Bug 239499 - Cannot change SELINUX Policy. (enable, disable, permissive) Need OTHER editor.
Cannot change SELINUX Policy. (enable, disable, permissive) Need OTHER editor.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-08 18:55 EDT by Glenn Rottingen
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:16:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Glenn Rottingen 2007-05-08 18:55:25 EDT
Description of problem:
In FC6 you could edit the selinux policies.

Why was this removed in FC7. Will another policy editor be available.  With the
one in FC6 I was able to get SUGARCRM to work(disable block on runing http
script mocules.  I was also able to fix the avhia problem(disable avhia module) 

Version-Release number of selected component (if applicable):
SeLINUX (enable, disable, permissive)  Need other.

How reproducible:
Every time.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2007-05-14 14:30:48 EDT
Because these booleans were causing other errors, in domains that needed to
communicate.  So if a domain needed to communicate with avahi and you disabled
trans.  The other domain would be effected.  

It is better to just add the allow rules that are required to make the job run.

For example you can add a loadable policy module using audit2allow

# grep avahi /var/log/audit/audit.log | audit2allow -M myavahi
# semodule -i myavahi.pp

Would generate and rebuild all the policy rules needed to allow avahi to run. 
Then you should submit a bug report with your avc's so we can fix the problem.

If you still want to disable trans you can always

chcon -t bin_t PATHTOEXEC

This will do the same thing as disable trans.

Please submit the AVC messages that you want fixed for both avahi and SUGARCRM
Comment 2 Glenn Rottingen 2007-05-14 18:40:18 EDT
Summary
    SELinux is preventing /usr/sbin/avahi-daemon (avahi_t) "fowner" to <Unknown>
    (avahi_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/avahi-daemon. It is not
    expected that this access is required by /usr/sbin/avahi-daemon and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:avahi_t
Target Context                system_u:system_r:avahi_t
Target Objects                None [ capability ]
Affected RPM Packages         avahi-0.6.17-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3142.fc7 #1
                              SMP Mon May 7 21:14:09 EDT 2007 i686 athlon
Alert Count                   11
First Seen                    Sun 06 May 2007 07:19:05 PM EDT
Last Seen                     Mon 14 May 2007 04:50:25 PM EDT
Local ID                      46d3fe94-32bb-4018-b71f-e72540669e5a
Line Numbers                  

Raw Audit Messages            

avc: denied { fowner } for comm="avahi-daemon" egid=0 euid=0 exe="/usr/sbin
/avahi-daemon" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=2958
scontext=system_u:system_r:avahi_t:s0 sgid=0 subj=system_u:system_r:avahi_t:s0
suid=0 tclass=capability tcontext=system_u:system_r:avahi_t:s0 tty=(none) uid=0

Comment 3 Glenn Rottingen 2007-05-14 18:46:42 EDT
Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to
    /var/run/pcscd.comm (pcscd_var_run_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected
    that this access is required by /usr/bin/updatedb and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/run/pcscd.comm, restorecon
    -v /var/run/pcscd.comm If this does not work, there is currently no
    automatic way to allow this access. Instead,  you can generate a local
    policy module to allow this access - see http://fedora.redhat.com/docs
    /selinux-faq-fc5/#id2961385 Or you can disable SELinux protection
    altogether. Disabling SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:locate_t
Target Context                system_u:object_r:pcscd_var_run_t
Target Objects                /var/run/pcscd.comm [ sock_file ]
Affected RPM Packages         mlocate-0.16-1 [application]
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3142.fc7 #1
                              SMP Mon May 7 21:14:09 EDT 2007 i686 athlon
Alert Count                   4
First Seen                    Tue 08 May 2007 06:35:15 PM EDT
Last Seen                     Mon 14 May 2007 06:38:02 PM EDT
Local ID                      45686eef-dece-4a9c-a880-1733f6265af0
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="pcscd.comm"
path="/var/run/pcscd.comm" pid=4239 scontext=system_u:system_r:locate_t:s0
sgid=0 subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file
tcontext=system_u:object_r:pcscd_var_run_t:s0 tty=(none) uid=0

Comment 4 Glenn Rottingen 2007-05-14 18:49:47 EDT
There are about 9 additional getattr's problems with updatedb.
Comment 5 Daniel Walsh 2007-05-15 11:04:00 EDT
Please submit the entire audit.log
Comment 6 Daniel Walsh 2007-05-17 11:48:00 EDT
Avc's reported are fixed in selinux-policy-2.6.4-4.fc7
Comment 7 Glenn Rottingen 2007-06-01 13:38:53 EDT
Upgraded to FC7 5/31 release.  Got Following 5 policy errors.

