Bug 118757

Summary: SELinux FAQ tracker bug
Product: [Fedora] Fedora Documentation
Component: selinux-faq
Reporter: Karsten Wade <kwade>
Assignee: Karsten Wade <kwade>
QA Contact: Tammy Fox <tammy.c.fox>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: devel
CC: eric, k.georgiou, thorpy2
Hardware: All
OS: Linux
URL: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
Doc Type: Bug Fix
Last Closed: 2009-06-08 19:58:43 UTC
Bug Depends On: 119323, 119417, 119461, 119472, 119572, 119573, 119649, 119719, 119757, 119787, 119851, 119852, 120075, 120204, 120211, 120222, 120236, 120424, 120551, 120957, 121225, 122794, 122849, 123451, 123561, 123562, 123563, 125148, 129240, 129917, 130714, 133403, 136258, 138465, 138762, 138764, 138767, 139433, 142182, 143490, 144696, 144697, 144918, 145876, 147915, 148030, 150500, 151957, 152352, 152370, 153702, 154273, 155300, 155302, 159572, 161034, 161035, 161678    
Attachments: Why I cannot print (attachment 289887)

Description Karsten Wade 2004-03-19 20:56:36 UTC
This bug is the master tracker bug for all changes to the Fedora Docs
Project SELinux FAQ.  The purpose of this tracker is to assist in
project management when there is a high volume of bug reports for the
FAQ, such as following a test release.  All new bugs against the FAQ
should block this bug.  This ensures the bug report does not slip
through the cracks.

Comment 1 mike keenor 2007-12-18 12:53:53 UTC
Created attachment 289887 [details]
Why I cannot print 

Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them. This can indicate
    a labeling problem, especially if the files being referred to are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var, /dev, /tmp, ..., should not be labeled with the default label.

    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system; to relabel execute: "touch /.autorelabel; reboot"

Additional Information

Source Context		      system_u:system_r:procmail_t
Target Context		      system_u:object_r:default_t
Target Objects		      root [ dir ]
Affected RPM Packages	      procmail-3.22-19.fc7 [application]
			      filesystem-2.4.6-1.fc7 [target]
Policy RPM		      selinux-policy-2.6.4-8.fc7
Selinux Enabled 	      True
Policy Type		      targeted
MLS Enabled		      True
Enforcing Mode		      Enforcing
Plugin Name		      plugins.default
Host Name		      d58-108-21-9.dsl.vic.optusnet.com.au
Platform		      Linux d58-108-21-9.dsl.vic.optusnet.com.au
			      2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007
			      i686 i686
Alert Count		      1
First Seen		      Sat 25 Aug 2007 12:03:40 AM WST
Last Seen		      Sat 25 Aug 2007 12:03:40 AM WST
Local ID		      eef9b303-e05b-4bdb-a401-890c586e6c33
Line Numbers		      

Raw Audit Messages	      

avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 
exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" 
pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
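The raw audit message is the part of the report worth reading mechanically: the target type tells you whether you are looking at a labeling problem (relabel, as the report says) or a genuine access decision (boolean, relabel to a type the domain may use, or a policy module). The shell functions below are an added example for this discussion, not code from the FAQ or from setroubleshoot. They parse AVC lines in the format pasted above and flag targets typed default_t, unlabeled_t or file_t as LABELING; everything else is reported as POLICY. The first sample line is the message from this report; the second is constructed.

```shell
#!/bin/sh
# AVC denial triage. Added example for this FAQ discussion; not code from the
# FAQ, from setroubleshoot or from audit2allow.

# avc_field LINE KEY -> value of the KEY=value token (surrounding quotes
# stripped), empty if the key is absent.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perms LINE -> the permission list between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE -> VERDICT|source_type|target_type|class|perms|name
# LABELING: target carries a default/unlabeled type; fix with restorecon/chcon
#           (or /.autorelabel), do not write an allow rule for it.
# POLICY:   a real access decision; decide between a boolean, relabeling the
#           object to a type the domain is allowed to use, or a local module.
avc_triage() {
    line=$1
    st=$(ctx_type "$(avc_field "$line" scontext)")
    tt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    name=$(avc_field "$line" name)
    case "$tt" in
        default_t|unlabeled_t|file_t) verdict=LABELING ;;
        *)                            verdict=POLICY ;;
    esac
    printf '%s|%s|%s|%s|%s|%s\n' "$verdict" "$st" "$tt" "$cls" "$perms" "$name"
}

# Sample input: line 1 is the raw audit message from the report above;
# line 2 is constructed for this example.
demo_triage() {
    while read -r line; do
        if [ -n "$line" ]; then avc_triage "$line"; fi
    done <<'EOF'
avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
avc: denied { read write } for pid=4242 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

demo_triage
```

For the report above the first line comes out as LABELING|procmail_t|default_t|dir|search|root, which matches the advice in the report: /root is under a standard system directory and should never carry default_t, so the answer is to restore its label, not to let procmail_t search default_t. Feed the function real lines with `grep 'avc: *denied' /var/log/audit/audit.log` (or `ausearch -m avc`); only the parsing is done here, so it runs on any machine, SELinux or not.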

Comment 2 Penelope Fudd 2008-02-18 07:03:12 UTC
Additional FAQ:

I have an avc denial, I'm following "I have some avc denials that I would like
to allow, how do I do this?", and I've created a local.te file.

The problem is, I've done this before, and if I load my new local.te file, I'll
erase my previous changes, whatever they were (it's been a while; the local.te
file from back then is gone).

How do I merge my new changes with the existing local rules?

Two ideas come to mind:
  1. Decompiling the 'local' ruleset.
  2. Listing the existing rulesets, so I can rename my local.te to local2.te
without fear of collision (I may have generated a local2.te before).

Suggestions?

Thanks!
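One way to handle the merge problem in the question above, added here as an example and not taken from the FAQ or from audit2allow: keep the old local.te around and build the new module as the union of the old file and the freshly generated one, then install it under the same name with a bumped version so it replaces the installed module instead of silently dropping its rules. The two input modules in demo_merge are constructed for this example.

```shell
#!/bin/sh
# merge_te: union two or more audit2allow-style .te modules into one module.
# Added example for this FAQ question; not code from the FAQ or from audit2allow.

# Print the declarations inside every require { ... } block, one per line.
te_requires() {
    awk '/^[ \t]*require[ \t]*[{]/ { inreq = 1; next }
         inreq && /^[ \t]*[}]/      { inreq = 0; next }
         inreq { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 != "") print }' "$@"
}

# Print the access-vector rules found outside require blocks. The module line
# and audit2allow's "#===== domain =====" comments are dropped and regenerated.
te_rules() {
    awk '/^[ \t]*require[ \t]*[{]/ { inreq = 1; next }
         inreq && /^[ \t]*[}]/      { inreq = 0; next }
         !inreq && /^[ \t]*(allow|dontaudit|auditallow|type_transition)[ \t]/ {
             sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }' "$@"
}

# merge_te NAME VERSION FILE... -> merged module on stdout.
# Identical lines are deduplicated. The same permission spelled differently
# (e.g. inside { read getattr }) is kept twice; that is redundant but harmless
# to checkmodule, as are repeated type/class requires.
merge_te() {
    name=$1; ver=$2; shift 2
    printf 'module %s %s;\n\nrequire {\n' "$name" "$ver"
    te_requires "$@" | sort -u | awk '{ print "\t" $0 }'
    printf '}\n\n'
    te_rules "$@" | sort -u
}

# Constructed inputs (not from the bug report): the .te of the module that is
# already installed, and a fresh local.te that audit2allow just produced.
demo_merge() {
    d=$(mktemp -d) || return 1
    printf 'module local 1.0;\n\nrequire {\n\ttype httpd_t;\n\ttype var_log_t;\n\tclass dir search;\n}\n\n#============= httpd_t ==============\nallow httpd_t var_log_t:dir search;\n' > "$d/old_local.te"
    printf 'module local 1.0;\n\nrequire {\n\ttype httpd_t;\n\ttype var_log_t;\n\tclass file { read getattr };\n}\n\n#============= httpd_t ==============\nallow httpd_t var_log_t:file { read getattr };\n' > "$d/new_local.te"
    merge_te local 1.1 "$d/old_local.te" "$d/new_local.te"
    rm -rf "$d"
}

demo_merge
```

Build and install the merged file the way the FAQ entry does for a single local.te (`checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp`); because the module name is unchanged, semodule replaces the installed "local" with the union. `semodule -l` lists the installed module names, which answers the second idea in the question (pick a name that is not already taken). For the first idea, decompiling, note that policycoreutils releases much later than the Fedora 7 one in this bug can write an installed module back out: `semodule -E local` extracts local.pp, and `semodule -c -E local` extracts it as readable CIL (local.cil), which is enough to recover the rules when the original .te is gone.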

Comment 3 eric 2009-06-08 19:58:43 UTC
This project has been moved to https://fedoraproject.org/wiki/SELinux_FAQ.  Please either make the necessary changes or use the "discussion" page for requests for changes.