Bug 432716 - SELinux is preventing /usr/bin/kbuildsycoca from creating a file with a SELinux is preventing /usr/bin/kbuildsycoca from creating a file with a context of unlabeled_t on a filesystem [NEEDINFO]
SELinux is preventing /usr/bin/kbuildsycoca from creating a file with a SELi...
Product: Fedora
Classification: Fedora
Component: kdelibs (Show other bugs)
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-02-13 18:22 EST by jiu ke
Modified: 2009-01-09 00:59 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-09 00:59:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
dwalsh: needinfo? (jiuke2k)

Attachments (Terms of Use)

  None (edit)
Description jiu ke 2008-02-13 18:22:43 EST
Description of problem:

anytime, start a kde-based program (e.g. kpdf, amorok,) in gnome desktop of
fedora 8, a selinux pop-up window will show up at the taskbar area, saying 
"Selinux:  AVC deniel,  click  to view"

here is the detail information if I click to view (by now, I have 7784 count for
this selinux avc deniel message):

    SELinux is preventing /usr/bin/kbuildsycoca from creating a file with a
    context of unlabeled_t on a filesystem.

Detailed Description
    SELinux is preventing /usr/bin/kbuildsycoca from creating a file with a
    context of unlabeled_t on a filesystem. Usually this happens when you ask
    the cp command to maintain the context of a file when copying between file
    systems, "cp -a" for example.  Not all file contexts should be maintained
    between the file systems.  For example, a read-only file type like iso9660_t
    should not be placed on a r/w system.  "cp -P" might be a better solution,
    as this will adopt the default file context for the destination.

Allowing Access
    Use a command like "cp -P" to preserve all permissions except SELinux

Additional Information        

Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                None [ filesystem ]
Affected RPM Packages         kdelibs-3.5.8-19.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-81.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.filesystem_associate
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain #1
                              SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   7538
First Seen                    Thu 03 Jan 2008 09:38:56 PM EST
Last Seen                     Wed 13 Feb 2008 06:04:13 PM EST
Local ID                      7c647c83-a7f2-46cc-a45d-828f73bdbfde
Line Numbers                  

Raw Audit Messages            

avc: denied { associate } for comm=kbuildsycoca egid=0 euid=500
exe=/usr/bin/kbuildsycoca exit=-13 fsgid=0 fsuid=500 gid=0 items=0
name=ksycocaGprnua.new pid=3799 scontext=system_u:object_r:unlabeled_t:s0 sgid=0
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=filesystem
tcontext=system_u:object_r:fs_t:s0 tty=(none) uid=500

Version-Release number of selected component (if applicable):

How reproducible:

use kpdf to open any pdf, or start amorak in gnome desktop in fedora 8

Steps to Reproduce:
Actual results:

the setroubleshoot service will stop by itself sometime later after OS start-up.

Expected results:

Additional info:
Comment 1 Daniel Walsh 2008-02-14 08:28:31 EST
This looks like you have a file system that we don't know about.   unlabeled_t
means the kernel does not how to label the file system.

Could you attach the output of df?
Comment 2 Eric Paris 2008-02-14 08:43:51 EST
also can you collect:

cat /proc/mounts
Comment 3 Shailesh Narvekar 2008-02-28 09:58:23 EST
I had exactly the same problem on my system. Here is how I solved it. I tried
running my KDE program(k3b) from the terminal window...and the error there was
kbuildsycoca had problem creating a file in /tmp/kdecache-root. I checked in
/tmp and the directory did not exist.

I created this directory and presto all the errors vanish(the command line error
as well as the SELinux one)

So I dont think this really is an SELinux issue as such...though I am not quite
sure why the kdecache-root had to be manually recreated.

Hope this helps.
Comment 4 Jeff Siddall 2008-03-18 10:39:42 EDT
I also had the same problem, specifically when using the menu editor.  I
discovered that on my machine the missing directory was in /var/tmp, not /tmp.

When I created /var/tmp/kdecache-<username> everything worked fine.
Comment 5 Bug Zapper 2008-11-26 04:48:47 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 6 Kevin Kofler 2008-11-26 05:56:54 EST
Does this still happen with the KDE 3.5.10 updates? Or when running a KDE 3 app in F9 or F10? The KDE 3 kbuildsycoca still exists there.
Comment 7 Bug Zapper 2009-01-09 00:59:17 EST
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.