1)Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them.  This can indicate a
    labeling problem, especially if the files being referred to  are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:procmail_t
Target Context                system_u:object_r:default_t
Target Objects                root [ dir ]
Affected RPM Packages         procmail-3.22-19.fc7
                              [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   2
First Seen                    Thu 31 May 2007 11:00:18 PM EDT
Last Seen                     Fri 01 Jun 2007 01:25:07 PM EDT
Local ID                      54e1aa05-fdc3-40ce-b00d-09811a2ed5b3
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0
exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root"
pid=4056 scontext=system_u:system_r:procmail_t:s0 sgid=0
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

2)Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to
    /var/named/chroot/dev/random (named_conf_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected
    that this access is required by /usr/bin/updatedb and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/named/chroot/dev/random,
    restorecon -v /var/named/chroot/dev/random If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:locate_t
Target Context                system_u:object_r:named_conf_t
Target Objects                /var/named/chroot/dev/random [ chr_file ]
Affected RPM Packages         mlocate-0.16-1 [application]bind-
                              chroot-9.4.0-6.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 31 May 2007 10:44:25 PM EDT
Last Seen                     Thu 31 May 2007 10:44:25 PM EDT
Local ID                      5c838255-5048-4971-9ccf-b10b8394f5cd
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="random"
path="/var/named/chroot/dev/random" pid=32532
scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0
suid=0 tclass=chr_file tcontext=system_u:object_r:named_conf_t:s0 tty=(none)
uid=0

3)Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to
    /var/named/chroot/dev/null (named_conf_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected
    that this access is required by /usr/bin/updatedb and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/named/chroot/dev/null,
    restorecon -v /var/named/chroot/dev/null If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:locate_t
Target Context                system_u:object_r:named_conf_t
Target Objects                /var/named/chroot/dev/null [ chr_file ]
Affected RPM Packages         mlocate-0.16-1 [application]bind-
                              chroot-9.4.0-6.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 31 May 2007 10:44:25 PM EDT
Last Seen                     Thu 31 May 2007 10:44:25 PM EDT
Local ID                      c5fbf596-03e5-4786-874e-79618837c102
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="null"
path="/var/named/chroot/dev/null" pid=32532
scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0
suid=0 tclass=chr_file tcontext=system_u:object_r:named_conf_t:s0 tty=(none)
uid=0

4) Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to
    /var/gdm/.gdmfifo (xserver_log_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected
    that this access is required by /usr/bin/updatedb and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:locate_t
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/gdm/.gdmfifo [ fifo_file ]
Affected RPM Packages         mlocate-0.16-1 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 31 May 2007 10:44:25 PM EDT
Last Seen                     Fri 01 Jun 2007 01:30:11 PM EDT
Local ID                      a599faed-3429-4840-9123-78892b5bdfb9
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=".gdmfifo"
path="/var/gdm/.gdmfifo" pid=30830 scontext=system_u:system_r:locate_t:s0 sgid=0
subj=system_u:system_r:locate_t:s0 suid=0 tclass=fifo_file
tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0

5) Summary
    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to
    /var/named/chroot/dev/zero (named_conf_t).

Detailed Description
    SELinux denied access requested by /usr/bin/updatedb. It is not expected
    that this access is required by /usr/bin/updatedb and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/named/chroot/dev/zero,
    restorecon -v /var/named/chroot/dev/zero If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:locate_t
Target Context                system_u:object_r:named_conf_t
Target Objects                /var/named/chroot/dev/zero [ chr_file ]
Affected RPM Packages         mlocate-0.16-1 [application]bind-
                              chroot-9.4.0-6.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     grottingen.no-ip.org
Platform                      Linux grottingen.no-ip.org 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 31 May 2007 10:44:25 PM EDT
Last Seen                     Thu 31 May 2007 10:44:25 PM EDT
Local ID                      b9b4a941-7fab-441b-948c-1196afbb9e11
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="zero"
path="/var/named/chroot/dev/zero" pid=32532
scontext=system_u:system_r:locate_t:s0 sgid=0 subj=system_u:system_r:locate_t:s0
suid=0 tclass=chr_file tcontext=system_u:object_r:named_conf_t:s0 tty=(none)
uid=0



Comment 8 Daniel Walsh 2007-06-01 13:59:30 EDT
restorecon -R -v /root
Comment 9 Daniel Walsh 2007-08-22 10:16:50 EDT
Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.