FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 03-05-2009, 12:56 AM
Antonio Olivares
 
Default kde avc(SELinux prevented kde4-config from writing .kde.)will it be on next selinux policy update?

Dear selinux experts,

I have a question about a repeated avc, I ask if I should apply the suggested fix or wait for an selinux policy update which addressses this?


Summary:

SELinux prevented kde4-config from writing .kde.

Detailed Description:

SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."

Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_ubject_r:root_t:s0
Target Objects .kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.1-2.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_dump_core
Host Name riohigh
Platform Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
Tue Mar 3 23:01:11 EST 2009 i686 athlon
Alert Count 20
First Seen Tue 17 Feb 2009 08:36:03 AM CST
Last Seen Wed 04 Mar 2009 07:44:55 PM CST
Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_ubject_r:root_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)




Regards,

Antonio




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-05-2009, 01:18 PM
Daniel J Walsh
 
Default kde avc(SELinux prevented kde4-config from writing .kde.)will it be on next selinux policy update?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear selinux experts,
>
> I have a question about a repeated avc, I ask if I should apply the suggested fix or wait for an selinux policy update which addressses this?
>
>
> Summary:
>
> SELinux prevented kde4-config from writing .kde.
>
> Detailed Description:
>
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
>
> Fix Command:
>
> setsebool -P allow_daemons_dump_core=1
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_ubject_r:root_t:s0
> Target Objects .kde [ dir ]
> Source kde4-config
> Source Path /usr/bin/kde4-config
> Port <Unknown>
> Host riohigh
> Source RPM Packages kdelibs-4.2.1-2.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.7-1.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_daemons_dump_core
> Host Name riohigh
> Platform Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
> Tue Mar 3 23:01:11 EST 2009 i686 athlon
> Alert Count 20
> First Seen Tue 17 Feb 2009 08:36:03 AM CST
> Last Seen Wed 04 Mar 2009 07:44:55 PM CST
> Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_ubject_r:root_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Regards,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a bug in kdebase. The kdm login program thinks it's home dir is
/ so it is trying to create /.kde in the root directory. There are bugs
files on this. Not being able to create this directory does not seem to
bother the login app, so I think it is deep down in the libraries.

I can change SELinux to cover this up but I would rather put pression on
kde maintainers to fix there code.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmv3zUACgkQrlYvE4MpobOY/ACgh2G8BOA3U5qE2Iqyy+W7U3vf
/RIAn3tFrawkATHmI24SSUDrMVKzFgHC
=KZEf
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 06:18 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org