Bug 450963 - Spurious selinux denials with kdm (xdm_t) and admin_home_t
Summary: Spurious selinux denials with kdm (xdm_t) and admin_home_t
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2008-06-11 22:08 UTC by Carl Roth
Modified: 2008-11-17 22:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-17 22:04:33 UTC


Description Carl Roth 2008-06-11 22:08:13 UTC
Description of problem:

My system keeps generating selinux denials of the form

host=HOST-REDACTED type=AVC msg=audit(1213205770.625:15): avc: denied { read }
for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381
tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file

host=HOST-REDACTED type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e
syscall=89 success=yes exit=13 a0=7fff08cff840 a1=7fff08cfd820 a2=1000 a3=ff2
items=0 ppid=3386 pid=3855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp"
exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023

I have the 'xdm_sysadm_login' boolean turned off.

I notice in xserver.te that there are lots of dontaudit statements relating to
admin_home_t, but nothing related to the lnk_file type that KDE seems so fond of
(tmp-XXX, cache-XXX).

Perhaps something like this is needed in the 'false' branch of the
xdm_sysadm_login test (please advise):

  dontaudit xdm_t admin_home_t:lnk_file read_lnk_file_perms;

I think that the default behavior of kdm is that it scrapes the user list (and
possibly the user homedirs) to generate the login screen, so access attempts may
be unavoidable.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
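
The two audit records above are the kind of input a policy maintainer has to triage before deciding whether a dontaudit rule is appropriate. The following script is an added example, not part of the bug report or of selinux-policy: it parses AVC and SYSCALL records of the shape shown, joins them by the audit event serial (so the subject context can be taken from the SYSCALL record's subj= field when the AVC record carries no scontext=), and checks whether a candidate dontaudit rule would silence each denial. The sample log is constructed from the records in the report; the expansion of read_lnk_file_perms to { getattr read } is an assumption about the reference policy macro.

```python
"""Correlate AVC and SYSCALL audit records and test a candidate dontaudit rule.

Added example for triaging denials like the one in this report; not part of
selinux-policy. The log below is constructed from the records in the report.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: same fields as the report, host name and inode redacted.
SAMPLE_LOG = """\
host=HOST-REDACTED type=AVC msg=audit(1213205770.625:15): avc: denied { read } for pid=3855 comm="lnusertemp" name="tmp-HOST-REDACTED" dev=dm-0 ino=569381 tcontext=system_u:object_r:admin_home_t:s0 tclass=lnk_file
host=HOST-REDACTED type=SYSCALL msg=audit(1213205770.625:15): arch=c000003e syscall=89 success=yes exit=13 a0=7fff08cff840 a1=7fff08cfd820 a2=1000 a3=ff2 items=0 ppid=3386 pid=3855 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp" exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')  # audit(timestamp:serial)
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')


@dataclass
class Denial:
    event_id: str
    perms: set = field(default_factory=set)
    tclass: str = ""
    tcontext: str = ""
    scontext: str = ""
    comm: str = ""
    exe: str = ""


def parse_fields(line):
    """Split an audit record into a dict of key=value pairs (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def type_of(ctx):
    """Return the type component (user:role:type:...) of a security context."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Group records by event id and return one Denial per AVC event."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_fields(line)
        eid = EVENT_RE.search(line).group(1)
        d = events.setdefault(eid, Denial(eid))
        if f.get("type") == "AVC":
            d.perms = set(PERMS_RE.search(line).group(1).split())
            d.tclass = f["tclass"]
            d.tcontext = f["tcontext"]
            d.scontext = f.get("scontext", d.scontext)
            d.comm = f.get("comm", d.comm)
        elif f.get("type") == "SYSCALL":
            d.exe = f.get("exe", d.exe)
            d.comm = f.get("comm", d.comm)
            # An AVC record may omit scontext=; the SYSCALL subj= carries it.
            if not d.scontext:
                d.scontext = f.get("subj", "")
    return [d for d in events.values() if d.perms]


def rule_covers(rule, d):
    """True when a dontaudit rule (source, target, tclass, perms) silences d."""
    return (type_of(d.scontext) == rule["source"]
            and type_of(d.tcontext) == rule["target"]
            and d.tclass == rule["tclass"]
            and d.perms <= rule["perms"])


# Candidate from the report. Assumption: read_lnk_file_perms = { getattr read }.
CANDIDATE = {"source": "xdm_t", "target": "admin_home_t",
             "tclass": "lnk_file", "perms": {"getattr", "read"}}

if __name__ == "__main__":
    for d in parse_audit(SAMPLE_LOG):
        verdict = "covered" if rule_covers(CANDIDATE, d) else "NOT covered"
        print(f"{d.event_id} {d.comm} ({d.exe}): {type_of(d.scontext)} -> "
              f"{type_of(d.tcontext)}:{d.tclass} {sorted(d.perms)}: {verdict}")
```

Run against a real audit.log the same way, substituting the file contents for SAMPLE_LOG; any denial reported as NOT covered is one the proposed rule would still leave in the log, which is what you want to know before deciding between a dontaudit and an actual allow.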

Comment 1 Daniel Walsh 2008-06-14 11:18:25 UTC
Is this happening when you try to login as root?

Comment 2 Daniel Walsh 2008-06-14 11:22:07 UTC
Dontaudit added in selinux-policy-3.3.1-68.fc9.noarch

Comment 3 Carl Roth 2008-06-14 18:24:11 UTC
I'm not using the root login on this machine.  In fact, several times after I
saw this message I deleted the /root/.kde directory.  I am wondering if this is
a weird side-effect of running kdm.

Comment 4 Daniel Walsh 2008-06-22 12:29:09 UTC
Just say no to kdm :^)

Comment 5 Carl Roth 2008-06-22 17:34:29 UTC
I guess now would not be a good time to also point out that kwin and plasma also
generate execmem and execstack denials...

Comment 6 Daniel Walsh 2008-06-23 10:10:17 UTC
Please open bugzillas on those packages, and cc me.

Comment 7 Carl Roth 2008-06-23 17:56:26 UTC
don't worry about those; I tracked them down to a known issue with
execmem/execstack and the nVidia vendor GL libraries.

Comment 8 Daniel Walsh 2008-11-17 22:04:33 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
