Bug 426711 - selinux when updatedb runs on file with type unlabeled_t (?)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
8
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-12-24 14:15 EST by Need Real Name
Modified: 2007-12-31 11:21 EST (History)
Last Closed: 2007-12-31 07:31:57 EST
Description Need Real Name 2007-12-24 14:15:25 EST
Description of problem:
I seem to get selinux error messages whenever updatedb runs on a file with type
unlabeled_t

type=AVC msg=audit(1197455827.650:482): avc:  denied  { getattr } for  pid=10076
comm="updatedb" path="/mnt/drive/myfile" dev=sdc5 ino=15908866
scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=dir
type=AVC msg=audit(1197455827.693:483): avc:  denied  { search } for  pid=10076
comm="updatedb" name="myfile" dev=sdc5 ino=15908866
scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=dir
type=AVC msg=audit(1197455827.695:484): avc:  denied  { read } for  pid=10076
comm="updatedb" name="myfile" dev=sdc5 ino=15908866
scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=dir
Comment 1 Need Real Name 2007-12-24 14:20:03 EST
Note this same file also gives selinux problems when setroubleshootd runs:

type=AVC msg=audit(1198394047.881:284): avc:  denied  { getattr } for  pid=2868
comm="setroubleshootd" name="myfile" dev=sdc5 ino=15908870
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Comment 2 Daniel Walsh 2007-12-31 07:31:57 EST
How did you get an unlabeled_t file?  You should not have these on your system.

This should only happen if you install a policy module, and label a file based
on that module, then remove the policy module.  

restorecon -R -v /mnt/drive/myfile 

should fix this. 

One other way this could happen is if you had labeled this file system on a
different SELinux machine and have now mounted it on a different machine with a
different selinux policy.

unlabeled_t means the file has a label on it that the kernel/policy does not
understand.
Comment 3 Need Real Name 2007-12-31 11:21:35 EST
Thanks - the unlabeled files came from an older drive that I had mounted and
probably was pre-selinux labeling.

I guess I am still not sure why it should be an error for updatedb or
setroubleshootd to read these files.
In fact it is a bit ironic that the selinux error when updatedb reads the
unlabeled files triggers setroubleshootd which then generates its own selinux error.

If that is the desired behavior, it is fine with me since it is easy to
label/relabel so the selinux errors aren't troublesome. Just curious whether
this is the right behavior.

Thanks
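
Added example, not part of the original bug thread: a Python script that scans audit log text for AVC denials whose target context type is unlabeled_t and groups them by device and inode, so the files that need relabeling can be located. The sample log reuses the records quoted in this report (re-joined onto single lines) plus one constructed record with a different target type; all function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the four AVC records from this report, one per line, plus a
# final CONSTRUCTED record (user_home_t target) to show that it is filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197455827.650:482): avc:  denied  { getattr } for  pid=10076 comm="updatedb" path="/mnt/drive/myfile" dev=sdc5 ino=15908866 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1197455827.693:483): avc:  denied  { search } for  pid=10076 comm="updatedb" name="myfile" dev=sdc5 ino=15908866 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1197455827.695:484): avc:  denied  { read } for  pid=10076 comm="updatedb" name="myfile" dev=sdc5 ino=15908866 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1198394047.881:284): avc:  denied  { getattr } for  pid=2868 comm="setroubleshootd" name="myfile" dev=sdc5 ino=15908870 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1197455900.100:490): avc:  denied  { read } for  pid=10100 comm="updatedb" name="notes" dev=sda2 ino=4242 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    fields["perms"] = m.group("perms").split()
    fields["serial"] = int(m.group("serial"))
    return fields

def context_type(ctx):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

def unlabeled_denials(log_text):
    """Group denials on unlabeled_t targets by (dev, ino)."""
    hits = defaultdict(lambda: {"domains": set(), "perms": set(), "path": None})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or context_type(rec.get("tcontext", "")) != "unlabeled_t":
            continue
        entry = hits[(rec.get("dev"), rec.get("ino"))]
        entry["domains"].add(context_type(rec.get("scontext", "")))
        entry["perms"].update(rec["perms"])
        # Prefer a full path= when any record for this inode carries one.
        entry["path"] = rec.get("path") or entry["path"] or rec.get("name")
    return dict(hits)

if __name__ == "__main__":
    for (dev, ino), e in unlabeled_denials(SAMPLE_AUDIT_LOG).items():
        print(dev, ino, e["path"], sorted(e["domains"]), sorted(e["perms"]))
```

Each reported path is a candidate for the restorecon -R -v relabel suggested in Comment 2; records that carry only name= need the dev and ino values to locate the file.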
