Bug 443282
Summary: | SELinux is preventing rm (hald_t) "rmdir" to ./storage (var_run_t). | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
Component: | hal | Assignee: | David Zeuthen <davidz> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Keywords: | SELinux |
Priority: | low | CC: | dwalsh, mcepl, mclasen, pertusus |
Version: | rawhide | Doc Type: | Bug Fix |
Hardware: | All | Last Closed: | 2008-04-20 11:00:30 UTC |
OS: | Linux | | |
Description
Matěj Cepl
2008-04-20 06:26:59 UTC
OK, so this is suspend/resume in the Permissive mode:

    Souhrn:

    SELinux is preventing rm (hald_t) "rmdir" to ./storage (var_run_t).

    Podrobný popis:

    [SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
    kvůli uvolněnému režimu.]

    SELinux denied access requested by rm. It is not expected that this access is
    required by rm and this access may signal an intrusion attempt. It is also
    possible that the specific version or configuration of the application is
    causing it to require additional access.

    Povolení přístupu:

    Sometimes labeling problems can cause SELinux denials. You could try to restore
    the default system file context for ./storage,

    restorecon -v './storage'

    If this does not work, there is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see FAQ
    (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not recommended.
    Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
    against this package.

    Další informace:

    Kontext zdroje                system_u:system_r:hald_t
    Kontext cíle                  system_u:object_r:var_run_t
    Objekty cíle                  ./storage [ dir ]
    Zdroj                         rm
    Cesta zdroje                  /bin/rm
    Port                          <Neznámé>
    Počítač                       viklef
    RPM balíčky zdroje            coreutils-6.10-18.fc9
    RPM balíčky cíle
    RPM politiky                  selinux-policy-3.3.1-35.fc9
    Selinux povolen               True
    Typ politiky                  targeted
    MLS povoleno                  True
    Vynucovací režim              Permissive
    Název zásuvného modulu        catchall_file
    Název počítače                viklef
    Platforma                     Linux viklef 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17 01:47:10 EDT 2008 i686 i686
    Počet uporoznění              1
    Poprvé viděno                 Ne 20. duben 2008, 08:55:42 CEST
    Naposledy viděno              Ne 20. duben 2008, 08:55:42 CEST
    Místní ID                     8d4a088f-d50c-4b5e-a1cc-9937be01ee69
    Čísla řádků

    Původní zprávy auditu

    host=viklef type=AVC msg=audit(1208674542.225:55): avc: denied { rmdir } for pid=12575 comm="rm" name="storage" dev=dm-0 ino=1275335 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

    host=viklef type=SYSCALL msg=audit(1208674542.225:55): arch=40000003 syscall=301 success=yes exit=0 a0=ffffff9c a1=8540150 a2=200 a3=8540150 items=2 ppid=12084 pid=12575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:hald_t:s0 key=(null)

    host=viklef type=CWD msg=audit(1208674542.225:55): cwd="/usr/lib/hal/scripts"

    host=viklef type=PATH msg=audit(1208674542.225:55): item=0 name="/var/run/pm-utils/" inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0

    host=viklef type=PATH msg=audit(1208674542.225:55): item=1 name="/var/run/pm-utils/storage" inode=1275335 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0

This is a labeling problem on /var/run/pm-utils

    restorecon -R -v /var/run/pm-utils

Will fix it. If it comes back afterwards then some tool is creating this directory without labeling it correctly.

Restorecon actually did nothing (see below) and if I am not greatly mistaken, the label is still the same as before (well, there is no /var/run/pm-utils/storage at all currently, it is probably created just during suspend):

    [root@viklef ~]# restorecon -R -v /var/run/pm-utils/
    [root@viklef ~]# ls -lZ /var/run/pm-utils/
    drwxr-xr-x root root system_u:object_r:var_run_t locks
    [root@viklef ~]#

Will try another suspend.

Which policy do you have installed? selinux-policy-3.3.1-35 has

    +/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)

Which means these files should be labeled hald_var_run_t

OK, then it is probably really NOTABUG. No idea.
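The labeling check discussed in this thread, as an added example that is not part of the original report or of any SELinux tool: it joins the AVC denial to its PATH record by inode to recover the full path, then compares the target's type with the type the quoted file-context entry assigns. It assumes that entry is the one in effect; the function names and the simplified last-match lookup are illustrative.

```python
import re

# Audit records copied from the report above: the AVC denial and its two PATH items.
RECORDS = [
    'host=viklef type=AVC msg=audit(1208674542.225:55): avc: denied { rmdir } for pid=12575 '
    'comm="rm" name="storage" dev=dm-0 ino=1275335 scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir',
    'host=viklef type=PATH msg=audit(1208674542.225:55): item=0 name="/var/run/pm-utils/" '
    'inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0',
    'host=viklef type=PATH msg=audit(1208674542.225:55): item=1 name="/var/run/pm-utils/storage" '
    'inode=1275335 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0',
]
# Entry quoted in the thread, gen_context() expanded by hand; assumed to be the one in effect.
FILE_CONTEXTS = [(r'/var/run/pm-utils(/.*)?', 'system_u:object_r:hald_var_run_t:s0')]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
EVENT = re.compile(r'audit\(([\d.]+:\d+)\)')  # timestamp:serial shared by one event
PERMS = re.compile(r'\{ ([^}]*)\}')           # permission set of an AVC record

def parse(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec['event'] = EVENT.search(line).group(1)
    rec['perms'] = ' '.join(PERMS.findall(line)).split()
    return rec

def expected_context(path, file_contexts):
    """Context of the last entry whose regex matches the whole path (simplified lookup)."""
    hits = [ctx for pat, ctx in file_contexts if re.fullmatch(pat, path)]
    return hits[-1] if hits else None

def diagnose(lines, file_contexts):
    """Pair each AVC denial with its PATH record and compare actual and expected type."""
    recs = [parse(line) for line in lines]
    paths = {(r['event'], r['inode']): r for r in recs if r['type'] == 'PATH'}
    findings = []
    for avc in (r for r in recs if r['type'] == 'AVC'):
        target = paths.get((avc['event'], avc.get('ino')))
        if target is None:  # no PATH record for this inode, so the full path is unknown
            continue
        want = expected_context(target['name'], file_contexts)
        want_type = want.split(':')[2] if want else None
        have_type = avc['tcontext'].split(':')[2]
        findings.append({'path': target['name'], 'perms': avc['perms'],
                         'source_type': avc['scontext'].split(':')[2], 'actual_type': have_type,
                         'expected_type': want_type, 'mislabeled': want_type not in (None, have_type)})
    return findings

if __name__ == '__main__':
    print(diagnose(RECORDS, FILE_CONTEXTS))
```

A finding with `mislabeled` set means the denial is explained by the object's label rather than by a missing allow rule, which is the case `restorecon` is meant to repair.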