This bug is the master tracker bug for all changes to the Fedora Docs Project SELinux FAQ. The purpose of this tracker is to assist in project management when there is a high volume of bug reports for the FAQ, such as following a test release. All new bugs against the FAQ should block this bug. This ensures the bug report does not slip through the cracks.
Created attachment 289887
Why I cannot print

Summary
SELinux is preventing access to files with the default label, default_t.

Detailed Description
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.

Allowing Access
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information
Source Context          system_u:system_r:procmail_t
Target Context          system_u:object_r:default_t
Target Objects          root [ dir ]
Affected RPM Packages   procmail-3.22-19.fc7 [application]
                        filesystem-2.4.6-1.fc7 [target]
Policy RPM              selinux-policy-2.6.4-8.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.default
Host Name               d58-108-21-9.dsl.vic.optusnet.com.au
Platform                Linux d58-108-21-9.dsl.vic.optusnet.com.au 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count             1
First Seen              Sat 25 Aug 2007 12:03:40 AM WST
Last Seen               Sat 25 Aug 2007 12:03:40 AM WST
Local ID                eef9b303-e05b-4bdb-a401-890c586e6c33
Line Numbers

Raw Audit Messages
avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
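The raw audit message in the report above can be triaged mechanically: a denial whose target type is default_t points at a labeling problem rather than a missing policy rule. The following is an added example, not part of the bug comments or of any Fedora tool; the function names parse_avc, split_context and triage are hypothetical, and the sample line is copied from the report.

```python
import re
import shlex

# Sample input: the raw audit message quoted in the report above.
SAMPLE_AVC = (
    'avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="root" pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 '
    'subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')

def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    user, role, typ, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ,
            'level': level[0] if level else None}

def parse_avc(line):
    """Return decision, permissions and key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    fields = {}
    for token in shlex.split(m.group(3)):  # shlex removes quotes around values
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return {
        'decision': m.group(1),
        'perms': m.group(2).split(),
        'fields': fields,
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }

def triage(avc):
    """default_t on the target means fix the label, not the policy."""
    if avc['decision'] != 'denied':
        return 'no action'
    if avc['target']['type'] == 'default_t':
        return 'relabel target (labeling problem)'
    return 'review policy for ' + avc['source']['type']
```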
Additional FAQ: I have an avc denial, I'm following "I have some avc denials that I would like to allow, how do I do this?", and I've created a local.te file. The problem is, I've done this before, and if I load my new local.te file, I'll erase my previous changes, whatever they were (it's been a while; the local.te file from back then is gone). How do I merge my new changes with the existing local rules? Two ideas come to mind: 1. Decompiling the 'local' ruleset. 2. Listing the existing rulesets, so I can rename my local.te to local2.te without fear of collision (I may have generated a local2.te before). Suggestions? Thanks!
This project has been moved to https://fedoraproject.org/wiki/SELinux_FAQ. Please either make the necessary changes or use the "discussion" page for requests for changes.