Bug 118757
Description
Karsten Wade
2004-03-19 20:56:36 UTC
Created attachment 289887
Why I cannot print
Summary
SELinux is preventing access to files with the default label, default_t.
Detailed Description
SELinux permission checks on files labeled default_t are being denied.
These files/directories have the default label on them. This can indicate a
labeling problem, especially if the files being referred to are not top
level directories. Any files/directories under standard system directories,
/usr, /var, /dev, /tmp, ..., should not be labeled with the default label.
The default label is for files/directories which do not have a label on a
parent directory. So if you create a new directory in / you might
legitimately get this label.
Allowing Access
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information
Source Context: system_u:system_r:procmail_t
Target Context: system_u:object_r:default_t
Target Objects: root [ dir ]
Affected RPM Packages: procmail-3.22-19.fc7 [application], filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-8.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.default
Host Name: d58-108-21-9.dsl.vic.optusnet.com.au
Platform: Linux d58-108-21-9.dsl.vic.optusnet.com.au 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count: 1
First Seen: Sat 25 Aug 2007 12:03:40 AM WST
Last Seen: Sat 25 Aug 2007 12:03:40 AM WST
Local ID: eef9b303-e05b-4bdb-a401-890c586e6c33
Line Numbers
Raw Audit Messages
avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0
exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root"
pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
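
The triage that the report's "Detailed Description" and "Allowing Access" sections describe, as an added example (not part of the original report and not setroubleshoot's code): it parses the raw AVC message, builds the allow rule a local policy module would need, and flags a default_t target as a labeling problem to fix by relabeling instead. The function names and the `LABELING_TYPES` set are assumptions made for illustration.

```python
import re

# Constructed input: the raw audit message from the report above, joined onto one line.
AVC = (
    'avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" '
    'pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 '
    'subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0'
)

# Types that point at a labeling problem rather than missing policy.
# Only default_t is taken from the report; extend the set for your own policy.
LABELING_TYPES = {"default_t"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    fields = {"perms": m.group(1).split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        fields[key] = quoted or bare
    return fields


def selinux_type(context):
    """A context is user:role:type[:level]; the type is the third field."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def triage(line):
    """Classify a denial: fix the label, or review it as a policy question."""
    avc = parse_avc(line)
    if avc is None or "scontext" not in avc or "tcontext" not in avc:
        return None
    source, target = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    rule = "allow %s %s:%s %s;" % (source, target, avc.get("tclass", "?"), perm_text)
    action = "relabel" if target in LABELING_TYPES else "review_policy"
    return {"action": action, "object": avc.get("name"), "rule": rule}
```

For the denial in this report the result is `relabel`: the rule is still produced for reference, but loading it would grant procmail_t search on every directory left at default_t.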
Additional FAQ:
I have an avc denial, I'm following "I have some avc denials that I would like to allow, how do I do this?", and I've created a local.te file. The problem is, I've done this before, and if I load my new local.te file, I'll erase my previous changes, whatever they were (it's been a while; the local.te file from back then is gone). How do I merge my new changes with the existing local rules?
Two ideas come to mind:
1. Decompiling the 'local' ruleset.
2. Listing the existing rulesets, so I can rename my local.te to local2.te without fear of collision (I may have generated a local2.te before).
Suggestions? Thanks!
This project has been moved to https://fedoraproject.org/wiki/SELinux_FAQ. Please either make the necessary changes or use the "discussion" page for requests for changes.