Description of problem: SELinux is preventing /usr/libexec/colord from 'read' accesses on the file . ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow colord to have read access on the file Then you need to change the label on $FIX_TARGET_PATH Do # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_home_t, alsa_tmp_t, amanda_tmp_t, antivirus_home_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, audio_home_t, auditadm_sudo_tmp_t, auth_home_t, autofs_t, automount_tmp_t, awstats_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, cache_home_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, cgroup_t, chrome_sandbox_home_t, chrome_sandbox_tmp_t, cifs_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, colord_exec_t, colord_tmp_t, colord_tmpfs_t, colord_var_lib_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, config_home_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_etc_t, cupsd_lpd_tmp_t, cupsd_rw_etc_t, cupsd_tmp_t, cvs_home_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbus_home_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, docker_tmp_t, dosfs_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, ecryptfs_t, efivarfs_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, fetchmail_home_t, file_context_t, 
firewalld_tmp_t, firewallgui_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, fusefs_t, games_tmp_t, gconf_home_t, gconf_tmp_t, getty_tmp_t, git_user_content_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_secret_t, gpm_tmp_t, gssd_tmp_t, gstreamer_home_t, home_bin_t, home_cert_t, hostname_etc_t, httpd_bugzilla_tmp_t, httpd_collectd_script_tmp_t, httpd_mojomojo_tmp_t, httpd_munin_script_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, httpd_w3c_validator_tmp_t, icc_data_home_t, iceauth_home_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t, iptables_tmp_t, irc_home_t, irc_tmp_t, irssi_home_t, iscsi_tmp_t, iso9660_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_home_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, local_login_home_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_home_rw_t, mail_home_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mandb_home_t, mdadm_tmp_t, mock_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_home_t, mozilla_plugin_tmp_t, mozilla_tmp_t, mpd_home_t, mpd_tmp_t, mpd_user_data_t, mplayer_home_t, mscan_tmp_t, munin_tmp_t, mysqld_home_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nfs_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, 
nova_console_tmp_t, nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, ntop_tmp_t, ntpd_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openshift_var_lib_t, openvpn_tmp_t, openvswitch_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t, pkcsslotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, policykit_auth_exec_t, policykit_reload_t, policykit_tmp_t, policykit_var_lib_t, polipo_cache_home_t, polipo_config_home_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_home_t, procmail_tmp_t, psad_tmp_t, pulseaudio_home_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, removable_t, rhev_agentd_tmp_t, ricci_tmp_t, rlogind_home_t, rlogind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rssh_ro_t, rssh_rw_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sandbox_file_t, sblim_tmp_t, screen_home_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snapperd_home_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_home_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_home_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_home_t, svirt_sandbox_file_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, 
syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_cronjob_var_lib_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_home_t, systemd_logind_sessions_t, sysv_t, tcpd_tmp_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_logger_tmp_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_home_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, texlive_home_t, textrel_shlib_t, tgtd_tmp_t, thumb_home_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_home_t, tvtime_tmp_t, udev_tmp_t, udev_var_run_t, uml_ro_t, uml_rw_t, uml_tmp_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, usbfs_t, user_cron_spool_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, user_tmpfs_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_content_t, virt_home_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmblock_t, vmtools_tmp_t, vmware_conf_t, vmware_file_t, vmware_host_tmp_t, vmware_tmp_t, vpnc_tmp_t, vxfs_t, webadm_tmp_t, webalizer_tmp_t, wine_home_t, wireshark_home_t, wireshark_tmp_t, xauth_home_t, xauth_tmp_t, xdm_home_t, xdm_tmp_t, xdm_var_lib_t, xdm_var_run_t, xend_tmp_t, xenfs_t, xenstored_tmp_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t, zoneminder_tmpfs_t. Then execute: restorecon -v '$FIX_TARGET_PATH' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that colord should be allowed read access on the file by default. Then you should report this as a bug. 
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdbus /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                 [ file ]
Source                        gdbus
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-1.2.0-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-158.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-05-20 20:57:36 CDT
Last Seen                     2014-05-20 20:57:36 CDT
Local ID                      d04b9180-d121-47c8-9556-cfdd4f36b76b

Raw Audit Messages
type=AVC msg=audit(1400637456.855:509): avc:  denied  { read } for  pid=1678 comm="gdbus" path="/home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc" dev="dm-3" ino=2360683 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=SYSCALL msg=audit(1400637456.855:509): arch=x86_64 syscall=recvmsg success=yes exit=EBUSY a0=9 a1=7fcf8a2f6a20 a2=40000000 a3=0 items=0 ppid=1 pid=1678 auid=4294967295 uid=998 gid=998 euid=998 suid=998 fsuid=998 egid=998 sgid=998 fsgid=998 tty=(none) ses=4294967295 comm=gdbus exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: gdbus,colord_t,var_t,file,read

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.4-200.fc20.x86_64
type:           libreport
I had not received an error like this for many months until I applied updates three or four weeks ago. The home directory, which includes the file "/home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc", is located on an automounted NFS share and will never have an SELinux context other than:

[dean@host ~]$ ls -lZ .local/share/icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-099cf85ae5946d84576b73ac889f6923.icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-8a3bcc6bbb8678dda91e821d20cc73e5.icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-a99d98c760ecb11e07592f0536164edc.icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-b6c33574ee9f79890208c5c599c274b4.icc
[dean@host ~]$

Or at least not until NFS is updated to support SELinux file contexts. Whatever happened to that project? I thought I saw once that it was targeted for Fedora 20, but now I can find nothing about it.
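The raw AVC record in the description carries everything needed to triage the denial without the setroubleshoot plugin text: the source domain, the target type, the object class and the requested permission. The parser below is an added example, not code from the bug report, from setroubleshoot or from colord; it takes the AVC line quoted above as constructed sample input, and the helper names (parse_avc, summarize, likely_mislabel) and the "generic type" heuristic are this example's own assumptions, not a setroubleshoot rule.

```python
"""Parse raw SELinux AVC audit records (as quoted in the report above)
and produce a one-line triage summary.

Added example: not part of the bug report, setroubleshoot or colord.
Helper names and the generic-type heuristic are assumptions of this example."""
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the report, with the
# double spaces audit(8) prints collapsed (the parser accepts both).
SAMPLE_AVC = (
    'type=AVC msg=audit(1400637456.855:509): avc: denied { read } for pid=1678 '
    'comm="gdbus" path="/home/net/dean/.local/share/icc/'
    'edid-b6c33574ee9f79890208c5c599c274b4.icc" dev="dm-3" ino=2360683 '
    'scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:var_t:s0 '
    'tclass=file'
)

# key=value pairs; values are either double-quoted (path, comm) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Catch-all types that usually mean "this object never got a specific label"
# (e.g. a mount without SELinux xattr support). Assumption of this example.
GENERIC_TYPES = frozenset({"var_t", "default_t", "unlabeled_t"})


@dataclass
class AvcRecord:
    decision: str        # "denied" or "granted"
    permissions: list    # e.g. ["read"]
    timestamp: float     # seconds since the epoch, from msg=audit(...)
    serial: int          # audit event serial, shared with the SYSCALL record
    fields: dict         # remaining key=value pairs, quotes stripped

    def context(self, key):
        """Split an SELinux context 'user:role:type:level' into its parts."""
        parts = self.fields[key].split(":", 3)
        return dict(zip(("user", "role", "type", "level"), parts))

    @property
    def source_type(self):
        return self.context("scontext")["type"]

    @property
    def target_type(self):
        return self.context("tcontext")["type"]


def parse_avc(line):
    """Return an AvcRecord for a 'type=AVC' line, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    m = _DECISION_RE.search(line)
    if m is None:
        return None
    ts, serial = _SERIAL_RE.search(line).groups()
    fields = {}
    # Only the text after the '{ perms }' block holds the key=value fields.
    for key, value in _KV_RE.findall(line[m.end():]):
        fields[key] = value.strip('"')
    return AvcRecord(m.group(1), m.group(2).split(), float(ts), int(serial), fields)


def summarize(record):
    """One-line triage summary: which domain was denied what, on which object."""
    return "{decision}: {stype} -> {ttype} ({tclass}) {perms} on {path}".format(
        decision=record.decision, stype=record.source_type,
        ttype=record.target_type, tclass=record.fields.get("tclass", "?"),
        perms=",".join(record.permissions), path=record.fields.get("path", "?"))


def likely_mislabel(record):
    """Heuristic: a confined domain denied on an object carrying a generic
    type such as var_t points at a labeling problem (the catchall_labels
    plugin's suggestion) rather than at a missing policy rule."""
    return record.decision == "denied" and record.target_type in GENERIC_TYPES


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(summarize(rec))
    print("likely mislabel:", likely_mislabel(rec))
```

Feeding `grep ^type=AVC /var/log/audit/audit.log` through parse_avc and summarize gives a per-denial list that is easier to read than the audit2allow output the plugin suggests, and the target type tells you, before generating any local policy module, whether the object is labeled the way the policy expects.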
It is in Fedora 20. You should be able to set up an NFS server and client with labeled services.

What does restorecon -R -v ~/.local
Do?

Which is this labeled like it was in the /var directory?
(In reply to Daniel Walsh from comment #2)
> It is in Fedora 20. You should be able to setup an NFS server and Client
> with labeled services.
>

With your reminder of search keywords, I found the SELinux Users and Administrators Guide for RHEL 7 Beta. It suggests adding:

RPCNFSDARGS="-V 4.2"

to /etc/sysconfig/nfs and restarting NFS. Is this correct?

> What does restorecon -R -v ~/.local
> Do?
>

[dean@host ~]$ restorecon -R -v ~/.local
[dean@host ~]$ ls -lZ .local/share/icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-099cf85ae5946d84576b73ac889f6923.icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-8a3bcc6bbb8678dda91e821d20cc73e5.icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-a99d98c760ecb11e07592f0536164edc.icc
-rw-rw-r--. dean dean unconfined_u:object_r:var_t:s0 edid-b6c33574ee9f79890208c5c599c274b4.icc
[dean@host ~]$

> Which is this labeled like it was in the /var directory?

I am sorry, but I do not understand your question.
> > Which is this labeled like it was in the /var directory?
>
> I am sorry, but I do not understand your question.

Why is the label on automounted NFS share var_t?

This should check the context of a file path and compare it to the default label for that path.

$ matchpathcon -V home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc
(In reply to Simon Sekidde from comment #4)
> Why is the label on automounted NFS share var_t?
>
> This should check the context of a file path and compares it to the default
> label for that path.
>
> $ matchpathcon -V
> home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc

var_t is the label I have seen assigned to everything read from an NFS share.

[dean@host ~]$ matchpathcon -V /home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc
/home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc has context unconfined_u:object_r:var_t:s0, should be unconfined_u:object_r:user_home_t:s0
[dean@host ~]$
Does running restorecon -R -v /home fix the labels? Where is the NFS directory mounted?
The way you asked the question generated several thoughts. After checking, here are some additional observations:

1) The SELinux alert for ~/.local/share/icc/edid-*.icc is only occurring on the NFS server (named "host") when I log in as an IPA user ("dean") with an automounted home directory. The alert does not occur when I log in as an IPA user ("dean") with an automounted home directory on an NFS client.

2) The label I observe as an IPA user on the NFS host is var_t. The label I observe as an IPA user on an NFS client is nfs_t.

3) On the NFS server, matchpathcon will report differences in file labels using the home directory path, but restorecon will NOT correct the difference:

[dean@host ~]$ matchpathcon -V ~/.local
/home/net/dean/.local has context unconfined_u:object_r:var_t:s0, should be unconfined_u:object_r:user_home_t:s0
[dean@host ~]$ restorecon -v ~/.local
[dean@host ~]$ matchpathcon -V ~/.local
/home/net/dean/.local has context unconfined_u:object_r:var_t:s0, should be unconfined_u:object_r:user_home_t:s0
[dean@host ~]$

The results are the same when performed as "root".

4) I have not changed the default Fedora 20 configuration of the NFS server, which appears to not enable v4.2:

[dean@host ~]$ grep RPCNFSDARGS /etc/sysconfig/nfs
RPCNFSDARGS=""
[dean@host ~]$

5) From http://fedoraproject.org/wiki/Changes/LabeledNFS and https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-NFS-Configuration_Examples.html it appears that the following changes are required to enable SELinux Labeled NFS support:

For the server:

sed -i '/RPCNFSDARGS/ s/""/"-V 4.2"/' /etc/sysconfig/nfs
systemctl restart nfs-server

For the clients:

ipa automountkey-mod desktops auto.home --key "*" \
    --info "-fstype=nfs4,sec=krb5p,v4.2 host.hunter.org:/srv/nfs/home/&"
ipa automountkey-mod servers auto.home --key "*" \
    --info "-fstype=nfs4,sec=krb5p,v4.2 host.hunter.org:/srv/nfs/home/&"

Is this correct?
After further consideration, I have remembered that the /srv/nfs file system was relocated during a rebuild of host for Fedora 20. Because I wanted to change the size of the logical volume and file system and to reposition several other logical volumes and file systems I used cp to copy the files off; rebuilt the physical volume, volume group, and logical volumes; and copied the files back. It is possible that the SELinux labels were lost in this process.
So I went back to https://bugzilla.redhat.com/show_bug.cgi?id=963318, the last time I had this particular SELinux alert. I relabeled the entire system and implemented the solution:

[dean@host ~]$ sudo touch /.autorelabel
[dean@host ~]$ sudo reboot
...
[dean@host ~]$ sudo semanage fcontext --add -e /home /home/net
[dean@host ~]$ sudo restorecon -Rv /home/net
[dean@host ~]$ sudo semanage fcontext --list -C
SELinux fcontext                                   type               Context

/srv/http(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0
/srv/vm/Guests(/.*)?                               all files          system_u:object_r:virt_image_t:s0

SELinux Local fcontext Equivalence

/home/net = /home
[dean@host ~]$

matchpathcon reports a different desired context, but restorecon will not correct the context:

[dean@host ~]$ matchpathcon -V ~/.local
/home/net/dean/.local has context unconfined_u:object_r:var_t:s0, should be unconfined_u:object_r:gconf_home_t:s0
[dean@host ~]$ restorecon -Rv ~/.local
[dean@host ~]$ matchpathcon -V ~/.local
/home/net/dean/.local has context unconfined_u:object_r:var_t:s0, should be unconfined_u:object_r:gconf_home_t:s0
[dean@host ~]$
I apologize for being so disjointed. I checked the script I use to build my test environment and remembered that the August bug report solution was in error. Here is the correct solution:

[dean@host ~]$ sudo semanage fcontext --delete /home/net
[dean@host ~]$ sudo semanage fcontext --list -C
SELinux fcontext                                   type               Context

/srv/http(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0
/srv/vm/Guests(/.*)?                               all files          system_u:object_r:virt_image_t:s0
[dean@host ~]$ sudo semanage fcontext --add -e /home /srv/nfs/home
[dean@host ~]$ sudo restorecon -Rv /srv/nfs/home
... a large number of files were shown as having their context updated ...
[dean@host ~]$
Now there are no SELinux alerts, so I guess the root cause of my problem was operator error while rebuilding the file system and the ticket may be closed. However, and just for your information, matchpathcon is still reporting discrepancies in the labels:

[dean@host ~]$ matchpathcon -V ~
/home/net/dean has context unconfined_u:object_r:user_home_dir_t:s0, should be unconfined_u:object_r:user_home_t:s0
[dean@host ~]$ matchpathcon -V ~/.local
/home/net/dean/.local has context unconfined_u:object_r:gconf_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
[dean@host ~]$ matchpathcon -V ~/.local/share/icc/*
/home/net/dean/.local/share/icc/edid-099cf85ae5946d84576b73ac889f6923.icc has context unconfined_u:object_r:icc_data_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
/home/net/dean/.local/share/icc/edid-8a3bcc6bbb8678dda91e821d20cc73e5.icc has context unconfined_u:object_r:icc_data_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
/home/net/dean/.local/share/icc/edid-a99d98c760ecb11e07592f0536164edc.icc has context unconfined_u:object_r:icc_data_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
/home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc has context unconfined_u:object_r:icc_data_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
[dean@host ~]$

Please advise whether item #5 from Comment #7 is correct.
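Comments #7, #8 and #10 all paste `matchpathcon -V` output by hand and eyeball the "has context X, should be Y" lines one at a time. The script below is an added example, not code from the bug report or from libselinux: it parses that output format, drops the paths matchpathcon reports as verified, and groups the remaining mismatches by actual -> expected type so a whole tree (`find ~ -print0 | xargs -0 matchpathcon -V`) can be reviewed at once. The sample output is constructed from the lines quoted in this comment plus one verified line; the helper names are this example's own.

```python
"""Group 'matchpathcon -V' mismatches by actual -> expected SELinux type.

Added example, not part of the bug report or of libselinux. The sample
output below is constructed from the lines quoted in the comment above;
function names are assumptions of this example."""
import re
from collections import defaultdict

# Constructed sample: four mismatch lines from the comment above and one
# 'verified.' line of the kind matchpathcon prints for a correctly labeled path.
SAMPLE_OUTPUT = """\
/home/net/dean has context unconfined_u:object_r:user_home_dir_t:s0, should be unconfined_u:object_r:user_home_t:s0
/home/net/dean/.local has context unconfined_u:object_r:gconf_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
/home/net/dean/.local/share/icc/edid-099cf85ae5946d84576b73ac889f6923.icc has context unconfined_u:object_r:icc_data_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
/home/net/dean/.local/share/icc/edid-b6c33574ee9f79890208c5c599c274b4.icc has context unconfined_u:object_r:icc_data_home_t:s0, should be unconfined_u:object_r:user_home_t:s0
/etc/passwd verified.
"""

# The two line shapes matchpathcon -V emits. Paths may contain spaces, so the
# path group is non-greedy and anchored by the fixed wording that follows it.
_MISMATCH_RE = re.compile(
    r'^(?P<path>.+?) has context (?P<actual>\S+), should be (?P<expected>\S+)$')
_VERIFIED_RE = re.compile(r'^(?P<path>.+?) verified\.$')


def type_of(context):
    """Return the type field of a 'user:role:type:level' context."""
    return context.split(":")[2]


def parse_matchpathcon(text):
    """Return a list of (path, actual_context, expected_context).

    For paths matchpathcon reports as verified both contexts are None.
    Any other line is an error rather than silently skipped, so a truncated
    or foreign line in the input does not go unnoticed."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MISMATCH_RE.match(line)
        if m:
            results.append((m["path"], m["actual"], m["expected"]))
            continue
        m = _VERIFIED_RE.match(line)
        if m:
            results.append((m["path"], None, None))
            continue
        raise ValueError("unrecognised matchpathcon line: " + line)
    return results


def group_mismatches(results):
    """Map (actual_type, expected_type) -> list of paths, mismatches only."""
    groups = defaultdict(list)
    for path, actual, expected in results:
        if actual is None or actual == expected:
            continue
        groups[(type_of(actual), type_of(expected))].append(path)
    return dict(groups)


def report(results):
    """Render the grouped mismatches, one group header per type pair."""
    lines = []
    for (actual, expected), paths in sorted(group_mismatches(results).items()):
        lines.append("%s -> %s (%d)" % (actual, expected, len(paths)))
        lines.extend("  " + p for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_matchpathcon(SAMPLE_OUTPUT)))
```

Grouping by type pair is what makes the output useful for a case like this one: every path in the same group is governed by the same file_contexts entry (or the same equivalence rule), so one `semanage fcontext --list -C` lookup explains the whole group, and a group whose actual type stays put after `restorecon -Rv` tells you the filesystem, not the policy, is assigning the label.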
*** This bug has been marked as a duplicate of bug 963318 ***