02-16-2009, 12:37 PM
Antonio Olivares

denied avcs for kde again :(

Am I the only one that sees the following:

I think I am going crazy with these repeating avc's


Summary:

SELinux prevented kde4-config from writing .kde.

Detailed Description:

SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."

Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:root_t:s0
Target Objects .kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.0-10.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.5-3.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_dump_core
Host Name riohigh
Platform Linux riohigh 2.6.29-0.119.rc5.fc11.i586 #1 SMP
Sat Feb 14 18:38:24 EST 2009 i686 athlon
Alert Count 3
First Seen Thu 12 Feb 2009 08:38:18 AM CST
Last Seen Mon 16 Feb 2009 06:56:52 AM CST
Local ID 8e781235-d7ca-4c98-b8c9-ed9dac40a2ff
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1234789012.965:7): avc: denied { create } for pid=2245 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1234789012.965:7): arch=40000003 syscall=39 success=no exit=-13 a0=82fc358 a1=1c0 a2=2f0438c a3=1 items=0 ppid=2244 pid=2245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)







--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
02-16-2009, 05:34 PM
Daniel J Walsh

denied avcs for kde again :(

Antonio Olivares wrote:
> Am I the only one that sees the following:
>
> I think I am going crazy with these repeating avc's
>
>
> Summary:
>
> SELinux prevented kde4-config from writing .kde.
>
> Detailed Description:
>
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
>
> Fix Command:
>
> setsebool -P allow_daemons_dump_core=1
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:object_r:root_t:s0
> Target Objects .kde [ dir ]
> Source kde4-config
> Source Path /usr/bin/kde4-config
> Port <Unknown>
> Host riohigh
> Source RPM Packages kdelibs-4.2.0-10.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.5-3.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_daemons_dump_core
> Host Name riohigh
> Platform Linux riohigh 2.6.29-0.119.rc5.fc11.i586 #1 SMP
> Sat Feb 14 18:38:24 EST 2009 i686 athlon
> Alert Count 3
> First Seen Thu 12 Feb 2009 08:38:18 AM CST
> Last Seen Mon 16 Feb 2009 06:56:52 AM CST
> Local ID 8e781235-d7ca-4c98-b8c9-ed9dac40a2ff
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1234789012.965:7): avc: denied { create } for pid=2245 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1234789012.965:7): arch=40000003 syscall=39 success=no exit=-13 a0=82fc358 a1=1c0 a2=2f0438c a3=1 items=0 ppid=2244 pid=2245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
No you are not the only one.

This is a bug in kde-login which thinks its homedir is / and wants to
create a directory in the / directory.

I have also seen similar with it trying to create the directory in
/root. Which is also somewhat bad. I do not want to give login
programs the ability to write to these directories, because attackers
without passwords can get the login programs to execute large amounts of
code without ever identifying themselves. gdm is set up with a homedir
of /var/lib/gdm, which allows us to confine the gdm login program.

Kde login needs something similar, I believe there is a bug on this,
but it would not hurt to open another.


 
02-17-2009, 06:45 AM
Kevin Kofler

denied avcs for kde again :(

Daniel J Walsh wrote:
> I have also seen similar with it trying to create the directory in
> /root. Which is also somewhat bad. I do not want to give login
> programs the ability to write to these directories, because attackers
> without passwords can get the login programs to execute large amounts of
> code without ever identifying themselves. gdm is set up with a homedir
> of /var/lib/gdm, which allows us to confine the gdm login program.
>
> Kde login needs something similar, I believe there is a bug on this,
> but it would not hurt to open another.

KDM runs as root, so of course its homedir is /root. KDM does not support
running as anything other than root (just like XDM and pretty much any
display manager other than the latest GDM).

Kevin Kofler

 
02-17-2009, 12:34 PM
Daniel J Walsh

denied avcs for kde again :(

Kevin Kofler wrote:
> Daniel J Walsh wrote:
>> I have also seen similar with it trying to create the directory in
>> /root. Which is also somewhat bad. I do not want to give login
>> programs the ability to write to these directories, because attackers
>> without passwords can get the login programs to execute large amounts of
>> code without ever identifying themselves. gdm is set up with a homedir
>> of /var/lib/gdm, which allows us to confine the gdm login program.
>>
>> Kde login needs something similar, I believe there is a bug on this,
>> but it would not hurt to open another.
>
> KDM runs as root, so of course its homedir is /root. KDM does not support
> running as anything other than root (just like XDM and pretty much any
> display manager other than the latest GDM).
>
> Kevin Kofler
>
Its homedir is not currently /root, it is /. That is what the AVCs are
indicating.


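Reading the two audit records from the first post field by field shows what they say about where kde4-config tried to write. This is an added example, not code from the thread; the i386 syscall table entry and the mapping of root_t to / and admin_home_t to /root are assumptions about the platform and Fedora's targeted policy, and the SYSCALL record is shortened.

```python
import errno
import re

# Audit event 1234789012.965:7 from the first post (SYSCALL record shortened).
AVC = ('node=riohigh type=AVC msg=audit(1234789012.965:7): avc: denied '
       '{ create } for pid=2245 comm="kde4-config" name=".kde" '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:root_t:s0 tclass=dir')
SYSCALL = ('node=riohigh type=SYSCALL msg=audit(1234789012.965:7): '
           'arch=40000003 syscall=39 success=no exit=-13 a0=82fc358 a1=1c0 '
           'pid=2245 auid=4294967295 uid=0 comm="kde4-config" '
           'exe="/usr/bin/kde4-config" key=(null)')

# Assumptions, not from the thread: arch 40000003 is i386, where syscall 39
# is mkdir; in the targeted policy / is root_t and /root is admin_home_t.
SYSCALLS = {("40000003", "39"): "mkdir"}
DIR_TYPES = {"root_t": "/", "admin_home_t": "/root"}

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["event"] = re.search(r"audit\(([\d.]+:\d+)\)", line).group(1)
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec

def explain(avc_line, syscall_line):
    """Correlate the AVC and SYSCALL records of one event and decode them."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("records belong to different audit events")
    # For a create check, tcontext is the label the new directory would get;
    # without a type transition it inherits the type of its parent directory.
    new_type = avc["tcontext"].split(":")[2]
    return {
        "domain": avc["scontext"].split(":")[2],
        "call": SYSCALLS.get((sc["arch"], sc["syscall"]), "unknown"),
        "mode": oct(int(sc["a1"], 16)),          # second mkdir argument
        "errno": errno.errorcode[-int(sc["exit"])],
        "uid": int(sc["uid"]),
        "perms": avc["perms"],
        "name": avc["name"],
        "parent_dir": DIR_TYPES.get(new_type, "unknown"),
    }

if __name__ == "__main__":
    for key, value in explain(AVC, SYSCALL).items():
        print(f"{key:11} {value}")
```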