Antonio Olivares wrote:
> Am I the only one that sees the following:
>
> I think I am going crazy with these repeating avc's :(
>
>
> Summary:
>
> SELinux prevented kde4-config from writing .kde.
>
> Detailed Description:
>
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
>
> Fix Command:
>
> setsebool -P allow_daemons_dump_core=1
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:root_t:s0
> Target Objects                .kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.0-10.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.5-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_daemons_dump_core
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.119.rc5.fc11.i586 #1 SMP
>                               Sat Feb 14 18:38:24 EST 2009 i686 athlon
> Alert Count                   3
> First Seen                    Thu 12 Feb 2009 08:38:18 AM CST
> Last Seen                     Mon 16 Feb 2009 06:56:52 AM CST
> Local ID                      8e781235-d7ca-4c98-b8c9-ed9dac40a2ff
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1234789012.965:7): avc: denied { create } for pid=2245 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1234789012.965:7): arch=40000003 syscall=39 success=no exit=-13 a0=82fc358 a1=1c0 a2=2f0438c a3=1 items=0 ppid=2244 pid=2245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

No, you are not the only one. This is a bug in kde-login which thinks its
homedir is / and wants to create a directory in the / directory. I have also
seen similar with it trying to create the directory in /root. Which is also
somewhat bad.

I do not want to give login programs the ability to write to these
directories, because attackers without passwords can get the login programs
to execute large amounts of code without ever identifying themselves.

gdm is set up with a homedir of /var/lib/gdm, which allows us to confine the
gdm login program. Kde login needs something similar. I believe there is a
bug on this, but it would not hurt to open another.

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
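
The raw audit records quoted in the report can be triaged mechanically. The following is an added example, not part of the original thread: it pairs the AVC and SYSCALL records by event ID and flags a pre-authentication login domain trying to write to a system directory, the case the reply says should be fixed in the program rather than allowed in policy. The `LOGIN_DOMAINS`, `SYSTEM_DIR_TYPES` and `WRITE_PERMS` sets and all function names are assumptions made for illustration.

```python
import re

# The two raw audit records from the report quoted in this thread (one event).
SAMPLE = """\
node=riohigh type=AVC msg=audit(1234789012.965:7): avc: denied { create } for pid=2245 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1234789012.965:7): arch=40000003 syscall=39 success=no exit=-13 a0=82fc358 a1=1c0 a2=2f0438c a3=1 items=0 ppid=2244 pid=2245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
UNSET_AUID = "4294967295"      # loginuid unset: not tied to an authenticated session
LOGIN_DOMAINS = {"xdm_t"}      # assumption: domains that run before authentication
SYSTEM_DIR_TYPES = {"root_t"}  # assumption: target types to protect (label of / above)
WRITE_PERMS = {"create", "write", "add_name", "setattr"}  # assumption: write-like perms

def parse_events(text):
    """Return {event_id: {record_type: fields}}, pairing AVC with its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        d = DENIED.search(line)
        if d:
            fields["perms"] = set(d.group(1).split())
        events.setdefault(m.group(1), {})[fields.get("type", "UNKNOWN")] = fields
    return events

def triage(event):
    """Summarise one denial and say whether relaxing policy is the right fix."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src = avc["scontext"].split(":")[2]  # context is user:role:type:level
    tgt = avc["tcontext"].split(":")[2]
    risky = bool(src in LOGIN_DOMAINS and tgt in SYSTEM_DIR_TYPES
                 and avc["perms"] & WRITE_PERMS)
    return {
        "exe": sc.get("exe", avc.get("comm")),
        "source_type": src, "target_type": tgt,
        "target": f'{avc.get("name")} [{avc.get("tclass")}]',
        "perms": sorted(avc["perms"]),
        "pre_auth": sc.get("auid") == UNSET_AUID,
        "verdict": ("fix the program's home directory; do not relax policy"
                    if risky else "review manually"),
    }

def triage_all(text):
    return {eid: triage(ev) for eid, ev in parse_events(text).items() if "AVC" in ev}

if __name__ == "__main__":
    for eid, result in triage_all(SAMPLE).items():
        print(eid, result)
```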