Small SELinux issue with kdm and grub
Marko Vojinovic
vvmarko at panet.co.yu
Sun Mar 8 14:55:39 UTC 2009
Greetings everyone! :-)
This is not a big issue, but it annoys me every time I log out, so... Anyway,
setroubleshoot says the following:
###################################
Summary:
SELinux is preventing kdm (xdm_t) "execute" to ./grub (bootloader_exec_t).
Detailed Description:
SELinux denied access requested by kdm. It is not expected that this access is
required by kdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./grub,

restorecon -v './grub'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bootloader_exec_t:s0
Target Objects                ./grub [ file ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          Yoda
Source RPM Packages           kdebase-workspace-4.2.0-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     Yoda
Platform                      Linux Yoda 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP
                              Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Sun 08 Mar 2009 02:49:39 PM CET
Last Seen                     Sun 08 Mar 2009 03:02:41 PM CET
Local ID                      7b01f900-90de-434d-9587-f187d0fd0388
Line Numbers
Raw Audit Messages
node=Yoda type=AVC msg=audit(1236520961.646:18): avc: denied { execute } for
pid=2486 comm="kdm" name="grub" dev=sda1 ino=905977
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file

node=Yoda type=SYSCALL msg=audit(1236520961.646:18): arch=c000003e syscall=21
success=no exit=-13 a0=7fff95858a76 a1=1 a2=0 a3=7efefefefefefeff items=0
ppid=1 pid=2486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
###################################
I have found ./grub to be /sbin/grub and tried to restorecon it, but the
context seems to be what it should be.
So, does anyone understand what is going on and why?
Best, :-)
Marko
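
An added example, not part of the original post: a short Python parser that joins the AVC and SYSCALL records from the report above (mail line wrapping undone) and decodes the call behind the denial. It relies on x86_64 (arch=c000003e) syscall 21 being access(2) with a1 as its mode argument; the function names and the two-entry syscall table are this example's own.

```python
import errno
import re

# Records from the report above, rejoined where the mail wrapped them.
AVC = ("node=Yoda type=AVC msg=audit(1236520961.646:18): avc: denied { execute } for "
       'pid=2486 comm="kdm" name="grub" dev=sda1 ino=905977 '
       "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
       "tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file")
SYSCALL = ("node=Yoda type=SYSCALL msg=audit(1236520961.646:18): arch=c000003e syscall=21 "
           "success=no exit=-13 a0=7fff95858a76 a1=1 a2=0 a3=7efefefefefefeff items=0 "
           "ppid=1 pid=2486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 "
           'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kdm" exe="/usr/bin/kdm" '
           "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)")

X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {21: "access", 59: "execve"}   # partial table, enough for this case
ACCESS_BITS = {4: "R_OK", 2: "W_OK", 1: "X_OK"}   # mode flags of access(2)

def parse_record(line):
    """Split one audit record into fields, plus event id and AVC permissions."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["event"] = re.search(r"audit\((\d+\.\d+:\d+)\)", line).group(1)
    perms = re.search(r"\{([^}]*)\}", line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def explain(avc_line, syscall_line):
    """Join an AVC record with its SYSCALL record and decode the call."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("records belong to different audit events")
    name = "unknown"
    if sc["arch"] == X86_64_ARCH:
        name = X86_64_SYSCALLS.get(int(sc["syscall"]), "unknown")
    mode = []
    if name == "access":                      # a1 is the mode argument, in hex
        bits = int(sc["a1"], 16)
        mode = [n for b, n in ACCESS_BITS.items() if bits & b]
    exit_code = int(sc["exit"])
    return {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "syscall": name,
        "access_mode": mode,
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
    }
```

For these records `explain(AVC, SYSCALL)` reports an `access` call with mode `X_OK` failing with `EACCES`: the denial was logged for an executability check on the file by `xdm_t`, not for an `execve` of it.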