Bug 850809

Summary: SELinux is preventing /sbin/setfiles from 'relabelto' accesses on the file /.config/Trolltech.conf.
Product: [Fedora] Fedora
Reporter: Sona Pochybova <spochybova>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:f92296f7b07467318bc974fc178b45a05dfcbb2a3220cd679b84099d4e019133
Doc Type: Bug Fix
Last Closed: 2012-08-22 13:29:24 UTC

Description Sona Pochybova 2012-08-22 13:14:20 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.9-1.fc16.x86_64
time:           Wed 22 Aug 2012 03:01:28 PM CEST

description:
:SELinux is preventing /sbin/setfiles from 'relabelto' accesses on the file /.config/Trolltech.conf.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that setfiles should be allowed relabelto access on the Trolltech.conf file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
:                              3
:Target Context                system_u:object_r:chronyd_t:s0
:Target Objects                /.config/Trolltech.conf [ file ]
:Source                        restorecon
:Source Path                   /sbin/setfiles
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           policycoreutils-2.1.4-13.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-90.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.9-1.fc16.x86_64 #1 SMP
:                              Wed Aug 15 20:45:23 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    Wed 22 Aug 2012 02:58:29 PM CEST
:Last Seen                     Wed 22 Aug 2012 03:00:09 PM CEST
:Local ID                      a7733974-9a16-4509-8539-3301d4591930
:
:Raw Audit Messages
:type=AVC msg=audit(1345640409.776:143): avc:  denied  { relabelto } for  pid=4074 comm="restorecon" name="Trolltech.conf" dev="dm-1" ino=1572866 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1345640409.776:143): arch=x86_64 syscall=lsetxattr success=no exit=EACCES a0=7f3339f353c0 a1=7f333850c46b a2=7f3339ef4010 a3=1f items=1 ppid=3967 pid=4074 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
:
:type=CWD msg=audit(1345640409.776:143): cwd=/root
:
:type=PATH msg=audit(1345640409.776:143): item=0 name=/.config/Trolltech.conf inode=1572866 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:default_t:s0
:
:Hash: restorecon,setfiles_t,chronyd_t,file,relabelto
:
:audit2allow
:
:#============= setfiles_t ==============
:allow setfiles_t chronyd_t:file relabelto;
:
:audit2allow -R
:
:#============= setfiles_t ==============
:allow setfiles_t chronyd_t:file relabelto;
:

Comment 1 Miroslav Grepl 2012-08-22 13:29:24 UTC
Are you trying to set up a domain type for Trolltech.conf, which is wrong?

Just use restorecon -Rv PATHTO/Trolltech.conf to fix labeling.

Comment 2 Sona Pochybova 2012-08-22 13:42:39 UTC
(In reply to comment #1)
> Are you trying to set up a domain type for Trolltech.conf, which is wrong?
> 
> Just use restorecon -Rv PATHTO/Trolltech.conf to fix labeling.

I tried that, but I got the following:


# restorecon -Rv /.config/Trolltech.conf
restorecon reset /.config/Trolltech.conf context system_u:object_r:default_t:s0->system_u:object_r:chronyd_t:s0
restorecon set context /.config/Trolltech.conf->system_u:object_r:chronyd_t:s0 failed:'Permission denied'

Comment 3 Miroslav Grepl 2012-08-22 19:30:54 UTC
Ok, what does

# semanage fcontext -l |grep chrony

Comment 4 Sona Pochybova 2012-08-22 21:05:46 UTC
(In reply to comment #3)
> Ok, what does
> 
> # semanage fcontext -l |grep chrony


/.config/Trolltech.conf                            all files          system_u:object_r:chronyd_t:s0
/etc/chrony\.keys                                  regular file       system_u:object_r:chronyd_keys_t:s0
/etc/rc\.d/init\.d/chronyd                         regular file       system_u:object_r:chronyd_initrc_exec_t:s0
/lib/systemd/system/chronyd.*                      regular file       system_u:object_r:chronyd_unit_file_t:s0
/usr/sbin/chronyd                                  regular file       system_u:object_r:chronyd_exec_t:s0
/var/lib/chrony(/.*)?                              all files          system_u:object_r:chronyd_var_lib_t:s0
/var/log/chrony(/.*)?                              all files          system_u:object_r:chronyd_var_log_t:s0
/var/run/chronyd(/.*)                              all files          system_u:object_r:chronyd_var_run_t:s0
/var/run/chronyd\.pid                              regular file       system_u:object_r:chronyd_var_run_t:s0
/var/run/chronyd\.sock                             all files          system_u:object_r:chronyd_var_run_t:s0

Comment 5 Miroslav Grepl 2012-08-23 05:26:37 UTC
OK, this is a problem

/.config/Trolltech.conf  

Execute

# semanage fcontext -d -t chronyd_t "/.config/Trolltech.conf"

Also

/.config

is a KDE bug. Try to remove this directory.

Comment 6 Sona Pochybova 2012-08-23 19:56:32 UTC
(In reply to comment #5)
> OK, this is a problem
> 
> /.config/Trolltech.conf  
> 
> Execute
> 
> # semanage fcontext -d -t chronyd_t "/.config/Trolltech.conf"
> 
> Also
> 
> /.config
> 
> is a KDE bug. Try to remove this directory.

Great, thank you, seems it is OK now :)
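
Added example, not part of the original bug thread: a Python check that ties a `relabelto` denial on a file to a file-context rule that assigns a process domain type, which is the mislabel diagnosed in comments 4 and 5. The sample inputs are constructed from the AVC record and `semanage fcontext -l` rows quoted above. The set of domain types is an assumption supplied by hand (on a live system it could be taken from `seinfo -adomain -x`), and all function names are hypothetical.

```python
import re

# Constructed sample input, copied from the AVC record and the
# `semanage fcontext -l | grep chrony` rows quoted in this thread.
AVC = ('type=AVC msg=audit(1345640409.776:143): avc:  denied  { relabelto } for  '
       'pid=4074 comm="restorecon" name="Trolltech.conf" dev="dm-1" ino=1572866 '
       'scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:chronyd_t:s0 tclass=file')
FCONTEXT_LISTING = r"""
/.config/Trolltech.conf    all files      system_u:object_r:chronyd_t:s0
/etc/chrony\.keys          regular file   system_u:object_r:chronyd_keys_t:s0
/var/lib/chrony(/.*)?      all files      system_u:object_r:chronyd_var_lib_t:s0
"""
# Assumption: process domain types, listed by hand for this example.
DOMAIN_TYPES = {"chronyd_t", "setfiles_t"}

def parse_avc(line):
    """Return the denied permissions, class and context types of one AVC record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": re.search(r"\{ ([^}]*) \}", line).group(1).split(),
        "tclass": fields["tclass"],
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
    }

def parse_fcontext(listing):
    """Yield (path_regex, type) pairs from `semanage fcontext -l` style rows."""
    for row in listing.splitlines():
        parts = row.split()
        if len(parts) < 2 or parts[-1].count(":") < 2:
            continue  # blank line, header row, or a <<None>> context
        yield parts[0], parts[-1].split(":")[2]

def domain_labelled_paths(listing, domain_types):
    """File-context rules whose target type is a process domain, not a file type."""
    return [(p, t) for p, t in parse_fcontext(listing) if t in domain_types]

def explain(avc_line, listing, domain_types):
    """Paths whose fcontext rule requests the domain type named in the denial."""
    avc = parse_avc(avc_line)
    if "relabelto" not in avc["perms"] or avc["tclass"] != "file":
        return []
    return [p for p, t in domain_labelled_paths(listing, domain_types)
            if t == avc["target_type"]]

if __name__ == "__main__":
    print(explain(AVC, FCONTEXT_LISTING, DOMAIN_TYPES))
```
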