LinuxQuestions.org


mickeyboa 11-05-2010 12:05 PM

SELinux is preventing /usr/bin/kdm "write" access on /root
 
Fedora 14 / KDE

I get this SELinux error message when in a KDE Desktop and right/left click on anything on the Desktop.

This is an error message I get when I go into a User or Root Desktop.

I put Selinux in the permissive mode and it corrected the problem.

How and what policy would I make to fix this problem ?


Summary:

SELinux is preventing /usr/bin/kdm "write" access on /root.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinu...fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects /root [ dir ]
Source kdm
Source Path /usr/bin/kdm
Port <Unknown>
Host (removed)
Source RPM Packages kdm-4.5.2-3.fc14
Target RPM Packages filesystem-2.4.35-1.fc14
Policy RPM selinux-policy-3.9.7-7.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name (removed)
Platform Linux (removed) 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct
22 15:34:36 UTC 2010 i686 i686
Alert Count 3
First Seen Thu 04 Nov 2010 10:08:00 PM EDT
Last Seen Thu 04 Nov 2010 10:11:36 PM EDT
Local ID 5e9e287e-cab0-40ed-8ae3-cbb947f9fc44
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

falcom 11-05-2010 12:40 PM

try
Quote:

vim /etc/selinux/config
and put
SELINUX=disabled
SELINUXTYPE=targeted

it's all!

unSpawn 11-05-2010 12:57 PM

0. You're running F14: file a bug report to help make Fedora better.
1. SELinux permissive mode doesn't "correct" anything. It runs Fedora without SELinux restrictions.
2. 'audit2allow' may help to adjust your local policy (allow xdm_t s0:dir write;).

unSpawn 11-05-2010 12:57 PM

Quote:

Originally Posted by falcom (Post 4150339)
try and put
SELINUX=disabled
SELINUXTYPE=targeted

it's all!

I see a SELinux guru walks amongst us...

mickeyboa 11-05-2010 02:06 PM

A Guru is someone that knows ALL about Linux, and that person does not exist.

Every time you think you know it all, The developers will change it in the next version and you have to start over.

But I do agree, it is good for Linux. And that is what counts.

For some reason I cannot get a log in /var/log/audit for SELinux; is there a config file for SELinux that turns on logging?

SELinux is in the Permissive mode.

This bug is everywhere in Bugzilla and on the Internet, but no one has fixed it yet, and I'm too impatient to wait.

This line,
1. 'audit2allow' may help to adjust your local policy (allow xdm_t s0:dir write

in your post there is a smiley face at the end of line, what character is supposed to be there ?

This is a flaw in linuxquestions.org display of a character; is the character a semicolon or colon?

falcom 11-05-2010 03:23 PM

again
Quote:

try and put
SELINUX=disabled
SELINUXTYPE=targeted
it's all!
and you need some firewall script to make your machine safe!

unSpawn 11-05-2010 07:06 PM

Quote:

Originally Posted by mickeyboa (Post 4150433)
For some reason I cannot get a log in /var/log/audit for SELinux; is there a config file for SELinux that turns on logging?

Enable the Auditd service?


Quote:

Originally Posted by mickeyboa (Post 4150433)
This bug is everywhere in Bugzilla and on the Internet, but no one has fixed it yet, and I'm too impatient to wait.

Point me the bug tracker ticket?


Quote:

Originally Posted by mickeyboa (Post 4150433)
This is a flaw in linuxquestions.org display of a character; is the character a semicolon or colon?

Semicolon. Just 'echo "node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir; node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)"|audit2allow;'.

mickeyboa 11-05-2010 08:00 PM

Is this what I'm supposed to get ?

# 'echo "node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir; node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)"|audit2allow;'.

unSpawn 11-05-2010 11:29 PM

yes
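
Added example, not part of any post in this thread and not audit2allow's own code: a small Python reading of the two audit records quoted above, showing the type-enforcement rule the AVC line maps to and what the paired SYSCALL record says kdm was doing. The function names and the flag table are this example's own; the flag values assume the i386 ABI named by arch=40000003.

```python
import errno
import re
from collections import defaultdict

# Constructed input: the two audit records quoted in this thread, with the
# target context written as system_u:object_r:admin_home_t:s0.
RECORDS = [
    'node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
# i386 open(2) flag bits above the access mode (assumed ABI: arch=40000003).
O_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND"}
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def se_type(context):
    """user:role:type[:range] -> type, the only field an allow rule uses."""
    return context.split(":")[2]

def allow_rules(records):
    """Group denied permissions per (source type, target type, class)."""
    perms = defaultdict(set)
    for rec in records:
        m = AVC_RE.search(rec)
        if m:
            key = (se_type(m.group(2)), se_type(m.group(3)), m.group(4))
            perms[key].update(m.group(1).split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        body = min(p) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def decode_open(record):
    """Explain an i386 open() SYSCALL record; None for anything else."""
    f = dict(tok.split("=", 1) for tok in record.split() if "=" in tok)
    if (f.get("type"), f.get("arch"), f.get("syscall")) != ("SYSCALL", "40000003", "5"):
        return None
    flags = int(f["a1"], 16)  # audit logs syscall arguments in hex
    names = [ACCESS.get(flags & 3, "?")] + [n for bit, n in sorted(O_FLAGS.items()) if flags & bit]
    return {"flags": names, "mode": format(int(f["a2"], 16), "04o"),
            "error": errno.errorcode.get(-int(f["exit"]), "?")}

if __name__ == "__main__":
    print(allow_rules(RECORDS))    # the rule text, ending in a semicolon
    print(decode_open(RECORDS[1]))  # what kdm asked the kernel for
```

The rule names types only, so loading it would let every xdm_t process write to every directory labelled admin_home_t, not just this one kdm call on /root.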

