Bug 457049

Summary: SELinux is preventing the semodule from using potentially mislabeled ~/.xsession-errors
Product: Fedora
Reporter: Charlie Brady <charlieb-fedora-bugzilla>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 9
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:05:19 UTC

Description Charlie Brady 2008-07-29 13:34:39 UTC
SELinux enabled, in permissive mode.

Summary:

SELinux is preventing the semodule from using potentially mislabeled files
(/home/charlieb/.xsession-errors).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s)
(/home/charlieb/.xsession-errors). This means that SELinux will not allow
semodule to use these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which confined
applications are not allowed to access.

Allowing Access:

If you want semodule to access this files, you need to relabel them using
restorecon -v '/home/charlieb/.xsession-errors'. You might want to relabel the
entire directory using restorecon -R -v '/home/charlieb'.

Additional Information:

Source Context                unconfined_u:unconfined_r:semanage_t:s0
Target Context                unconfined_u:object_r:unconfined_home_t:s0
Target Objects                /home/charlieb/.xsession-errors [ file ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           policycoreutils-2.0.52-5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-79.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25.11-97.fc9.x86_64 #1 SMP Mon Jul 21 01:09:10
                              EDT 2008 x86_64 x86_64
Alert Count                   5
First Seen                    Mon May  5 07:53:00 2008
Last Seen                     Tue Jul 29 09:14:35 2008
Local ID                      89d71620-05e0-4bdc-89f5-39b2d2beba9e
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1217337275.29:189): avc:  denied 
{ write } for  pid=3342 comm="semodule" path="/home/charlieb/.xsession-errors"
dev=dm-0 ino=328059 scontext=unconfined_u:unconfined_r:semanage_t:s0
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1217337275.29:189):
arch=c000003e syscall=59 success=yes exit=0 a0=1f06490 a1=1f06830 a2=1f05660
a3=3b56967a70 items=0 ppid=3244 pid=3342 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule"
exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)

Comment 1 Charlie Brady 2008-07-29 13:36:56 UTC
[charlieb@localhost ~]$ ls --lcontext .xsession-errors
-rw------- 1 unconfined_u:object_r:unconfined_home_t:s0 charlieb charlieb 2805
2008-07-29 09:28 .xsession-errors
[charlieb@localhost ~]$ 
[charlieb@localhost ~]$ sudo /sbin/restorecon -v '/home/charlieb/.xsession-errors'
[charlieb@localhost ~]$ ls --lcontext .xsession-errors
-rw------- 1 unconfined_u:object_r:unconfined_home_t:s0 charlieb charlieb 2805
2008-07-29 09:28 .xsession-errors
[charlieb@localhost ~]$ 

Comment 2 Daniel Walsh 2008-07-29 15:35:15 UTC
You can safely ignore this avc, this is a simple redirection of stdout to the
file and SELinux will not allow semanage to write to the file.

You probably read packagekit or system-config tool to generate this avc.



Comment 3 Charlie Brady 2008-07-29 15:44:57 UTC
(In reply to comment #2)
> You can safely ignore this avc, this is a simple redirection of stdout to the
> file and SELinux will not allow semanage to write to the file.

But what if my system was in enforcing mode? If semanage needs to run, then we
need to deal with this issue. 

> You probably read packagekit or system-config tool to generate this avc.

Sorry, I don't understand the comment. How would I "read packagekit" or "read
system-config tool"? I ran "System->Administration->SELinux Management", which I
presume is "semanage".




Comment 4 Daniel Walsh 2008-08-01 15:00:38 UTC
If this was in enforcing mode SELinux would have closed the open file descriptor
and replaced it with an open file descriptor to /dev/null. 
system-config-selinux(semanage) would have completed successfully.

If you run a configuration tool from the taskbar, you can generate these AVCs.
packagekit, SELinux Management, Service Manager etc. can all cause these.

Dontaudited in selinux-policy-3.3.1-81.fc9.src.rpm
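
Added here as an illustration, not part of the bug report or of the selinux-policy package: a small Python triage that applies the explanation in this thread to the AVC/SYSCALL pair from the report. It assumes the sample records embedded in the block, which are constructed from the report plus one invented enforcing-mode contrast case, and it emits the raw dontaudit rule form rather than a refpolicy interface.

```python
import re
# Constructed sample: the first AVC/SYSCALL pair mirrors the records in this bug
# (permissive mode, denial raised during execve); the second pair is an invented
# enforcing-mode write() denial on a home file, added for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1217337275.29:189): avc:  denied  { write } for  pid=3342 comm="semodule" path="/home/charlieb/.xsession-errors" dev=dm-0 ino=328059 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file
type=SYSCALL msg=audit(1217337275.29:189): arch=c000003e syscall=59 success=yes exit=0 items=0 ppid=3244 pid=3342 auid=500 uid=0 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1217337300.00:190): avc:  denied  { write } for  pid=3400 comm="semodule" path="/home/charlieb/local.pp" dev=dm-0 ino=328100 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file
type=SYSCALL msg=audit(1217337300.00:190): arch=c000003e syscall=1 success=no exit=-13 items=0 ppid=3244 pid=3400 auid=500 uid=0 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)
"""

EXECVE = {"c000003e": "59"}  # execve syscall number per audit arch (x86_64 only here)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

def parse_record(line):
    """Split one audit line into its event serial, key=value fields and permission set."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    serial, perms = SERIAL_RE.search(line), PERMS_RE.search(line)
    return {"serial": serial.group(1) if serial else None, "fields": fields,
            "perms": perms.group(1).split() if perms else []}

def triage(audit_text):
    """Pair each AVC with the SYSCALL record of the same serial and classify it.
    A file denial raised by execve is the kernel checking a descriptor inherited across
    the domain transition; in enforcing mode that descriptor is swapped for /dev/null
    and the program still runs, so the AVC is noise rather than a blocked access."""
    by_serial = {}
    for line in filter(str.strip, audit_text.splitlines()):
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["fields"]["type"]] = rec
    results = []
    for serial, recs in by_serial.items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        f = avc["fields"]
        sf = recs["SYSCALL"]["fields"] if "SYSCALL" in recs else {}
        at_exec = sf.get("syscall") == EXECVE.get(sf.get("arch"))
        results.append({"serial": serial, "path": f.get("path"), "tclass": f["tclass"],
                        "source_type": f["scontext"].split(":")[2], "perms": avc["perms"],
                        "target_type": f["tcontext"].split(":")[2],
                        "verdict": "inherited-fd" if at_exec and f["tclass"] == "file" else "real-access"})
    return results

def dontaudit_rule(result):
    """Raw rule that silences the denial without granting access (the fix applied here)."""
    return "dontaudit %s %s:%s { %s };" % (result["source_type"], result["target_type"],
                                           result["tclass"], " ".join(result["perms"]))
```

Only the execve-time denial gets the dontaudit treatment; the contrast record, a real write() refused with exit=-13, is the kind of AVC that still needs a labeling or policy decision.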


Comment 5 Daniel Walsh 2008-11-17 22:05:19 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.