Bug 238347 - SELinux policy blocks DF from running inside Logwatch
Summary: SELinux policy blocks DF from running inside Logwatch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-04-29 17:57 UTC by Robert Auch
Modified: 2008-05-21 16:05 UTC (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 16:05:12 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 0 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC
Red Hat Product Errata RHBA-2008:0465 0 normal SHIPPED_LIVE selinux-policy bug fix update 2008-05-20 14:36:31 UTC

Description Robert Auch 2007-04-29 17:57:58 UTC
Every time logwatch runs, the following error appears in SELinux-Troubleshoot.
Using targeted (not strict) policy, new build in VMWare Workstation 6 hardware,
fully updated as of 4/27/2007

Summary
    SELinux is preventing /bin/df (logwatch_t) "getattr" to / (unlabeled_t).

Detailed Description
    SELinux denied access requested by /bin/df. It is not expected that this
    access is required by /bin/df and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:logwatch_t:SystemLow-SystemHigh
Target Context                system_u:object_r:unlabeled_t
Target Objects                / [ filesystem ]
Affected RPM Packages         coreutils-5.97-12.1.el5 [application]
                              filesystem-2.4.0-1 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.1.1.el5 #1
                              SMP Mon Feb 26 20:38:02 EST 2007 i686 i686
Alert Count                   5
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="df" dev=vmblock egid=0 euid=0 exe="/bin/df"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=13649
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=filesystem
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0
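
The raw audit message above is the record worth reading when triaging an alert like this. The following is an added example (not part of the bug report or of the selinux-policy package) that parses AVC denial lines in that format and separates the two cases the thread turns on: a target of type unlabeled_t, which means the object or filesystem carries no label at all (here the vmblock filesystem was simply unknown to the policy, so the right fix was defining it in policy, not granting logwatch_t access to unlabeled objects), versus a denial on a properly labelled object, which is an ordinary policy decision. The two sample records are constructed from the lines quoted in this report plus one made-up contrasting denial; the function names are this example's own.

```python
"""Parse SELinux AVC denial records and triage them by target label.

Added example for this bug report; not code from the report or from
selinux-policy. Sample records below are constructed from the AVC line
quoted in the report (re-joined onto one line) plus one made-up record.
"""
import re
from dataclasses import dataclass

# Constructed sample input: record 0 is the denial from the report,
# record 1 is a made-up denial on a correctly labelled log file.
SAMPLE_AVCS = [
    'avc: denied { getattr } for comm="df" dev=vmblock egid=0 euid=0 '
    'exe="/bin/df" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=13649 '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0 '
    'subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=filesystem '
    'tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0',
    'avc: denied { read } for comm="logwatch" dev=dm-0 exe="/usr/bin/perl" '
    'name="secure" pid=4242 scontext=system_u:system_r:logwatch_t:s0 '
    'tclass=file tcontext=system_u:object_r:var_log_t:s0',
]

# "avc: denied { perm1 perm2 } for ..." -> the permission list inside braces
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values may be quoted ("/bin/df") or bare (vmblock, (none))
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    perms: tuple          # permissions that were denied, e.g. ('getattr',)
    fields: dict          # remaining key=value fields, quotes stripped

    def ctx_type(self, key):
        """Return the type component of a user:role:type[:range] context."""
        return self.fields[key].split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line into an Avc; raise on non-denial input."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    perms = tuple(m.group(1).split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    return Avc(perms, fields)


def triage(avc):
    """Classify a denial as a labeling problem or a policy decision.

    Returns (category, explanation). A target of type unlabeled_t means the
    object has no label, typically a filesystem the policy does not know
    (as with vmblock in this report); granting access to unlabeled_t would
    hide that and is not the fix.
    """
    src = avc.ctx_type('scontext')
    tgt = avc.ctx_type('tcontext')
    cls = avc.fields.get('tclass', '?')
    name = avc.fields.get('name', '?')
    dev = avc.fields.get('dev', '?')
    perms = ' '.join(avc.perms)
    if tgt == 'unlabeled_t':
        return ('labeling',
                f'{src} denied {perms} on {cls} {name} (dev={dev}) which has '
                f'no label: the filesystem type is unknown to policy or the '
                f'object needs relabeling; do not allow access to unlabeled_t')
    return ('policy',
            f'{src} denied {perms} on {cls} {name} of type {tgt}: review '
            f'whether the domain legitimately needs this access')


def summarize(lines):
    """Triage every denial line; skips lines that are not AVC denials."""
    out = []
    for line in lines:
        try:
            out.append(triage(parse_avc(line)))
        except ValueError:
            continue
    return out


if __name__ == '__main__':
    for category, text in summarize(SAMPLE_AVCS):
        print(f'[{category}] {text}')
```

Running the block prints one `[labeling]` line for the df denial and one `[policy]` line for the constructed log-file denial; the parser accepts the multi-permission form `{ read write }` as well, since setroubleshoot and auditd emit that when several permissions are denied at once.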

Comment 1 Daniel Walsh 2007-04-30 12:43:24 UTC
What file system is it referring to as unlabeled?  This should not happen.  Do
you have any unusual file systems mounted on this system?

Comment 2 Robert Auch 2007-05-09 15:43:58 UTC
/ filesystem is ext3.  I haven't seen the error since reporting bug 238360 - 
the change of that that's of interest is that I switched from enforcing to 
permissive to relabel a file, then back to enforcing.  Also, because the target 
system is a VM on a laptop, it sometimes is only running for 20-30 minutes a 
day.

There is an unusual mountpoint /mnt/hgfs for VMWare workstation 6 to allow my 
VM to read my host's $HOME, but that's failing to mount, as noted in bug 
238360.

Comment 3 Daniel Walsh 2007-05-17 16:12:07 UTC
Could you update to the u1 preview policy and see if this is fixed?

http://people.redhat.com/dwalsh/SELinux/RHEl5/u1



Comment 5 RHEL Program Management 2007-05-18 16:24:21 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 8 Eduard Benes 2007-08-21 13:49:04 UTC
Robert, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 9 Eduard Benes 2007-09-24 13:09:09 UTC
Robert, could you please try the new policy available at the link below and 
reply whether the new packages solve your problem? Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 11 errata-xmlrpc 2007-11-07 16:39:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


Comment 12 Karl Latiss 2007-12-01 00:26:06 UTC
I am still seeing this error with selinux-policy-targeted-2.4.6-106.el5_1.3.noarch

Summary
    SELinux is preventing /bin/df (logwatch_t) "getattr" to / (unlabeled_t).

Detailed Description
    SELinux denied access requested by /bin/df. It is not expected that this
    access is required by /bin/df and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see FAQ Or
    you can disable SELinux protection altogether. Disabling SELinux protection
    is not recommended. Please file a bug report against this package.

Additional Information

Source Context                system_u:system_r:logwatch_t:SystemLow-SystemHigh
Target Context                system_u:object_r:unlabeled_t
Target Objects                / [ filesystem ]
Affected RPM Packages         coreutils-5.97-12.1.el5 [application]
                              filesystem-2.4.0-1 [target]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     hp-nx9420.wdg
Platform                      Linux hp-nx9420.wdg 2.6.18-53.1.4.el5 #1 SMP Wed
                              Nov 14 10:37:27 EST 2007 x86_64 x86_64
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="df" dev=vmblock egid=0 euid=0 exe="/bin/df"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4988
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=filesystem
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0

Comment 13 Daniel Walsh 2007-12-01 13:43:40 UTC
Ok, I defined this filesystem in SELinux.

selinux-policy-2.4.6-107.el5.src.rpm


Comment 15 Eduard Benes 2008-01-09 18:38:34 UTC
Karl, could you please try the new policy available at the link below and 
reply whether the new packages solve the problem? Thank you.

The fix should be present in selinux-policy-2.4.6-107 available here:

  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 16 Karl Latiss 2008-01-09 21:43:39 UTC
I've installed the new policy and will monitor for any alerts.

Note that I haven't seen an alert since 01/01/2008 (with the old policy).

Comment 18 errata-xmlrpc 2008-05-21 16:05:12 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html


