Bug 440012

Summary: SELinux is preventing access to files with the label, file_t.
Product: [Fedora] Fedora
Component: pulseaudio
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: low
Priority: low
Keywords: SELinux
Reporter: Matěj Cepl <mcepl>
Assignee: Lennart Poettering <lpoetter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lkundrak, mcepl, pierre-bugzilla
Doc Type: Bug Fix
Last Closed: 2008-04-04 20:15:51 UTC

Description Matěj Cepl 2008-04-01 11:25:41 UTC
Description of problem:

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:file_t
Target Objects                ./.esd-500 [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz
                              2.6.25-0.172.rc7.git4.fc9.i686 #1 SMP Fri Mar 28
                              21:46:59 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue 1 April 2008, 12:41:24 CEST
Last Seen                     Tue 1 April 2008, 12:41:24 CEST
Local ID                      d0a1d6b3-08ff-40b0-9fad-f4bf298ee6c5
Line Numbers                  

Raw Audit Messages            

host=viklef.ceplovi.cz type=AVC msg=audit(1207046484.23:50): avc:  denied  {
read } for  pid=8753 comm="tmpwatch" name=".esd-500" dev=dm-0 ino=6044453
scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207046484.23:50): arch=40000003
syscall=5 success=no exit=-13 a0=804ac62 a1=98800 a2=0 a3=0 items=0 ppid=8751
pid=8753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0 key=(null)

Version-Release number of selected component (if applicable):
pulseaudio-0.9.10-1.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch

Comment 1 Matěj Cepl 2008-04-01 11:32:39 UTC
And one more:


Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:file_t
Target Objects                ./pid [ file ]
Source                        pulseaudio
Source Path                   /usr/bin/pulseaudio
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages           pulseaudio-0.9.10-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz
                              2.6.25-0.163.rc7.git1.fc9.i686 #1 SMP Thu Mar 27
                              09:56:04 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue 1 April 2008, 11:13:19 CEST
Last Seen                     Tue 1 April 2008, 11:13:19 CEST
Local ID                      1ac32fac-fc6b-44af-9ed7-b23d25d3964c
Line Numbers                  

Raw Audit Messages            

host=viklef.ceplovi.cz type=AVC msg=audit(1207041199.679:4349): avc:  denied  {
read write } for  pid=12266 comm="pulseaudio" name="pid" dev=dm-0 ino=6733720
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207041199.679:4349):
arch=40000003 syscall=5 success=no exit=-13 a0=bf84c324 a1=28142 a2=180 a3=28142
items=0 ppid=12259 pid=12266 auid=4294967295 uid=42 gid=42 euid=42 suid=42
fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Comment 2 Lennart Poettering 2008-04-02 16:31:03 UTC
I am not sure what the first dump has to do with PA?

Also, this sounds like a SELinux policy error to me?

Comment 3 Daniel Walsh 2008-04-04 20:15:51 UTC
This is a labeling problem, not sure how it was created.  It has nothing to do
with pulseaudio.

A relabel of the file system and a clearing out of /tmp should fix.
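
Added example, not part of the original bug report or of any project mentioned in it: a small triage script that parses AVC denial records and separates denials whose target type is file_t (an unlabeled file, so a labeling problem) from denials against labeled targets. The sample input is constructed from the two AVC records quoted above, unwrapped onto single lines, plus one made-up denial (`exampled`, `example_t`) for contrast; the function names are hypothetical.

```python
import re

# Constructed sample: the two AVC records from this report on single lines,
# plus one invented denial against a properly labeled target (var_lib_t).
SAMPLE_AUDIT = """\
host=viklef.ceplovi.cz type=AVC msg=audit(1207046484.23:50): avc:  denied  { read } for  pid=8753 comm="tmpwatch" name=".esd-500" dev=dm-0 ino=6044453 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
host=viklef.ceplovi.cz type=AVC msg=audit(1207041199.679:4349): avc:  denied  { read write } for  pid=12266 comm="pulseaudio" name="pid" dev=dm-0 ino=6733720 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
host=example.invalid type=AVC msg=audit(1207050000.100:60): avc:  denied  { write } for  pid=9001 comm="exampled" name="state" dev=dm-0 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or ''."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def unlabeled_targets(audit_text):
    """List (dev, inode, name, class, source type) for denials on file_t targets."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == "file_t":
            hits.append((rec.get("dev"), int(rec.get("ino", 0)),
                         rec.get("name"), rec.get("tclass"), rec["stype"]))
    return hits


if __name__ == "__main__":
    for hit in unlabeled_targets(SAMPLE_AUDIT):
        print("unlabeled target (relabel, not a policy change):", hit)
```

Both denials from this report land in the file_t bucket regardless of the source domain (tmpreaper_t, xdm_t), which matches the conclusion in Comment 3; the reported inode numbers can be resolved to paths with `find <mountpoint> -xdev -inum <ino>` before running restorecon.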