Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.

Antonio Olivares olivares14031 at yahoo.com
Mon Apr 27 22:10:01 UTC 2009


I'll copy/paste alerts one by one :


Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                .kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          gray
Source RPM Packages           kdelibs-4.2.2-9.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     gray
Platform                      Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   92
First Seen                    Thu 23 Apr 2009 08:34:03 PM CDT
Last Seen                     Tue 28 Apr 2009 04:52:40 PM CDT
Local ID                      bfed3a21-1e6d-40ce-bd73-53aaabd164a7
Line Numbers                  

Raw Audit Messages            

node=gray type=AVC msg=audit(1240955560.271:36): avc:  denied  { search } for  pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                /.kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          gray
Source RPM Packages           kdelibs-4.2.2-9.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     gray
Platform                      Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 23 Apr 2009 08:34:03 PM CDT
Last Seen                     Tue 28 Apr 2009 04:52:40 PM CDT
Local ID                      6da3a105-c4c8-4352-bd0e-3f438b1634a8
Line Numbers                  

Raw Audit Messages            

node=gray type=AVC msg=audit(1240955560.107:34): avc:  denied  { getattr } for  pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=gray type=SYSCALL msg=audit(1240955560.107:34): arch=c000003e syscall=6 success=no exit=-13 a0=7fff38fa1c80 a1=7fff38fa1b80 a2=7fff38fa1b80 a3=6d3b20 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.

Detailed Description:

SELinux denied access requested by ck-get-x11-serv. It is not expected that this
access is required by ck-get-x11-serv and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_run_t:s0
Target Objects                gdm [ dir ]
Source                        ck-get-x11-serv
Source Path                   /usr/libexec/ck-get-x11-server-pid
Port                          <Unknown>
Host                          gray
Source RPM Packages           ConsoleKit-x11-0.3.0-8.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gray
Platform                      Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   9
First Seen                    Thu 23 Apr 2009 03:55:23 PM CDT
Last Seen                     Tue 28 Apr 2009 04:52:47 PM CDT
Local ID                      93d6261d-88da-4ca0-9328-743e29739a13
Line Numbers                  

Raw Audit Messages            

node=gray type=AVC msg=audit(1240955567.631:44): avc:  denied  { search } for  pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir

node=gray type=SYSCALL msg=audit(1240955567.631:44): arch=c000003e syscall=21 success=no exit=-13 a0=7fff62086fab a1=4 a2=0 a3=7fff62083710 items=0 ppid=1937 pid=1938 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)



I have tried the fixes.  I still see the same sealerts :(

touch, reboot autorelabel.

I have booted in permissive mode and still see the alters :(

Should I file a bug here?

Thanks,

Antonio 





      




More information about the fedora-selinux-list mailing list