Bug 374341 - SELinux is preventing the /usr/sbin/semodule from using potentially mislabeled files (/home/kostya/.xsession-errors).
SELinux is preventing the /usr/sbin/semodule from using potentially mislabele...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-10 01:35 EST by Konstantin Svist
Modified: 2008-06-27 19:52 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-27 19:52:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Konstantin Svist 2007-11-10 01:35:18 EST
Description of problem:
SELinux Management application generates this selinux alert:

"""
Summary
    SELinux is preventing the /usr/sbin/semodule from using potentially
    mislabeled files (/home/kostya/.xsession-errors).

Detailed Description
    SELinux has denied /usr/sbin/semodule access to potentially mislabeled
    file(s) (/home/kostya/.xsession-errors).  This means that SELinux will not
    allow /usr/sbin/semodule to use these files.  It is common for users to edit
    files in their home directory or tmp directories and then move (mv) them to
    system directories.  The problem is that the files end up with the wrong
    file context which confined applications are not allowed to access.

Allowing Access
    If you want /usr/sbin/semodule to access this files, you need to relabel
    them using restorecon -v /home/kostya/.xsession-errors.  You might want to
    relabel the entire directory using restorecon -R -v /home/kostya.

Additional Information        

Source Context                system_u:system_r:semanage_t:s0
Target Context                unconfined_u:object_r:unconfined_home_t:s0
Target Objects                /home/kostya/.xsession-errors [ file ]
Affected RPM Packages         policycoreutils-2.0.31-7.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     mireille.svist.lan
Platform                      Linux mireille.svist.lan 2.6.23.1-42.fc8 #1 SMP
                              Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   4
First Seen                    Fri 09 Nov 2007 02:25:38 PM PST
Last Seen                     Fri 09 Nov 2007 02:30:44 PM PST
Local ID                      2e73e8cf-0f69-443d-814d-6a1f20baf7a4
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=semodule dev=sda9 egid=0 euid=0
exe=/usr/sbin/semodule exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/home/kostya
/.xsession-errors pid=5235 scontext=system_u:system_r:semanage_t:s0 sgid=0
subj=system_u:system_r:semanage_t:s0 suid=0 tclass=file
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tty=(none) uid=0
"""

The suggestion by setroubleshoot is to "restorecon -v
/home/kostya/.xsession-errors" but that does nothing - after restarting SELinux
Management application, the error appears again.


How reproducible:
Every time


Steps to Reproduce:
1. Start SELinux Management (KDE Menu -> System -> SELinux Management)
  
Actual results:
Error appears

Expected results:
No errors
Comment 1 Daniel Walsh 2007-11-10 07:24:17 EST
You can safely ignore this.  I will don't audit it in the next version of policy

Fixed in selinux-policy-3.0.8-51.fc8
Comment 2 Konstantin Svist 2007-11-13 17:00:41 EST
Should I wait until the new policy is made available through yum repositories?
Or is there a way of updating it somehow else?
Comment 3 Daniel Walsh 2007-11-14 10:29:32 EST
selinux-policy-3.0.8-53.fc8 is available in Fedora Testing now.
Comment 4 Konstantin Svist 2007-11-14 13:34:02 EST
updated to 3.0.8-52.fc8 using
# yum update --enablerepo=updates-testing '*selinux*'

This bug appears to be fixed, as you said. Should I close the bug now or wait
for the release version to come out?
From available options, guessing it should be "RELEASE_PENDING" but not changing
it since I don't know how you do things around these parts ;)
Comment 5 John Poelstra 2008-06-27 19:52:53 EDT
closing

Note You need to log in before you can comment on or make changes to this bug.