Bug 715526

Summary: SELinux is preventing /usr/bin/gnome-power-manager from read access on the file /usr/share/icons/hicolor/icon-theme.cache.
Product: Fedora
Version: 15
Component: selinux-policy
Reporter: Michael Milverton <m.milverton>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, eparis, mgrepl, sdsmall
Status: CLOSED NOTABUG
Severity: low
Priority: unspecified
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-23 20:40:17 UTC

Description Michael Milverton 2011-06-23 07:47:07 UTC
Additional Information:
Source Context                user_u:user_r:user_t:s0
Target Context                staff_u:object_r:usr_t:s0:c0.c1023
Target Objects                /usr/share/icons/hicolor/icon-theme.cache [ file ]
Source                        gnome-power-man
Source Path                   /usr/bin/gnome-power-manager
Port                          <Unknown>
Host                          l.h
Source RPM Packages           gnome-shell-3.0.2-1.fc15
Target RPM Packages           hicolor-icon-theme-0.12-3.fc15
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     l.h
Platform                      Linux l.h 2.6.38.8-32.fc15.i686 #1 SMP Mon Jun 13
                              20:01:50 UTC 2011 i686 i686
Alert Count                   124
First Seen                    Thu 23 Jun 2011 09:48:41 AM WST
Last Seen                     Thu 23 Jun 2011 02:30:12 PM WST
Local ID                      a72d6e32-5afb-4d78-a5b0-21946c9ca6a2

Raw Audit Messages
type=AVC msg=audit(1308810612.991:2535): avc:  denied  { read } for  pid=1646 comm="gnome-shell" name="icon-theme.cache" dev=sda3 ino=154681 scontext=user_u:user_r:user_t:s0 tcontext=staff_u:object_r:usr_t:s0:c0.c1023 tclass=file


type=SYSCALL msg=audit(1308810612.991:2535): arch=i386 syscall=open success=no exit=EACCES a0=9f56ed0 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1646 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm=gnome-shell exe=/usr/bin/gnome-shell subj=user_u:user_r:user_t:s0 key=(null)

Hash: gnome-power-man,user_t,usr_t,file,read

Comment 1 Daniel Walsh 2011-06-23 13:26:52 UTC
restorecon -FR -v /usr/share/

Should fix the problem.

Comment 2 Daniel Walsh 2011-06-23 13:28:16 UTC
Steve, any suggestions on how we can avoid this constraint if we don't have ubac enabled?

Comment 3 Stephen Smalley 2011-06-23 14:35:39 UTC
That looks like a MCS/MLS constraint violation to me.
Why was the file labeled system high?

Comment 4 Daniel Walsh 2011-06-23 20:40:17 UTC
Oh, I missed that. I thought it was a violation on reading because of user_u versus staff_u.

Were you playing with chcon?

Comment 5 Michael Milverton 2011-06-24 01:45:24 UTC
Okay, sorry guys, I should have used restorecon first (still learning). I used semanage to change from the default unconfined to user_u, logged in once, then decided to change to staff_u, logged in once, then changed back to user_u. Each time I used restorecon on the home directory, as that is all I thought needed to be relabeled.

Comment 6 Daniel Walsh 2011-06-24 12:24:18 UTC
Michael, any idea how the MCS Level changed though?

Comment 7 Michael Milverton 2011-06-24 15:51:17 UTC
No, not really. Here is a brief summary of my .bash_history file; I can send you the whole file if you like, but I was really just following your article on setting up staff_u and sudo as well as changing __default__ to user_u. I used the GUI to change naomi from user_u to staff_u and back once, so that's missing here. The only other thing is that I switched (Switch User) from my account (staff_u) to my wife's account (user_u/staff_u) and switched back and forth a few times without ever doing a complete logout/login of her account.

adduser naomi
passwd naomi
semanage 
man semanage
semanage login --help
semanage login naomi -R user_u -M
semanage login -m naomi -R user_u
semanage login -a -s user_u naomi
semanage login -l
sesearch -T -s unconfined_t -t initrc_exec_t
seinfo -aunconfined_domain_type -x
semanage user -m -R"staff_r unconfined_r system_r" staff_u
semanage login -m -s user_u __default__
semanage login -m -s staff_u 
semanage login -a -s staff_u -r s0:c0.c1023 michael
setsebool -P samba_enable_home_dirs on
mkdir /storage/foo
restorecon -rv /storage

chcon -t samba_share_t /storage
chcon -t samba_share_t Public/
chcon -d samba_share_t Public/
chcon --help
chcon -t samba_share_t /var/shared

fcontext -a -t public_content_rw_t ’/storage(/.*)?’
fcontext -a -t public_content_rw_t '/storage(/.*)?'
fcontext
semanage fcontext -a -t public_content_rw_t '/storage(/.*)?'
semanage fcontext -a -t public_content_rw_t '/storage(/.*)?'
semanage fcontext -a -t samba_share_t '/storage(/.*)?'

Comment 8 Daniel Walsh 2011-06-24 16:57:49 UTC
semanage login -a -s staff_u -r s0:c0.c1023 michael
should have been

semanage login -a -s staff_u -r s0-s0:c0.c1023 michael

Comment 9 Michael Milverton 2011-06-25 00:47:07 UTC
Thanks Daniel, should help fix other AVC messages.

Comment 10 Daniel Walsh 2011-06-25 13:21:24 UTC
Michael, -r means range. What you had done was set the range of the michael process to s0:c0.c1023. This is usually referred to as SystemHigh. When you run with that label, every file you create will be labeled s0:c0.c1023, and confined applications will not be allowed to read the file.

When you run with a range like s0-s0:c0.c1023 that means your files will be created with the base of the range, s0, which is what is expected, then almost everything will be allowed to use the content.
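
A worked model of the levels involved, added here as an illustration; it is not code from the report or from selinux-policy. Comment 10 explains that a process labels new files with the low end of its range, and Comment 1 needs restorecon -F rather than plain restorecon because the file's type (usr_t) was already correct and only the MCS range was wrong, which plain restorecon does not reset. The script below pulls the two contexts out of the AVC line in the description, applies the MCS read rule to them, and shows what each of the two semanage -r spellings from Comment 8 does to newly created files. Assumed rather than taken from the page: categories named c0..c1023, and the targeted policy's MCS read constraint h1 dom l2 (the subject's high level must dominate the object's level). The function names and the embedded copy of the AVC line used as sample input are this example's own.

```python
# Added example, not code from the bug report or from selinux-policy: a small
# model of the MCS part of an SELinux context, to show why this AVC fires and
# what the two "semanage login -r" spellings do. Assumptions (not from the
# page): categories are named c0..c1023 and the read rule is the targeted
# policy's MCS constraint "h1 dom l2" (subject high level dominates object level).
import re
from dataclasses import dataclass

# Sample input: the raw AVC line from the report, copied verbatim.
AVC_FROM_BUG = (
    'type=AVC msg=audit(1308810612.991:2535): avc:  denied  { read } for  pid=1646 '
    'comm="gnome-shell" name="icon-theme.cache" dev=sda3 ino=154681 '
    'scontext=user_u:user_r:user_t:s0 tcontext=staff_u:object_r:usr_t:s0:c0.c1023 tclass=file'
)

@dataclass(frozen=True)
class Level:
    """One MLS/MCS level: sensitivity plus a set of categories."""
    sens: int
    cats: frozenset

    @classmethod
    def parse(cls, text):  # "s0", "s0:c0.c1023", "s0:c1,c5.c7"
        sens, _, cat_part = text.partition(":")
        if not re.fullmatch(r"s\d+", sens):
            raise ValueError(f"bad level {text!r}")
        cats = set()
        for item in filter(None, cat_part.split(",")):
            m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not m or (m.group(2) and int(m.group(1)) > int(m.group(2))):
                raise ValueError(f"bad category {item!r} in {text!r}")
            cats.update(range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1))
        return cls(int(sens[1:]), frozenset(cats))

    def dom(self, other):  # dominance: sensitivity >= and categories a superset
        return self.sens >= other.sens and self.cats >= other.cats

    def __str__(self):  # render categories back in the compact cN.cM form
        cats = sorted(self.cats)
        if not cats:
            return f"s{self.sens}"
        parts, start, prev = [], cats[0], cats[0]
        for c in cats[1:] + [None]:  # None flushes the final run
            if c is not None and c == prev + 1:
                prev = c
                continue
            parts.append(f"c{start}" if start == prev else f"c{start}.c{prev}")
            start = prev = c
        return f"s{self.sens}:" + ",".join(parts)

def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a lone level 's0:c0.c1023' -> (l, l)."""
    low, _, high = text.partition("-")
    lo = Level.parse(low)
    hi = Level.parse(high) if high else lo
    if not hi.dom(lo):
        raise ValueError(f"high must dominate low in {text!r}")
    return lo, hi

def parse_context(ctx):
    """'user:role:type:range' -> dict; the range itself may contain ':'."""
    user, role, typ, rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": parse_range(rng)}

def default_create_level(login_range):
    """Files a process creates get the LOW end of its range (Comment 10):
    's0:c0.c1023' is a single level, so its low end is already SystemHigh;
    's0-s0:c0.c1023' has low end s0, which confined domains can read."""
    return str(parse_range(login_range)[0])

def mcs_read_allowed(subject_range, object_level):
    """Assumed MCS read constraint: subject HIGH level dominates object level."""
    return parse_range(subject_range)[1].dom(parse_range(object_level)[0])

def explain_avc(avc_line):
    """Extract the contexts from a raw AVC line and run the MCS read check.
    The seuser mismatch (user_u vs staff_u) plays no part here: with UBAC
    off, the type-enforcement rules and the MCS level decide, not the seuser."""
    f = dict(re.findall(r"(scontext|tcontext)=(\S+)", avc_line))
    perms = re.search(r"\{ ([^}]*) \}", avc_line)
    subj, obj = parse_context(f["scontext"]), parse_context(f["tcontext"])
    return {
        "perms": perms.group(1).split() if perms else [],
        "subject_high": str(subj["range"][1]),
        "object_level": str(obj["range"][0]),
        "mcs_read_allowed": subj["range"][1].dom(obj["range"][0]),
    }

if __name__ == "__main__":
    print(explain_avc(AVC_FROM_BUG))
    for rng in ("s0:c0.c1023", "s0-s0:c0.c1023"):
        print(f"login range {rng:16} -> new files created at {default_create_level(rng)}")
    # After 'restorecon -FR /usr/share' the cache file is back at usr_t:s0;
    # only -F resets the range (plain restorecon corrects the type alone).
    print("user_t at s0 can read usr_t:s0 ->", mcs_read_allowed("s0", "s0"))
```

Run directly, the denial from the description reproduces: user_t's range is the single level s0, whose high end does not dominate s0:c0.c1023, and the read is allowed again once the cache file is back at usr_t:s0. The model covers only the level half of the decision; it takes for granted that a type-enforcement allow rule for user_t reading usr_t files exists, which sesearch on the installed policy would confirm.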

Comment 11 Michael Milverton 2011-06-27 01:35:25 UTC
That's a good explanation, it makes sense now. I changed it, relabeled the home dir and couldn't log back in because obviously it had affected more than just my home dir. Fixfiles to the rescue and it's all good; in fact it's a bit snappier and I can eject using my MacBook's eject button :). Thanks for your time, it's appreciated.

Comment 12 Daniel Walsh 2011-06-27 11:03:08 UTC
Thanks for trying out confined users...