Bug 588130 - SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16.desktop.
Summary: SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16....
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase-workspace   
(Show other bugs)
Version: 12
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f2c96ac51cd...
Keywords:
: 614134 (view as bug list)
Depends On:
Blocks: kde-4.5
TreeView+ depends on / blocked
 
Reported: 2010-05-02 19:42 UTC by ssabchew
Modified: 2013-02-02 14:43 UTC (History)
52 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-16 21:44:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
kdmrc (1.57 KB, application/octet-stream)
2010-06-11 19:31 UTC, Carl G.
no flags Details

Description ssabchew 2010-05-02 19:42:50 UTC
Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on e16.desktop.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                e16.desktop [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.4.2-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   9
First Seen                    Sun 02 May 2010 08:00:34 PM EEST
Last Seen                     Sun 02 May 2010 08:18:57 PM EEST
Local ID                      8970c2db-a27c-46c5-a275-67a735b7eba7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272820737.790:290): avc:  denied  { write } for  pid=3654 comm="kdm_greet" name="e16.desktop" dev=dm-1 ino=431187 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1272820737.790:290): arch=c000003e syscall=21 success=no exit=-13 a0=2a48858 a1=2 a2=2a48877 a3=3f items=0 ppid=3648 pid=3654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,kdm_greet,xdm_t,bin_t,file,write
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t bin_t:file write;

Comment 1 Miroslav Grepl 2010-05-03 11:11:38 UTC
Where is the e16.desktop file located?

Comment 2 Carl G. 2010-06-11 18:00:18 UTC
Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on
/usr/libexec/kde4/lnusertemp.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec/kde4/lnusertemp [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          BubbleWork
Source RPM Packages           kdm-4.4.85-2.fc14
Target RPM Packages           kdelibs-4.4.85-2.fc14
Policy RPM                    selinux-policy-3.8.3-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     
Platform                      Linux  2.6.34-20.fc14.x86_64 #1 SMP Wed
                              Jun 2 12:36:51 UTC 2010 x86_64 x86_64
Alert Count                   7
First Seen                    Fri Jun 11 13:28:32 2010
Last Seen                     Fri Jun 11 13:28:35 2010
Local ID                      c0e2baba-1dd9-494a-bcac-9ea77f585840
Line Numbers                  

Raw Audit Messages            

node= type=AVC msg=audit(1276277315.312:28576): avc:  denied  { write } for  pid=3553 comm="kdm_greet" name="lnusertemp" dev=dm-1 ino=71832 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node= type=SYSCALL msg=audit(1276277315.312:28576): arch=c000003e syscall=21 success=no exit=-13 a0=2923e18 a1=2 a2=7fff4e9b9130 a3=e8 items=0 ppid=3550 pid=3553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Not sure if it change anything but it happened after upgrading from KDE 4.5.80 to 4.5.85

Comment 3 Carl G. 2010-06-11 18:26:47 UTC
4.4.80 / 85

kde 4.5b1 & 2, my bad.

Comment 4 Rex Dieter 2010-06-11 19:26:44 UTC
If you've customized kdm/kdmrc at all, please attach it here too (/etc/kde/kdm/kdmrc)

Comment 5 Carl G. 2010-06-11 19:31:07 UTC
Created attachment 423378 [details]
kdmrc

Comment 6 Carl G. 2010-07-16 02:38:12 UTC
(In reply to comment #1)
> Where is the e16.desktop file located?    

$ ls -Z /usr/share/kde4/apps/kdm/sessions/e16.desktop
-rw-r--r--. root root system_u:object_r:usr_t:s0       /usr/share/kde4/apps/kdm/sessions/e16.desktop

Comment 7 Rex Dieter 2010-07-16 03:25:42 UTC
We've been considering nuking the stuff under
/usr/share/kde4/apps/kdm/sessions
for awhile, maybe this a good excuse to do so.

Comment 8 Rex Dieter 2010-07-16 03:26:41 UTC
info provided in comment #6 and comment #7

Comment 9 Carl G. 2010-07-16 03:47:44 UTC
*** Bug 614134 has been marked as a duplicate of this bug. ***

Comment 10 Rex Dieter 2010-07-16 21:44:24 UTC
* Fri Jul 16 2010 Rex Dieter <rdieter@fedoraproject.org> - 4.4.92-2
- omit non-essential xsession .desktop files, runs afoul of selinux (#588130)

Comment 11 Martin Kho 2010-08-13 12:21:59 UTC
Hi,

I was directed to this report by the sealert tool. Strange, because this report seems to be closed. I'm running rawhide (FC15) and get some sort of the same avc message: "SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/bin/startkde."

