Bug 118757 - SELinux FAQ tracker bug
Status: CLOSED WONTFIX
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Karsten Wade
Tammy Fox
http://people.redhat.com/kwade/fedora...
Depends On: 119323 119417 119461 119472 119572 119573 119649 119719 119757 119787 119851 119852 120075 120204 120211 120222 120236 120424 120551 120957 121225 122794 122849 123451 123561 123562 123563 125148 129240 129917 130714 133403 136258 138465 138762 138764 138767 139433 142182 143490 144696 144697 144918 145876 147915 148030 150500 151957 152352 152370 153702 154273 155300 155302 159572 161034 161035 161678
Reported: 2004-03-19 15:56 EST by Karsten Wade
Modified: 2009-06-08 15:58 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-06-08 15:58:43 EDT
Attachments
Why I cannot print (12.03 KB, application/vnd.oasis.opendocument.text)
2007-12-18 07:53 EST, mike keenor
Description Karsten Wade 2004-03-19 15:56:36 EST
This bug is the master tracker bug for all changes to the Fedora Docs
Project SELinux FAQ.  The purpose of this tracker is to assist in
project management when there is a high volume of bug reports for the
FAQ, such as following a test release.  All new bugs against the FAQ
should block this bug.  This ensures the bug report does not slip
through the cracks.
Comment 1 mike keenor 2007-12-18 07:53:53 EST
Created attachment 289887
Why I cannot print 

Summary 
    SELinux is preventing access to files with the default label, default_t. 

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them.  This can indicate a
    labeling problem, especially if the files being referred to are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.

    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information	      

Source Context		      system_u:system_r:procmail_t 
Target Context		      system_u:object_r:default_t 
Target Objects		      root [ dir ] 
Affected RPM Packages	      procmail-3.22-19.fc7 [application]
			      filesystem-2.4.6-1.fc7 [target]
Policy RPM		      selinux-policy-2.6.4-8.fc7 
Selinux Enabled 	      True 
Policy Type		      targeted 
MLS Enabled		      True 
Enforcing Mode		      Enforcing 
Plugin Name		      plugins.default 
Host Name		      d58-108-21-9.dsl.vic.optusnet.com.au 
Platform		      Linux d58-108-21-9.dsl.vic.optusnet.com.au
			      2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count		      1 
First Seen		      Sat 25 Aug 2007 12:03:40 AM WST 
Last Seen		      Sat 25 Aug 2007 12:03:40 AM WST 
Local ID		      eef9b303-e05b-4bdb-a401-890c586e6c33 
Line Numbers		      

Raw Audit Messages	      

avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 
exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" 
pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
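
Added example, not part of the original comment or of setroubleshoot: Python that parses the raw AVC message quoted in Comment 1 and separates labeling problems (target type default_t, as the report describes) from denials that call for a policy review. The names parse_avc, context_type, triage and LABELING_TYPES are hypothetical, and treating file_t and unlabeled_t like default_t is an assumption that goes beyond the report.

```python
import re

# Constructed sample: the raw audit message from Comment 1, wrapped lines joined.
SAMPLE_AVC = (
    'avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" '
    'pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 '
    'subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0'
)

# default_t is the type the report names. file_t and unlabeled_t are an
# assumption added here: they also mark objects without a proper label.
LABELING_TYPES = {"default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', re.S)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(message):
    """Split one AVC message into result, permission list and key=value fields."""
    m = AVC_RE.search(message)
    if not m:
        raise ValueError("not an AVC message")
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def context_type(context):
    """Return the type from user:role:type[:level]; it is always the third field."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]

def triage(message):
    """Classify a denial: fix the label, or review policy for the source domain."""
    avc = parse_avc(message)
    target = context_type(avc["tcontext"])
    if avc["result"] != "denied":
        action = "none"
    elif target in LABELING_TYPES:
        action = "relabel"          # chcon, or "touch /.autorelabel; reboot"
    else:
        action = "review-policy"    # correctly labeled target; look at the rule
    return {"source_type": context_type(avc["scontext"]), "target_type": target,
            "tclass": avc["tclass"], "perms": avc["perms"],
            "object": avc.get("name"), "action": action}
```
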
Comment 2 Penelope Fudd 2008-02-18 02:03:12 EST
Additional FAQ:

I have an avc denial, I'm following "I have some avc denials that I would like
to allow, how do I do this?", and I've created a local.te file.

The problem is, I've done this before, and if I load my new local.te file, I'll
erase my previous changes, whatever they were (it's been a while; the local.te
file from back then is gone).

How do I merge my new changes with the existing local rules?

Two ideas come to mind:
  1. Decompiling the 'local' ruleset.
  2. Listing the existing rulesets, so I can rename my local.te to local2.te
without fear of collision (I may have generated a local2.te before).

Suggestions?

Thanks!
Comment 3 eric@christensenplace.us 2009-06-08 15:58:43 EDT
This project has been moved to https://fedoraproject.org/wiki/SELinux_FAQ.  Please either make the necessary changes or use the "discussion" page for requests for changes.
