Bug 548748
| Summary: | SELinux is preventing access to files with the label, file_t. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Buzugenn <metayerclaire> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:7b56175fe1ec1ea45239b8813e20ca2f44fc00e44e4f915922e4e2daed31433f | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-12-18 13:59:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 537613 *** |
Résumé: SELinux is preventing access to files with the label, file_t. Description détaillée: [gdm-session-wor a un type permissif (xdm_t). Cet accès n'a pas été refusé.] SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a disk drive to the system you can relabel it using the restorecon command. For example if you saved the home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should relabel the entire file system. Autoriser l'accès: You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot" Informations complémentaires: Contexte source system_u:system_r:xdm_t:s0-s0:c0.c1023 Contexte cible system_u:object_r:file_t:s0 Objets du contexte /home/loreley [ dir ] source gdm-session-wor Chemin de la source /usr/libexec/gdm-session-worker Port <Inconnu> Hôte (removed) Paquetages RPM source gdm-2.28.1-25.fc12 Paquetages RPM cible Politique RPM selinux-policy-3.6.32-55.fc12 Selinux activé True Type de politique targeted Mode strict Enforcing Nom du plugin file Nom de l'hôte (removed) Plateforme Linux (removed) 2.6.31.6-166.fc12.x86_64 #1 SMP Wed Dec 9 10:46:22 EST 2009 x86_64 x86_64 Compteur d'alertes 49 Première alerte dim. 29 nov. 2009 17:43:50 CET Dernière alerte ven. 18 déc. 2009 13:03:30 CET ID local b0054b1e-c505-4541-b355-4db271e63b10 Numéros des lignes Messages d'audit bruts node=(removed) type=AVC msg=audit(1261137810.239:20): avc: denied { read write search } for pid=2188 comm="gdm-session-wor" name="loreley" dev=sda5 ino=8193 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1261137810.239:20): arch=c000003e syscall=21 success=yes exit=4294967424 a0=202dfb0 a1=7 a2=20 a3=a0 items=0 ppid=2110 pid=2188 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-55.fc12,file,gdm-session-wor,xdm_t,file_t,dir,read,write,search audit2allow suggests: #============= xdm_t ============== allow xdm_t file_t:dir { read write search };