Bug 444307

Summary: system-config-selinux stopped by AVC
Product: [Fedora] Fedora Reporter: John Poelstra <poelstra>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-28 09:07:19 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 235706    

Description John Poelstra 2008-04-26 18:08:05 EDT
Description of problem:
starting up system-config-selinux return an AVC error saying that SELinux has
denied semodule access to potentially mislabeled file(s)
(/home/jonu/.xsession-errors.

ran restorecon -v '/home/jonu/.xsession-errors' and problem still persists

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-35.fc9.noarch

How reproducible:
100% 


Summary:

SELinux is preventing the semodule from using potentially mislabeled files
(/home/jonu/.xsession-errors).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s)
(/home/jonu/.xsession-errors). This means that SELinux will not allow semodule
to use these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want semodule to access this files, you need to relabel them using
restorecon -v '/home/jonu/.xsession-errors'. You might want to relabel the
entire directory using restorecon -R -v '/home/jonu'.

Additional Information:

Source Context                unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c102
                              3
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/jonu/.xsession-errors [ file ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           policycoreutils-2.0.46-5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 26 Apr 2008 03:02:49 PM PDT
Last Seen                     Sat 26 Apr 2008 03:04:13 PM PDT
Local ID                      44bec79b-c411-4900-9079-8f6aae54215c
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209247453.573:71): avc:  denied  { append }
for  pid=8371 comm="semodule" path="/home/jonu/.xsession-errors" dev=sdb1
ino=31883266 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=yardsale type=SYSCALL msg=audit(1209247453.573:71): arch=c000003e
syscall=59 success=yes exit=0 a0=174d5f0 a1=174d990 a2=174c770 a3=340dd67a70
items=0 ppid=8370 pid=8371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule" exe="/usr/sbin/semodule"
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-04-28 09:07:19 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

It will be dontaudted in the future

Fixed in selinux-policy-3.3.1-43.fc9.noarch