SELinux is preventing /usr/libexec/kde4/kdm_config from 'read' accesses on the lnk_file /usr/share/config/kdm.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that kdm_config should be allowed read access on the kdm lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep kdm_config /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:config_usr_t:s0
Target Objects                /usr/share/config/kdm [ lnk_file ]
Source                        kdm_config
Source Path                   /usr/libexec/kde4/kdm_config
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.6.1-2.fc14
Target RPM Packages           kde-settings-kdm-4.5-11.fc14
Policy RPM                    selinux-policy-3.9.7-35.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 20 Mar 2011 12:26:45 PM EET
Last Seen                     Sun 20 Mar 2011 08:17:11 PM EET
Local ID                      b3d2f1d7-4ab2-4425-8249-fa76070a2010

Raw Audit Messages
type=AVC msg=audit(1300645031.743:10): avc: denied { read } for pid=2033 comm="kdm_config" name="kdm" dev=dm-0 ino=140930 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1300645031.743:10): arch=x86_64 syscall=open success=yes exit=ESRCH a0=4050e9 a1=0 a2=405013 a3=1999999999999999 items=0 ppid=2015 pid=2033 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=kdm_config exe=/usr/libexec/kde4/kdm_config subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: kdm_config,xdm_t,config_usr_t,lnk_file,read

audit2allow

#============= xdm_t ==============
allow xdm_t config_usr_t:lnk_file read;

audit2allow -R

#============= xdm_t ==============
allow xdm_t config_usr_t:lnk_file read;
So I think this one is the real blocker. The rest is just the config file which affects what, if any, debug messages to output; not being able to access it shouldn't be fatal.
xdm_t needs to be able to read /usr/share/config/kdm
This is a regression from:
http://pkgs.fedoraproject.org/gitweb/?p=selinux-policy.git;a=commitdiff;h=9bb1b8a48e190d2f713283a50d695faf6ca0a710
i.e. selinux-policy-3.9.7-35.fc14 (compared to -34.fc14 and older).

This:
++/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
changes the context of /usr/share/config. xdm_t needs access to that new config_usr_t context.
*** Bug 689269 has been marked as a duplicate of this bug. ***
xdm_t needs at least 'open', 'read' and 'getattr' access on config_usr_t.
Yes, I need to push a new update to update-testing. It can be fixed for now using the following local policy

# cat mykde.te
policy_module(mykde, 1.0)

require{
    type xdm_t;
    type config_usr_t;
}

list_dirs_pattern(xdm_t, config_usr_t, config_usr_t)
read_files_pattern(xdm_t, config_usr_t, config_usr_t)
read_lnk_files_pattern(xdm_t, config_usr_t, config_usr_t)

and executing

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mykde.pp
Magnus, could you try this out?
There is a new build from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=234770
(In reply to comment #8)
> There is a new build from koji for now
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=234770

I tried the above build in Fedora 14 i686 with kde 4.6.1 in a VirtualBox VM, and kdm is running just fine, and no AVC are logged to /var/log/audit/audit.log

thanks,
Gabrielo
Another user from #fedora-kde IRC is also confirming that selinux-policy-3.9.7-36.fc14 from Koji fixes this regression.
I can confirm that the build ( selinux-policy-3.9.7-36.fc14 ) is working, I have kdm back.
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
Thanks for your testing. Could you update the karma?
Update works. Karma given
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.