Source RPM: kdm-4.5.0-1.fc15.x86_64
Target RPM: kdebase-workspace-4.5.0-1.fc15
Policy RPM:  selinux-policy-3.8.8-12.fc15
Platform:  Linux ps-1866.localdomain 2.6.36-0.0.rc0.git1.fc15.x86_64 #1 SMP Wed Aug 4 16:26:35 UTC 2010 x86_64 x86_64

I have no customized kderc (comment #4).

So is this bug still present or ...?

Martin Kho

Comment 12 Rex Dieter 2010-08-13 12:59:16 UTC
the original report is closed because the extraneous *.desktop files no longer exist.  I suspect your issue is something different, perhaps similar to bug #590883 ?

Comment 13 Daniel Walsh 2010-08-13 14:05:07 UTC
martin, please attach the AVC message that you received

Comment 14 Sandro Mathys 2010-08-13 14:09:27 UTC
sealert brought me to this bug on a fresh Fedora 14 Alpha RC4 installation.


Summary:

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on lnusertemp.

Detailed Description:

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                lnusertemp [ file ]
Source                        kdm_greet
Source Path                   /usr/libexec/kde4/kdm_greet
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.5.0-2.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.8-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux mjolnir.ethz.ch 2.6.35-3.fc14.x86_64 #1 SMP
                              Fri Aug 6 19:41:28 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Fri 13 Aug 2010 03:57:47 PM CEST
Last Seen                     Fri 13 Aug 2010 04:03:41 PM CEST
Local ID                      79507af7-bb02-4c79-9de0-9f0f6afec772
Line Numbers                  

Raw Audit Messages            

node=mjolnir.ethz.ch type=AVC msg=audit(1281708221.860:503): avc:  denied  { write } for  pid=2642 comm="kdm_greet" name="lnusertemp" dev=dm-1 ino=14297533 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=mjolnir.ethz.ch type=SYSCALL msg=audit(1281708221.860:503): arch=c000003e syscall=21 success=no exit=-13 a0=158d7c8 a1=2 a2=7fffc0d3c340 a3=e8 items=0 ppid=2639 pid=2642 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 15 Daniel Walsh 2010-08-13 17:13:14 UTC
I think this is being caused by the update to python2.7  If you run 

yum -y update

You should not see the avc any longer.

Comment 16 Martin Kho 2010-08-14 07:46:28 UTC
Hi Daniel,

@comment13:

Raw Audit Messages :
node=ps-1866.localdomain type=AVC msg=audit(1281771115.168:11): avc: denied { write } for pid=1362 comm="kdm_greet" name="startkde" dev=sda8 ino=14529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=ps-1866.localdomain type=SYSCALL msg=audit(1281771115.168:11): arch=c000003e syscall=21 success=yes exit=0 a0=1377788 a1=2 a2=7fffdf46c7b0 a3=30 items=0 ppid=1359 pid=1362 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

@comment 15:
I updated my system yesterday. The above messages are from to day.

Martin Kho

Comment 17 Daniel Walsh 2010-08-15 12:10:01 UTC
It does look like you are having the same problem discussed in 590883

Comment 18 Michal Hlavinka 2010-08-18 16:28:33 UTC
this bug is closed:rawhide, but problem (still) exist in Fedora 13 :

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/libexec/kde4/lnusertemp.

Raw Audit Messages :node=nbone.mihlnet type=AVC msg=audit(1282147876.74:22491): avc: denied { write } for pid=27911 comm="kdm_greet" name="lnusertemp" dev=sda5 ino=139022 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file node=nbone.mihlnet type=SYSCALL msg=audit(1282147876.74:22491): arch=c000003e syscall=21 success=no exit=-13 a0=26fef48 a1=2 a2=7fffaf6dc300 a3=34 items=0 ppid=27908 pid=27911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 19 Rex Dieter 2010-08-18 16:53:42 UTC
Yours is a different denial (though similar), closer to a few others, including bug #590883 ,

Comment 20 Rex Dieter 2010-08-18 16:54:57 UTC
on second thought, mind filing a new bug ?  (and provide any hints on how to reproduce it).

Comment 21 Edney Matias 2010-08-18 20:59:40 UTC
Don't know if i should answer that, but i think it's related to suspend/resume. 
Actually i couldn't reproduce it again, but normally it occurs when i unlock 
my notebook after resuming from suspend.

Comment 22 Frank Thieme 2010-08-18 21:48:19 UTC
I get those messages when booting my laptop and logging in. No suspend/resume...

KDE 4.5.0 and F13

Comment 23 Michal Hlavinka 2010-08-19 08:02:11 UTC
(In reply to comment #20)
> on second thought, mind filing a new bug ?  (and provide any hints on how to
> reproduce it).

filled as bug #625367


Note You need to log in before you can comment on or make changes to this bug.