Bug 524167
| Summary: | setroubleshoot: SELinux is preventing the /usr/sbin/abrtd from using potentially mislabeled files (.abrt). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andy Burns <fedora> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | dwalsh, jkubin, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:84ac4e7a310e564d65271bfaa40102620fe3401d894ca3a6a840d48ffbb70b78 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-18 11:59:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 524165 *** |
The following was filed automatically by setroubleshoot: Summary: SELinux is preventing the /usr/sbin/abrtd from using potentially mislabeled files (.abrt). Detailed Description: [abrtd has a permissive type (abrt_t). This access was not denied.] SELinux has denied abrtd access to potentially mislabeled file(s) (.abrt). This means that SELinux will not allow abrtd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want abrtd to access this files, you need to relabel them using restorecon -v '.abrt'. You might want to relabel the entire directory using restorecon -R -v '.abrt'. Additional Information: Source Context system_u:system_r:abrt_t:s0 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects .abrt [ dir ] Source abrtd Source Path /usr/sbin/abrtd Port <Unknown> Host (removed) Source RPM Packages abrt-0.0.8.5-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.31-2.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name (removed) Platform Linux (removed) 2.6.31-14.fc12.i686 #1 SMP Tue Sep 15 04:04:35 EDT 2009 i686 i686 Alert Count 4 First Seen Thu 17 Sep 2009 21:36:27 BST Last Seen Thu 17 Sep 2009 21:36:27 BST Local ID 40c4d990-2fa0-4e1b-a41b-61f2093ab05c Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1253219787.983:36): avc: denied { write } for pid=1346 comm="abrtd" name=".abrt" dev=dm-2 ino=82065 scontext=system_u:system_r:abrt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1253219787.983:36): avc: denied { add_name } for pid=1346 comm="abrtd" name="KerneloopsReporter.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1253219787.983:36): avc: denied { create } for pid=1346 comm="abrtd" name="KerneloopsReporter.conf" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file node=(removed) type=AVC msg=audit(1253219787.983:36): avc: denied { write } for pid=1346 comm="abrtd" name="KerneloopsReporter.conf" dev=dm-2 ino=15572 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1253219787.983:36): arch=40000003 syscall=5 success=yes exit=7 a0=969cd04 a1=8241 a2=1b6 a3=4819fe9 items=0 ppid=1 pid=1346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0 key=(null) audit2allow suggests: #============= abrt_t ============== allow abrt_t user_home_t:dir { write add_name }; allow abrt_t user_home_t:file { write create };