Bug 314511 - NM/gdb SELinux denial
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
rawhide
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-10-01 15:09 EDT by Zack Cerza
Modified: 2008-01-30 14:05 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:39 EST


Description Zack Cerza 2007-10-01 15:09:16 EDT
I'm guessing this was triggered by an NM crash.

NetworkManager-0.7.0-0.3.svn2914.fc8
selinux-policy-targeted-3.0.8-14.fc8
gdb-6.6-30.fc8

Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         gdb-6.6-30.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     megadoomer
Platform                      Linux megadoomer 2.6.23-0.214.rc8.git2.fc8 #1 SMP
                              Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   20
First Seen                    Mon 01 Oct 2007 03:03:23 PM EDT
Last Seen                     Mon 01 Oct 2007 03:03:23 PM EDT
Local ID                      f0204547-7f01-403d-a61f-dcda36900b09
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=gdb dev=sda6 egid=0 euid=0 exe=/usr/bin/gdb
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=57 pid=9949
scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0
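
A denial like the one above can be triaged mechanically: a target type of file_t points at missing labels rather than at a gap in policy. The following is an added example, not part of the original report or of setroubleshoot; the function names are hypothetical, the first record is the one from this report joined onto one line, and the second record is constructed for contrast.

```python
import re

# AVC record from this report, joined onto one line.
SAMPLE_AVC = (
    "avc: denied { search } for comm=gdb dev=sda6 egid=0 euid=0 "
    "exe=/usr/bin/gdb exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=57 pid=9949 "
    "scontext=system_u:system_r:NetworkManager_t:s0 sgid=0 "
    "subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir "
    "tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0"
)
# Constructed record with a labeled target, for contrast.
LABELED_AVC = (
    "avc: denied { read write } for comm=gdb dev=sda6 name=core pid=9949 "
    "scontext=system_u:system_r:NetworkManager_t:s0 tclass=file "
    "tcontext=system_u:object_r:var_t:s0"
)
UNLABELED_TYPE = "file_t"  # type given to files that have no label
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(record):
    """Split one AVC record into result, permissions and key=value fields."""
    m = AVC_RE.search(record)
    if not m:
        return None
    # Assumes unquoted values without spaces, as in the record above.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return m.group(1), m.group(2).split(), fields

def triage(record):
    """Classify a denial as a labeling problem or a policy question."""
    parsed = parse_avc(record)
    if parsed is None or parsed[0] != "denied":
        return None
    _, perms, f = parsed
    src, tgt = context_type(f.get("scontext", "")), context_type(f.get("tcontext", ""))
    unlabeled = tgt == UNLABELED_TYPE
    action = ("relabel filesystem on %s (restorecon or fixfiles restore)" % f.get("dev")
              if unlabeled else "review policy for %s -> %s" % (src, tgt))
    return {"source_type": src, "target_type": tgt, "tclass": f.get("tclass"),
            "perms": perms, "device": f.get("dev"),
            "labeling_problem": unlabeled, "action": action}

if __name__ == "__main__":
    for rec in (SAMPLE_AVC, LABELED_AVC):
        print(triage(rec))
```
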
Comment 1 Zack Cerza 2007-10-01 15:10:28 EDT
I'm not sure what directory it was trying to touch, or why it was labeled
file_t, but I have done several autorelabels in the past.
Comment 2 Daniel Walsh 2007-10-01 16:21:31 EDT
Please execute

# fixfiles restore

and see what happens?

Comment 3 Daniel Walsh 2007-10-09 16:52:39 EDT
autorelabel should work in selinux-policy-3.0.8-18.fc8
Comment 4 Daniel Walsh 2008-01-30 14:05:39 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
