=21 success=no exit=-13 a0=26fef48 a1=2 a2=7fffaf6dc300 a3=34 items=0 ppid=27908 pid=27911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 19 Rex Dieter 2010-08-18 12:53:42 EDT
Yours is a different denial (though similar), closer to a few others, including bug #590883 ,
Comment 20 Rex Dieter 2010-08-18 12:54:57 EDT
on second thought, mind filing a new bug ?  (and provide any hints on how to reproduce it).
Comment 21 Edney Matias 2010-08-18 16:59:40 EDT
Don't know if i should answer that, but i think it's related to suspend/resume. 
Actually i couldn't reproduce it again, but normally it occurs when i unlock 
my notebook after resuming from suspend.
Comment 22 Frank Thieme 2010-08-18 17:48:19 EDT
I get those messages when booting my laptop and logging in. No suspend/resume...

KDE 4.5.0 and F13
Comment 23 Michal Hlavinka 2010-08-19 04:02:11 EDT
(In reply to comment #20)
> on second thought, mind filing a new bug ?  (and provide any hints on how to
> reproduce it).

filled as bug #625367

Note You need to log in before you can comment on or make changes to this bug.