Bug 426711
| Summary: | selinux when updatedb runs on file with type unlabeled_t (?) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Need Real Name <bugzilla> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-12-31 12:31:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Note this same file also gives selinux problems when setroubleshootd runs:
type=AVC msg=audit(1198394047.881:284): avc: denied { getattr } for pid=2868
comm="setroubleshootd" name="myfile" dev=sdc5 ino=15908870
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
How did you get an unlabeled_t file? You should not have these on your system. This should only happen if you install a policy module, and label a file based on that module, then remove the policy module. restorecon -R -v /mnt/drive/myfile should fix this. One other way this could happen is if you had labeled this file system on a different SELinux machine and have now mounted it on a different machine with a different selinux policy. unlabeled_t means the file has a label on it that the kernel/policy does not understand. Thanks - the unlabeled files came from an older drive that I had mounted and probably was pre-selinux labeling. I guess I am still not sure why it should be an error for updatedb or setroubleshootd to read these files. In fact it is a bit ironic that the selinux error when updatedb reads the unlabeled files triggers setroubleshootd which then generates its own selinux error. If that is the desired behavior, it is fine with me since it is easy to label/relable so the selinux errors aren't troublesome. Just curious whether this is the right behavior. Thanks |
Description of problem: I seem to get selinux error messages whenever updatedb runs on a file with type unlabeled_t type=AVC msg=audit(1197455827.650:482): avc: denied { getattr } for pid=10076 comm="updatedb" path="/mnt/drive/myfile" dev=sdc5 ino=15908866 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir type=AVC msg=audit(1197455827.693:483): avc: denied { search } for pid=10076 comm="updatedb" name="myfile" dev=sdc5 ino=15908866 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir type=AVC msg=audit(1197455827.695:484): avc: denied { read } for pid=10076 comm="updatedb" name="myfile" dev=sdc5 ino=15908866 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir