Bug 614031 - SELinux is preventing /usr/bin/kdm "signull" access .
SELinux is preventing /usr/bin/kdm "signull" access .
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:58f1cfcaa6d...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-13 10:30 EDT by Laurent Rineau
Modified: 2011-06-01 10:57 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-01 10:57:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Laurent Rineau 2010-07-13 10:30:32 EDT
Summary:

SELinux is preventing /usr/bin/kdm "signull" access .

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.4.4-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.x86_64
                              #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 13 Jul 2010 04:21:55 PM CEST
Last Seen                     Tue 13 Jul 2010 04:22:02 PM CEST
Local ID                      2c50bbf8-1e15-4050-a71e-5499080f5d26
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1279030922.113:1360): avc:  denied  { signull } for  pid=1750 comm="kdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1279030922.113:1360): arch=c000003e syscall=62 success=no exit=-13 a0=7b07 a1=0 a2=0 a3=8 items=0 ppid=1 pid=1750 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,kdm,xdm_t,sshd_t,process,signull
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t sshd_t:process signull;
Comment 1 Daniel Walsh 2010-07-13 14:41:59 EDT
Did you do something to get xdm to interact with sshd?
Comment 2 Orion Poplawski 2010-07-13 15:48:28 EDT
kdm, but no, this is stock kdm configuration.
Comment 3 Daniel Walsh 2010-07-13 16:42:52 EDT
I would ask the kde guys why this is happening but I would bet they have no clue.

policy already has 

locallogin_signull(xdm_t)
userdom_signull_unpriv_users(xdm_t)
allow xdm_t xserver_t:process { signal signull };

I have no idea how it is figuring out which programs to send the signull too.
Comment 4 Daniel Walsh 2010-07-13 16:43:26 EDT
Is this happening at logout or login?
Comment 5 Laurent Rineau 2010-07-14 06:50:01 EDT
(In reply to comment #4)
> Is this happening at logout or login?    

I cannot tell. I have rebooted my computer, after a "yum update", and the setroubleshoot applet showed me that error after the login.
Comment 6 Daniel Walsh 2010-07-14 08:23:52 EDT
Miroslav add this,  It seems harmless although I don't know what is going on.

optional_policy(`
	ssh_signull(xdm_t)
')


########################################
## <summary>
##	Send a null signal to sshd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_signull',`
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:process signull;
')
Comment 7 Miroslav Grepl 2010-07-14 08:42:31 EDT
Ok, fixed in selinux-policy-3.7.19-37.fc13
Comment 8 Laurent Rineau 2010-07-14 09:12:28 EDT
(In reply to comment #4)
> Is this happening at logout or login?    

I have an idea: it might be just before the reboot. When, in kdm, you choose the option "Reboot the computer", kdm somehow checks if somebody else is logged on the computer (either on another vt on the console, or remotely), and if so displays a list of pairs of users/ttys that are logged.

When I asked for a reboot from kdm, I was also logged remotely on the same computer by ssh. Maybe kdm checks the utmp entries, finds ssh sessions, and sends a signull signal to sshd to check something before displaying the list.
Comment 9 Daniel Walsh 2010-07-14 09:23:05 EDT
Sounds possible.
Comment 10 Fedora Update System 2010-07-14 10:26:09 EDT
selinux-policy-3.7.19-37.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-37.fc13
Comment 11 Fedora Update System 2010-07-14 19:08:01 EDT
selinux-policy-3.7.19-37.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-37.fc13
Comment 12 Fedora Admin XMLRPC Client 2010-11-08 16:51:20 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 13 Fedora Admin XMLRPC Client 2010-11-08 16:52:43 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Fedora Admin XMLRPC Client 2010-11-08 16:55:12 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Bug Zapper 2011-06-01 10:03:19 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 16 Orion Poplawski 2011-06-01 10:57:00 EDT
It appears that this has been fixed.

Note You need to log in before you can comment on or make changes to this bug.