Summary: SELinux is preventing /usr/libexec/kde4/kdm_greet "write" access on /usr/libexec/kde4/lnusertemp. Detailed Description: SELinux denied access requested by kdm_greet. It is not expected that this access is required by kdm_greet and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:bin_t:s0 Target Objects /usr/libexec/kde4/lnusertemp [ file ] Source kdm_greet Source Path /usr/libexec/kde4/kdm_greet Port <Unknown> Host (removed) Source RPM Packages kdm-4.5.2-0.1.fc13 Target RPM Packages kdelibs-4.5.2-0.2.fc13 Policy RPM selinux-policy-3.7.19-62.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux gioia 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686 Alert Count 5 First Seen Thu 07 Oct 2010 09:29:13 AM CEST Last Seen Thu 07 Oct 2010 09:29:14 AM CEST Local ID d7efeff4-4235-4f17-b4a1-bb7ea0493aa5 Line Numbers Raw Audit Messages node=gioia type=AVC msg=audit(1286436554.403:20044): avc: denied { write } for pid=2376 comm="kdm_greet" name="lnusertemp" dev=dm-3 ino=72118 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file node=gioia type=SYSCALL msg=audit(1286436554.403:20044): arch=40000003 syscall=33 success=no exit=-13 a0=8a04988 a1=2 a2=109d258 a3=bf9d2488 items=0 ppid=2373 pid=2376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash String generated from catchall,kdm_greet,xdm_t,bin_t,file,write audit2allow suggests: #============= xdm_t ============== allow xdm_t bin_t:file write;
Dan, I have noticed you added to F14 corecmd_dontaudit_write_bin_files(xdm_t)
Yes Add that to F13 until we get access to work correctly
Fixed in selinux-policy-3.7.19-65.fc13.
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
I have the same problem after a fresh installation from F14 Final TC1.1 x86_64 KDE LiveCD, which installed selinux-policy-3.9.5-7.fc14.noarch
selinux-policy-3.9.7-1.fc14 seems to have fixed the problem in F14, though.
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
I am testing right now, and looks like the problem has disappeared, indeed. Kudos for the very quick fix!