Small SELinux issue with kdm and grub

Marko Vojinovic vvmarko at panet.co.yu
Sun Mar 8 14:55:39 UTC 2009


Greetings everyone! :-)

This is not a big issue, but it annoys me every time I log out, so... Anyway, 
setroubleshoot says the following:

###################################
Summary:

SELinux is preventing kdm (xdm_t) "execute" to ./grub (bootloader_exec_t).

Detailed Description:

SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./grub,

restorecon -v './grub'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bootloader_exec_t:s0
Target Objects                ./grub [ file ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          Yoda
Source RPM Packages           kdebase-workspace-4.2.0-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     Yoda
Platform                      Linux Yoda 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP
                              Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Sun 08 Mar 2009 02:49:39 PM CET
Last Seen                     Sun 08 Mar 2009 03:02:41 PM CET
Local ID                      7b01f900-90de-434d-9587-f187d0fd0388
Line Numbers

Raw Audit Messages

node=Yoda type=AVC msg=audit(1236520961.646:18): avc:  denied  { execute } for  pid=2486 comm="kdm" name="grub" dev=sda1 ino=905977 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file

node=Yoda type=SYSCALL msg=audit(1236520961.646:18): arch=c000003e syscall=21 success=no exit=-13 a0=7fff95858a76 a1=1 a2=0 a3=7efefefefefefeff items=0 ppid=1 pid=2486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
###################################

I have found ./grub to be /sbin/grub and tried to restorecon it, but the 
context seems to be what it should be.

So, does anyone understand what is going on and why?

Best, :-)
Marko
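
One way to triage the raw audit messages quoted in the post, as an added example that is not part of the original message: it pairs the AVC and SYSCALL records by audit event ID and decodes the syscall number and mode argument. The function names and the small x86_64 lookup tables are assumptions of this example; the sample records are the two from the post with the wrapped lines joined.

```python
import re

# The two audit records from the post, with the mail-wrapped lines joined.
SAMPLE = (
    'node=Yoda type=AVC msg=audit(1236520961.646:18): avc:  denied  { execute } for  '
    'pid=2486 comm="kdm" name="grub" dev=sda1 ino=905977 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file\n'
    'node=Yoda type=SYSCALL msg=audit(1236520961.646:18): arch=c000003e syscall=21 '
    'success=no exit=-13 a0=7fff95858a76 a1=1 a2=0 a3=7efefefefefefeff items=0 '
    'ppid=1 pid=2486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" '
    'subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)\n'
)

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):[ \t]*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
# Assumption: minimal x86_64 tables, only what this example needs.
X86_64_SYSCALLS = {21: "access", 59: "execve"}
ACCESS_MODES = {4: "R_OK", 2: "W_OK", 1: "X_OK"}

def parse_events(text):
    """Group audit records by event ID (timestamp, serial), keyed by record type."""
    events = {}
    for rtype, ts, serial, body in HEADER.findall(text):
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body) if rtype == "AVC" else None
        if p:
            rec["result"], rec["perms"] = p.group(1), p.group(2).split()
        events.setdefault((ts, serial), {})[rtype] = rec
    return events

def triage(event):
    """Summarise one denial: SELinux types, permission, and the syscall behind it."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    out = {"source_type": avc["scontext"].split(":")[2],
           "target_type": avc["tcontext"].split(":")[2],
           "tclass": avc["tclass"], "perms": avc["perms"]}
    if sc.get("arch") == "c000003e":  # AUDIT_ARCH_X86_64
        nr = int(sc["syscall"])
        out["syscall"] = X86_64_SYSCALLS.get(nr, str(nr))
        if out["syscall"] == "access":
            mode = int(sc["a1"], 16)  # audit prints a0..a3 in hex
            out["mode"] = [n for b, n in ACCESS_MODES.items() if mode & b] or ["F_OK"]
    return out
```

For the event in the post this reports syscall `access` with mode `X_OK`, so the denied `execute` permission was checked by an access(2) probe of the file rather than by an execve(2) of it.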





