Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 28 12:22:33 UTC 2009
On 04/27/2009 06:10 PM, Antonio Olivares wrote:
> I'll copy/paste alerts one by one :
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var. /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:object_r:default_t:s0
> Target Objects .kde [ dir ]
> Source kde4-config
> Source Path /usr/bin/kde4-config
> Port<Unknown>
> Host gray
> Source RPM Packages kdelibs-4.2.2-9.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.12-9.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name default
> Host Name gray
> Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
> 20 15:33:38 EDT 2009 x86_64 x86_64
> Alert Count 92
> First Seen Thu 23 Apr 2009 08:34:03 PM CDT
> Last Seen Tue 28 Apr 2009 04:52:40 PM CDT
> Local ID bfed3a21-1e6d-40ce-bd73-53aaabd164a7
> Line Numbers
>
> Raw Audit Messages
>
> node=gray type=AVC msg=audit(1240955560.271:36): avc: denied { search } for pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var. /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:object_r:default_t:s0
> Target Objects /.kde [ dir ]
> Source kde4-config
> Source Path /usr/bin/kde4-config
> Port<Unknown>
> Host gray
> Source RPM Packages kdelibs-4.2.2-9.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.12-9.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name default
> Host Name gray
> Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
> 20 15:33:38 EDT 2009 x86_64 x86_64
> Alert Count 28
> First Seen Thu 23 Apr 2009 08:34:03 PM CDT
> Last Seen Tue 28 Apr 2009 04:52:40 PM CDT
> Local ID 6da3a105-c4c8-4352-bd0e-3f438b1634a8
> Line Numbers
>
> Raw Audit Messages
>
> node=gray type=AVC msg=audit(1240955560.107:34): avc: denied { getattr } for pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> node=gray type=SYSCALL msg=audit(1240955560.107:34): arch=c000003e syscall=6 success=no exit=-13 a0=7fff38fa1c80 a1=7fff38fa1b80 a2=7fff38fa1b80 a3=6d3b20 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Summary:
>
> SELinux is preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.
>
> Detailed Description:
>
> SELinux denied access requested by ck-get-x11-serv. It is not expected that this
> access is required by ck-get-x11-serv and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Context system_u:object_r:xdm_var_run_t:s0
> Target Objects gdm [ dir ]
> Source ck-get-x11-serv
> Source Path /usr/libexec/ck-get-x11-server-pid
> Port<Unknown>
> Host gray
> Source RPM Packages ConsoleKit-x11-0.3.0-8.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.12-9.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gray
> Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
> 20 15:33:38 EDT 2009 x86_64 x86_64
> Alert Count 9
> First Seen Thu 23 Apr 2009 03:55:23 PM CDT
> Last Seen Tue 28 Apr 2009 04:52:47 PM CDT
> Local ID 93d6261d-88da-4ca0-9328-743e29739a13
> Line Numbers
>
> Raw Audit Messages
>
> node=gray type=AVC msg=audit(1240955567.631:44): avc: denied { search } for pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir
>
> node=gray type=SYSCALL msg=audit(1240955567.631:44): arch=c000003e syscall=21 success=no exit=-13 a0=7fff62086fab a1=4 a2=0 a3=7fff62083710 items=0 ppid=1937 pid=1938 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
>
>
>
> I have tried the fixes. I still see the same sealerts :(
>
> touch, reboot autorelabel.
>
> I have booted in permissive mode and still see the alters :(
>
> Should I file a bug here?
>
> Thanks,
>
> Antonio
>
>
>
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
/.kde is not a labeling problem, it is a bug in kdm that thinks its
homedir is /. So it put its the .kde directory there and this /.kde got
the default_t label. You can change this by executing
# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
# restorecon -R -v /.kde
The consolekit bug is fixed in the -20 policy package.
More information about the fedora-selinux-list
mailing list