Bug 505851

Summary: SELinux is preventing access to files with the label, file_t.
Product: [Fedora] Fedora
Reporter: Juergen Wieczorek <juergenw_>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 11
CC: dwalsh, identifiedcall02, jkubin, mgrepl, sabalevaishali222
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-15 19:11:24 UTC

Description Juergen Wieczorek 2009-06-14 10:40:45 UTC
Description of problem:


Zusammenfassung:

SELinux is preventing access to files with the label, file_t.

Detaillierte Beschreibung:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Zugriff erlauben:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:file_t:s0
Zielobjekte                   jwi [ dir ]
Quelle                        kdm_greet
Quellen-Pfad                  /usr/libexec/kde4/kdm_greet
Port                          <Unbekannt>
Host                          marvin42.local
Quellen-RPM-Pakete            kdm-4.2.2-5.fc11
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.12-39.fc11
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   file
Hostname                      marvin42.local
Plattform                     Linux marvin42.local 2.6.29.4-167.fc11.x86_64 #1
                              SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                Sa 13 Jun 2009 12:36:29 CEST
Zuletzt gesehen               Sa 13 Jun 2009 12:36:29 CEST
Lokale ID                     7fa206e6-945a-41c3-9f12-9e85f568e20d
Zeilennummern                 

Raw-Audit-Meldungen           

node=marvin42.local type=AVC msg=audit(1244889389.339:13235): avc:  denied  { search } for  pid=2002 comm="kdm_greet" name="jwi" dev=sda8 ino=4767745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

node=marvin42.local type=SYSCALL msg=audit(1244889389.339:13235): arch=c000003e syscall=2 success=no exit=819625944 a0=1637f68 a1=800 a2=1637f68 a3=7fffd04aa620 items=0 ppid=1991 pid=2002 auid=4294967295 uid=0 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Miroslav Grepl 2009-06-15 05:02:48 UTC
Did you try what the setroubleshoot command told you to do?

touch /.autorelabel; reboot


This will fix the labeling problem. But the question is how you got files without labels onto your system.

Comment 2 Miroslav Grepl 2009-06-15 05:06:43 UTC
Did you add a disk created on a non-SELinux system?

Comment 3 Juergen Wieczorek 2009-06-15 08:10:30 UTC
Ah, now I see.
The /home partition is shared with other systems on my machine.

Comment 4 Daniel Walsh 2009-06-15 19:11:24 UTC
If you want the /home to remain unlabeled or be shared with systems that do not support SELinux, you can use a mount option on SELinux:

mount -o context=system_u:object_r:user_home_t:s0 DEVICE /home

Or add this to /etc/fstab.

Then SELinux will treat the entire disk as being labeled as user_home_t. If you have problems with this, you could try nfs_t, and make pretend the homedir is an NFS share. Then everything will work.
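
Added example, not part of the original thread and not setroubleshoot's own code: a small Python script that scans audit AVC records for denials whose target type is file_t and groups them by device, which identifies the filesystem that needs a relabel or a context= mount option. The second sample record, the inclusion of unlabeled_t, and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the AVC line from this report;
# the second is a made-up denial against a correctly labeled target, for contrast.
SAMPLE_AUDIT = '''\
node=marvin42.local type=AVC msg=audit(1244889389.339:13235): avc:  denied  { search } for  pid=2002 comm="kdm_greet" name="jwi" dev=sda8 ino=4767745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1244889400.100:13240): avc:  denied  { read } for  pid=2100 comm="example" name="notes" dev=sda2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

# file_t is the type named in this report; unlabeled_t is included as an
# assumption, as the related type for objects with a missing or invalid label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def target_type(context):
    # A context is user:role:type:level; the level can contain ':' itself.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None

def unlabeled_by_device(audit_text):
    """Map device name -> denials whose target carries no real label."""
    hits = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and target_type(rec.get("tcontext", "")) in UNLABELED_TYPES:
            hits[rec.get("dev", "?")].append(
                (rec.get("comm"), rec.get("name"), rec.get("tclass"), rec["perms"]))
    return dict(hits)

if __name__ == "__main__":
    for dev, denials in unlabeled_by_device(SAMPLE_AUDIT).items():
        print(f"{dev}: {len(denials)} denial(s) against unlabeled objects")
        for comm, name, tclass, perms in denials:
            print(f"  {comm} -> {name} ({tclass}) {{ {' '.join(perms)} }}")
```

On the record from this report the only device flagged is sda8, the partition holding the jwi directory.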
