Dear selinux experts,
I have a question about a repeated avc, I ask if I should apply the suggested fix or wait for an selinux policy update which addressses this?
Summary:
SELinux prevented kde4-config from writing .kde.
Detailed Description:
SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may want to allow this. If .kde is not a core file, this could signal a intrusion attempt.
Allowing Access:
Changing the "allow_daemons_dump_core" boolean to true will allow this access: "setsebool -P allow_daemons_dump_core=1."
Fix Command:
setsebool -P allow_daemons_dump_core=1
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:root_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port <Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-2.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_daemons_dump_core Host Name riohigh Platform Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP Tue Mar 3 23:01:11 EST 2009 i686 athlon Alert Count 20 First Seen Tue 17 Feb 2009 08:36:03 AM CST Last Seen Wed 04 Mar 2009 07:44:55 PM CST Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Regards,
Antonio
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Antonio Olivares wrote:
Dear selinux experts,
I have a question about a repeated avc, I ask if I should apply the suggested fix or wait for an selinux policy update which addressses this?
Summary:
SELinux prevented kde4-config from writing .kde.
Detailed Description:
SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may want to allow this. If .kde is not a core file, this could signal a intrusion attempt.
Allowing Access:
Changing the "allow_daemons_dump_core" boolean to true will allow this access: "setsebool -P allow_daemons_dump_core=1."
Fix Command:
setsebool -P allow_daemons_dump_core=1
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:root_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port <Unknown> Host riohigh Source RPM Packages kdelibs-4.2.1-2.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_daemons_dump_core Host Name riohigh Platform Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP Tue Mar 3 23:01:11 EST 2009 i686 athlon Alert Count 20 First Seen Tue 17 Feb 2009 08:36:03 AM CST Last Seen Wed 04 Mar 2009 07:44:55 PM CST Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418 Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Regards,
Antonio
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a bug in kdebase. The kdm login program thinks it's home dir is / so it is trying to create /.kde in the root directory. There are bugs files on this. Not being able to create this directory does not seem to bother the login app, so I think it is deep down in the libraries.
I can change SELinux to cover this up but I would rather put pression on kde maintainers to fix there code.
Daniel J Walsh writes:
Antonio Olivares wrote:
SELinux prevented kde4-config from writing .kde.
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:root_t:s0 Target Objects .kde [ dir ]
This is a bug in kdebase. The kdm login program thinks it's home dir is / so it is trying to create /.kde in the root directory. There are bugs files on this.
I don't find the bugzilla. Do you have a reference?
There must be something more than kdm causing this. I get the same, and I use the default gdm as login manager.
Göran Uddeborg wrote:
Daniel J Walsh writes:
Antonio Olivares wrote:
SELinux prevented kde4-config from writing .kde.
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:root_t:s0 Target Objects .kde [ dir ]
This is a bug in kdebase. The kdm login program thinks it's home dir is / so it is trying to create /.kde in the root directory. There are bugs files on this.
I don't find the bugzilla. Do you have a reference?
https://bugzilla.redhat.com/show_bug.cgi?id=484370
-- Rex
selinux@lists.fedoraproject.org