Description of problem:
In FC6 you could edit the selinux policies. Why was this removed in FC7? Will another policy editor be available? With the one in FC6 I was able to get SUGARCRM to work (disable block on running http script modules). I was also able to fix the avahi problem (disable avahi module).

Version-Release number of selected component (if applicable):
SELinux (enable, disable, permissive). Need other.

How reproducible:
Every time.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Because these booleans were causing other errors in domains that needed to communicate. So if a domain needed to communicate with avahi and you disabled trans, the other domain would be affected. It is better to just add the allow rules that are required to make the job run. For example you can add a loadable policy module using audit2allow:

    # grep avahi /var/log/audit/audit.log | audit2allow -M myavahi
    # semodule -i myavahi.pp

This would generate and rebuild all the policy rules needed to allow avahi to run. Then you should submit a bug report with your avc's so we can fix the problem.

If you still want to disable trans you can always run

    chcon -t bin_t PATHTOEXEC

This will do the same thing as disable trans.

Please submit the AVC messages that you want fixed for both avahi and SUGARCRM.
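To see what the audit2allow step above would actually add before loading a module with semodule, the following added example (not part of this bug or of audit2allow itself) parses raw "avc: denied" records like the ones reported in this bug, merges them into allow rules, and flags denials against default_t, where the right fix is restorecon rather than a new rule. The sample audit log is constructed from the AVCs in this report with unneeded fields dropped; the module name and the LABELING_TYPES set are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the raw AVC messages reported in this bug
# (fields not needed for rule generation were dropped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1179170000.123:45): avc: denied { fowner } for comm="avahi-daemon" pid=2958 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=capability
avc: denied { getattr } for comm="updatedb" path="/var/run/pcscd.comm" pid=4239 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=sock_file
avc: denied { getattr } for comm="updatedb" path="/var/named/chroot/dev/random" pid=32532 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
avc: denied { getattr } for comm="updatedb" path="/var/named/chroot/dev/null" pid=32532 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
avc: denied { search } for comm="procmail" name="root" pid=4056 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1179170000.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="updatedb"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Targets whose denial usually means a mislabeled file, not a missing rule (example's own list).
LABELING_TYPES = {"default_t", "unlabeled_t", "file_t"}

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise are skipped
        f = dict(KV_RE.findall(m.group("fields")))
        stype = f["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = f["tcontext"].split(":")[2]
        yield stype, ttype, f["tclass"], set(m.group("perms").split())

def build_module(text, name):
    """Return (policy_source, labeling_warnings), roughly what audit2allow -M would emit."""
    rules, warnings = defaultdict(set), []
    for stype, ttype, tclass, perms in parse_avcs(text):
        if ttype in LABELING_TYPES:
            warnings.append(f"{stype} -> {ttype}:{tclass}: relabel with restorecon instead of allowing")
            continue
        rules[(stype, ttype, tclass)] |= perms
    types = sorted({t for k in rules for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # self-access is written as 'self'
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n", warnings

if __name__ == "__main__":
    src, warns = build_module(SAMPLE_AUDIT_LOG, "mylocal")
    print(src)
    for w in warns:
        print("WARNING:", w)
```

Reading the generated .te source this way shows exactly which domain gets which permission, which is what you want to check (and attach to the bug) before running semodule -i.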
Summary
    SELinux is preventing /usr/sbin/avahi-daemon (avahi_t) "fowner" to <Unknown> (avahi_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/avahi-daemon. It is not expected that this access is required by /usr/sbin/avahi-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:avahi_t
    Target Context          system_u:system_r:avahi_t
    Target Objects          None [ capability ]
    Affected RPM Packages   avahi-0.6.17-1.fc7 [application]
    Policy RPM              selinux-policy-2.6.1-1.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3142.fc7 #1 SMP Mon May 7 21:14:09 EDT 2007 i686 athlon
    Alert Count             11
    First Seen              Sun 06 May 2007 07:19:05 PM EDT
    Last Seen               Mon 14 May 2007 04:50:25 PM EDT
    Local ID                46d3fe94-32bb-4018-b71f-e72540669e5a
    Line Numbers

Raw Audit Messages
    avc: denied { fowner } for comm="avahi-daemon" egid=0 euid=0 exe="/usr/sbin/avahi-daemon" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=2958 scontext=system_u:system_r:avahi_t:s0 sgid=0 subj=system_u:system_r:avahi_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:avahi_t:s0 tty=(none) uid=0
Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /var/run/pcscd.comm (pcscd_var_run_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/run/pcscd.comm, restorecon -v /var/run/pcscd.comm If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:locate_t
    Target Context          system_u:object_r:pcscd_var_run_t
    Target Objects          /var/run/pcscd.comm [ sock_file ]
    Affected RPM Packages   mlocate-0.16-1 [application]
    Policy RPM              selinux-policy-2.6.1-1.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3142.fc7 #1 SMP Mon May 7 21:14:09 EDT 2007 i686 athlon
    Alert Count             4
    First Seen              Tue 08 May 2007 06:35:15 PM EDT
    Last Seen               Mon 14 May 2007 06:38:02 PM EDT
    Local ID                45686eef-dece-4a9c-a880-1733f6265af0
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="pcscd.comm" path="/var/run/pcscd.comm" pid=4239 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file tcontext=system_u:object_r:pcscd_var_run_t:s0 tty=(none) uid=0
There are about 9 additional getattr problems with updatedb.
Please submit the entire audit.log
Avc's reported are fixed in selinux-policy-2.6.4-4.fc7
Upgraded to FC7 5/31 release. Got the following 5 policy errors.

1)
Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information
    Source Context          system_u:system_r:procmail_t
    Target Context          system_u:object_r:default_t
    Target Objects          root [ dir ]
    Affected RPM Packages   procmail-3.22-19.fc7 [application] filesystem-2.4.6-1.fc7 [target]
    Policy RPM              selinux-policy-2.6.4-8.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.default
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count             2
    First Seen              Thu 31 May 2007 11:00:18 PM EDT
    Last Seen               Fri 01 Jun 2007 01:25:07 PM EDT
    Local ID                54e1aa05-fdc3-40ce-b00d-09811a2ed5b3
    Line Numbers

Raw Audit Messages
    avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=4056 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

2)
Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /var/named/chroot/dev/random (named_conf_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/named/chroot/dev/random, restorecon -v /var/named/chroot/dev/random If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:locate_t
    Target Context          system_u:object_r:named_conf_t
    Target Objects          /var/named/chroot/dev/random [ chr_file ]
    Affected RPM Packages   mlocate-0.16-1 [application] bind-chroot-9.4.0-6.fc7 [target]
    Policy RPM              selinux-policy-2.6.4-8.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count             1
    First Seen              Thu 31 May 2007 10:44:25 PM EDT
    Last Seen               Thu 31 May 2007 10:44:25 PM EDT
    Local ID                5c838255-5048-4971-9ccf-b10b8394f5cd
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="random" path="/var/named/chroot/dev/random" pid=32532 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:named_conf_t:s0 tty=(none) uid=0

3)
Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /var/named/chroot/dev/null (named_conf_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/named/chroot/dev/null, restorecon -v /var/named/chroot/dev/null If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:locate_t
    Target Context          system_u:object_r:named_conf_t
    Target Objects          /var/named/chroot/dev/null [ chr_file ]
    Affected RPM Packages   mlocate-0.16-1 [application] bind-chroot-9.4.0-6.fc7 [target]
    Policy RPM              selinux-policy-2.6.4-8.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count             1
    First Seen              Thu 31 May 2007 10:44:25 PM EDT
    Last Seen               Thu 31 May 2007 10:44:25 PM EDT
    Local ID                c5fbf596-03e5-4786-874e-79618837c102
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="null" path="/var/named/chroot/dev/null" pid=32532 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:named_conf_t:s0 tty=(none) uid=0

4)
Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /var/gdm/.gdmfifo (xserver_log_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:locate_t
    Target Context          system_u:object_r:xserver_log_t
    Target Objects          /var/gdm/.gdmfifo [ fifo_file ]
    Affected RPM Packages   mlocate-0.16-1 [application]
    Policy RPM              selinux-policy-2.6.4-8.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count             1
    First Seen              Thu 31 May 2007 10:44:25 PM EDT
    Last Seen               Fri 01 Jun 2007 01:30:11 PM EDT
    Local ID                a599faed-3429-4840-9123-78892b5bdfb9
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=".gdmfifo" path="/var/gdm/.gdmfifo" pid=30830 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=fifo_file tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0

5)
Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /var/named/chroot/dev/zero (named_conf_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected that this access is required by /usr/bin/updatedb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/named/chroot/dev/zero, restorecon -v /var/named/chroot/dev/zero If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          system_u:system_r:locate_t
    Target Context          system_u:object_r:named_conf_t
    Target Objects          /var/named/chroot/dev/zero [ chr_file ]
    Affected RPM Packages   mlocate-0.16-1 [application] bind-chroot-9.4.0-6.fc7 [target]
    Policy RPM              selinux-policy-2.6.4-8.fc7
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               grottingen.no-ip.org
    Platform                Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count             1
    First Seen              Thu 31 May 2007 10:44:25 PM EDT
    Last Seen               Thu 31 May 2007 10:44:25 PM EDT
    Local ID                b9b4a941-7fab-441b-948c-1196afbb9e11
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0 exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="zero" path="/var/named/chroot/dev/zero" pid=32532 scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:named_conf_t:s0 tty=(none) uid=0
restorecon -R -v /root
Should be fixed in the current release