Bug 596931 - SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /bin.
Summary: SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /bin.
Status: CLOSED DUPLICATE of bug 590883
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 13
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:d3045667d80...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-27 19:08 UTC by Martin Naď
Modified: 2010-05-27 19:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-05-27 19:37:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Martin Naď 2010-05-27 19:08:57 UTC

SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /bin.

Podrobný popis:

[kdm_greet je v toleratním režimu (xdm_t). Přístup byl povolen.]

SELinux denied access requested by kdm_greet. It is not expected that this
access is required by kdm_greet and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Další informace:

Kontext zdroje                system_u:system_r:xdm_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:bin_t:s0
Objekty cíle                 /bin [ dir ]
Zdroj                         kdm_greet
Cesta zdroje                  /usr/libexec/kde4/kdm_greet
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          kdm-4.4.80-2.fc13
RPM balíčky cíle           filesystem-2.4.31-1.fc13
RPM politiky                  selinux-policy-3.7.19-15.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            (removed)
Platforma                     Linux (removed)
                     #1 SMP Thu May 13 05:16:23
                              UTC 2010 x86_64 x86_64
Počet upozornění           8
Poprvé viděno               Čt 27. květen 2010, 21:05:41 CEST
Naposledy viděno             Čt 27. květen 2010, 21:05:41 CEST
Místní ID                   e4468821-c3a7-4c75-a24f-d48fdba537bd
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1274987141.832:55): avc:  denied  { write } for  pid=5615 comm="kdm_greet" name="bin" dev=sda2 ino=262162 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1274987141.832:55): arch=c000003e syscall=21 success=yes exit=4294967424 a0=1d06418 a1=2 a2=7fffbdca1350 a3=8 items=0 ppid=5612 pid=5615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,kdm_greet,xdm_t,bin_t,dir,write
audit2allow suggests:

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# pcscd_var_run_t, xdm_home_t, pam_var_console_t, xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t, user_fonts_t, user_tmpfs_t, user_home_dir_t, xdm_spool_t, fonts_cache_t, locale_t, var_auth_t, tmpfs_t, user_tmp_t, var_spool_t, auth_cache_t, xdm_tmpfs_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, gconf_home_t

allow xdm_t bin_t:dir write;

Comment 1 Daniel Walsh 2010-05-27 19:37:37 UTC

*** This bug has been marked as a duplicate of bug 590883 ***

Note You need to log in before you can comment on or make changes to this bug.