435934 – SELinux is preventing access to files with the label, file_t.

Bug 435934 - SELinux is preventing access to files with the label, file_t.

Summary: SELinux is preventing access to files with the label, file_t.

Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:	(Show other bugs)
Version:	5.2
Hardware:	All Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-03-04 15:02 UTC by Eduard Benes
Modified:	2008-03-04 20:35 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-03-04 20:35:51 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Eduard Benes 2008-03-04 15:02:24 UTC

Setroubleshoot reports this alert after the machine resumes from suspend.

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:file_t
Target Objects                ./config [ file ]
Source                        ls
Source Path                   /bin/ls
Port                          <Unknown>
Host                          dhcp-lab-118.englab.brq.redhat.com
Source RPM Packages           coreutils-5.97-14.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-121.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     dhcp-lab-118.englab.brq.redhat.com
Platform                      Linux dhcp-lab-118.englab.brq.redhat.com
                              2.6.18-83.el5 #1 SMP Thu Feb 21 12:14:23 EST 2008
                              i686 i686
Alert Count                   5
First Seen                    Tue Mar  4 15:25:11 2008
Last Seen                     Tue Mar  4 15:46:02 2008
Local ID                      24902571-e547-4417-b126-02e8a0fa023f
Line Numbers                  

Raw Audit Messages            

host=dhcp-lab-118.englab.brq.redhat.com type=AVC msg=audit(1204641962.9:26): 
avc:  denied  { read } for  pid=8297 comm="ls" name="config" dev=dm-0 
ino=2718885 scontext=system_u:system_r:hald_t:s0 
tcontext=system_u:object_r:file_t:s0 tclass=file

host=dhcp-lab-118.englab.brq.redhat.com type=SYSCALL 
msg=audit(1204641962.9:26): arch=40000003 syscall=5 success=no exit=-13 
a0=8beb70 a1=8000 a2=1b6 a3=9896008 items=0 ppid=8295 pid=8297 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:hald_t:s0 
key=(null)

Comment 1 Daniel Walsh 2008-03-04 20:35:51 UTC

This is a labeling problem. How did config loose it's label.  restorecon config 

will fix it.  But somehow this file got onto an SELinux box without a label.

Note You need to log in before you can comment on or make changes to this bug.