Bug 440012 - SELinux is preventing access to files with the label, file_t.
SELinux is preventing access to files with the label, file_t.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pulseaudio (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Lennart Poettering
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-01 07:25 EDT by Matěj Cepl
Modified: 2008-04-04 16:15 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-04 16:15:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-04-01 07:25:41 EDT
Description of problem:

Souhrn:

SELinux is preventing access to files with the label, file_t.

Podrobný popis:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Povolení přístupu:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Další informace:

Kontext zdroje                system_u:system_r:tmpreaper_t
Kontext cíle                 system_u:object_r:file_t
Objekty cíle                 ./.esd-500 [ dir ]
Zdroj                         tmpwatch
Cesta zdroje                  /usr/sbin/tmpwatch
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          tmpwatch-2.9.13-2
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-26.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     file
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz
                              2.6.25-0.172.rc7.git4.fc9.i686 #1 SMP Fri Mar 28
                              21:46:59 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Út 1. duben 2008, 12:41:24 CEST
Naposledy viděno             Út 1. duben 2008, 12:41:24 CEST
Místní ID                   d0a1d6b3-08ff-40b0-9fad-f4bf298ee6c5
Čísla řádků              

Původní zprávy auditu      

host=viklef.ceplovi.cz type=AVC msg=audit(1207046484.23:50): avc:  denied  {
read } for  pid=8753 comm="tmpwatch" name=".esd-500" dev=dm-0 ino=6044453
scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207046484.23:50): arch=40000003
syscall=5 success=no exit=-13 a0=804ac62 a1=98800 a2=0 a3=0 items=0 ppid=8751
pid=8753 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0 key=(null)

Version-Release number of selected component (if applicable):
pulseaudio-0.9.10-1.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
Comment 1 Matěj Cepl 2008-04-01 07:32:39 EDT
And one more:


Souhrn:

SELinux is preventing access to files with the label, file_t.

Podrobný popis:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Povolení přístupu:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Další informace:

Kontext zdroje                system_u:system_r:xdm_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:file_t
Objekty cíle                 ./pid [ file ]
Zdroj                         pulseaudio
Cesta zdroje                  /usr/bin/pulseaudio
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          pulseaudio-0.9.10-1.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-26.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     file
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz
                              2.6.25-0.163.rc7.git1.fc9.i686 #1 SMP Thu Mar 27
                              09:56:04 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Út 1. duben 2008, 11:13:19 CEST
Naposledy viděno             Út 1. duben 2008, 11:13:19 CEST
Místní ID                   1ac32fac-fc6b-44af-9ed7-b23d25d3964c
Čísla řádků              

Původní zprávy auditu      

host=viklef.ceplovi.cz type=AVC msg=audit(1207041199.679:4349): avc:  denied  {
read write } for  pid=12266 comm="pulseaudio" name="pid" dev=dm-0 ino=6733720
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207041199.679:4349):
arch=40000003 syscall=5 success=no exit=-13 a0=bf84c324 a1=28142 a2=180 a3=28142
items=0 ppid=12259 pid=12266 auid=4294967295 uid=42 gid=42 euid=42 suid=42
fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 2 Lennart Poettering 2008-04-02 12:31:03 EDT
I am not sure what the first dump has to do with PA?

Also, this sounds like a SELinux policy error to me?
Comment 3 Daniel Walsh 2008-04-04 16:15:51 EDT
This is a labeling problem, not sure how it was created.  It has nothing to do
with pulseaudio.

A relabel of the file system and a clearing out of /tmp should fix.

Note You need to log in before you can comment on or make changes to this bug.