Old 11-05-2010, 12:05 PM   #1
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,398

Rep: Reputation: 55
SELinux is preventing /usr/bin/kdm "write" access on /root


Fedora 14 / KDE

I get this SELinux error message when in a KDE Desktop and right/left click on anything on the Desktop.

This is an error message I get when I go into a User or Root Desktop.

I put SELinux in the permissive mode and it corrected the problem.

How and what policy would I make to fix this problem?


Summary:

SELinux is preventing /usr/bin/kdm "write" access on /root.

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinu...fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.5.2-3.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.i686 #1 SMP Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Thu 04 Nov 2010 10:08:00 PM EDT
Last Seen                     Thu 04 Nov 2010 10:11:36 PM EDT
Local ID                      5e9e287e-cab0-40ed-8ae3-cbb947f9fc44
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
 
Old 11-05-2010, 12:40 PM   #2
falcom
Member
 
Registered: May 2009
Posts: 102

Rep: Reputation: 13
try
Quote:
vim /etc/selinux/config
and put
SELINUX=disabled
SELINUXTYPE=targeted

it's all!
 
Old 11-05-2010, 12:57 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
0. You're running F14: file a bug report to help make Fedora better.
1. SELinux permissive mode doesn't "correct" anything. It runs Fedora without SELinux restrictions.
1. 'audit2allow' may help to adjust your local policy (allow xdm_t s0:dir write.
 
Old 11-05-2010, 12:57 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by falcom View Post
try and put
SELINUX=disabled
SELINUXTYPE=targeted

it's all!
I see a SELinux guru walks amongst us...
 
Old 11-05-2010, 02:06 PM   #5
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,398

Original Poster
Rep: Reputation: 55
A guru is someone that knows ALL about Linux, and that person does not exist.

Every time you think you know it all, the developers will change it in the next version and you have to start over.

But I do agree, it is good for Linux. And that is what counts.

For some reason I cannot get a log in /var/log/audit for SELinux. Is there a config file for SELinux that turns on logging?

SELinux is in the permissive mode.

This bug is everywhere in Bugzilla and on the Internet, but no one has fixed it yet, and I'm too impatient to wait.

This line,
1. 'audit2allow' may help to adjust your local policy (allow xdm_t s0:dir write

in your post there is a smiley face at the end of the line; what character is supposed to be there?

This is a flaw in linuxquestions.org's display of a character. Is the character a semicolon or a colon?

Last edited by mickeyboa; 11-05-2010 at 02:19 PM.
 
Old 11-05-2010, 03:23 PM   #6
falcom
Member
 
Registered: May 2009
Posts: 102

Rep: Reputation: 13
again
Quote:
try and put
SELINUX=disabled
SELINUXTYPE=targeted
it's all!
and you need some firewall script to make your machine safe!
 
Old 11-05-2010, 07:06 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by mickeyboa View Post
For some reason I cannot get a log in /var/log/audit for SELinux. Is there a config file for SELinux that turns on logging?
Enable the Auditd service?


Quote:
Originally Posted by mickeyboa View Post
This bug is everywhere in Bugzilla and on the Internet, but no one has fixed it yet, and I'm too impatient to wait.
Point me the bug tracker ticket?


Quote:
Originally Posted by mickeyboa View Post
This is a flaw in linuxquestions.org's display of a character. Is the character a semicolon or a colon?
Semicolon. Just 'echo "node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir; node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)"|audit2allow;'.
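
Added example, not part of any post in this thread: a small shell sketch of how the type-enforcement rule that audit2allow prints is derived from the fields of the AVC record above. The function names `field` and `avc_to_allow` are hypothetical, and the target context is assumed to read `system_u:object_r:admin_home_t:s0`.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the thread, with the target
# context assumed to be system_u:object_r:admin_home_t:s0.
AVC_SAMPLE='node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'

# field NAME LINE -> value of the NAME=value pair in an audit record
# (hypothetical helper, not an audit2allow interface)
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_to_allow LINE -> the allow rule that would permit the denied access
avc_to_allow() {
    line=$1
    # Only AVC denials carry the fields needed for a rule.
    case $line in
        *"avc:"*"denied"*) ;;
        *) echo "not an AVC denial" >&2; return 1 ;;
    esac
    # Permissions are listed between the braces: { write }
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
    # A context is user:role:type:level; the rule uses only the type.
    stype=$(field scontext "$line" | cut -d: -f3)
    ttype=$(field tcontext "$line" | cut -d: -f3)
    tclass=$(field tclass "$line")
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || {
        echo "incomplete AVC record" >&2
        return 1
    }
    # Several permissions are grouped in braces in policy syntax.
    case $perms in
        *" "*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

avc_to_allow "$AVC_SAMPLE"
```

The rule names only types, so it applies to every process in the xdm_t domain and every directory labelled admin_home_t, not just kdm and /root; read the generated rule before building it into a local module.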
 
Old 11-05-2010, 08:00 PM   #8
mickeyboa
Senior Member
 
Registered: May 2004
Location: Indianapolis, Indiana
Distribution: FC-KDE, 32 and 64 bit
Posts: 1,398

Original Poster
Rep: Reputation: 55
Is this what I'm supposed to get?

# 'echo "node=(removed) type=AVC msg=audit(1288923096.835:99): avc: denied { write } for pid=16148 comm="kdm" name="root" dev=sda1 ino=798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir; node=(removed) type=SYSCALL msg=audit(1288923096.835:99): arch=40000003 syscall=5 success=no exit=-13 a0=bfdb0c9b a1=c1 a2=180 a3=1 items=0 ppid=5003 pid=16148 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)"|audit2allow;'.
 
Old 11-05-2010, 11:29 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
yes
 
  

