Bug 216807 - can't chcon files as root
Summary: can't chcon files as root
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 6
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2006-11-22 01:39 UTC by Evan Klitzke
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-12-13 21:09:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Evan Klitzke 2006-11-22 01:39:00 UTC
I am trying to change the security context of a package I manually installed. I
cannot become adm_r by using newrole, but I assume that this is not necessary
because that package is in Extras and I log into root with su -. I cannot find
any information in the Fedora documentation to suggest that I need to change
roles to chcon files as root, so I assume this behavior is a bug.

Here is the problem I have:
[root@localhost ~]# chcon -t procmail_t /usr/local/var/dspam/data/evan/evan.lock
chcon: failed to change context of /usr/local/var/dspam/data/evan/evan.lock to
user_u:object_r:procmail_t: Permission denied

And the AVC message is:

avc: denied { relabelto } for comm='"chcon"' dev='hda1' egid='0' euid='0'
exe='"/usr/bin/chcon"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0'
name='"evan.lock"' pid='11151' scontext=user_u:system_r:unconfined_t:s0 sgid='0'
subj='user_u:system_r:unconfined_t:s0' suid='0' tclass='file'
tcontext=user_u:object_r:procmail_t:s0 tty='pts0' uid='0'

Comment 1 Tim Waugh 2006-12-13 11:51:13 UTC


touch /tmp/foo
chcon -t procmail_t /tmp/foo

Comment 2 Daniel Walsh 2006-12-13 21:09:29 UTC
procmail_t is a domain context not a file_context.  You can only chcon file

Please ask questions on fedora-selinux-list

Note You need to log in before you can comment on or make changes to this bug.