Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 444307 - system-config-selinux stopped by AVC
system-config-selinux stopped by AVC
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks: F9Blocker
  Show dependency treegraph
 
Reported: 2008-04-26 18:08 EDT by John Poelstra
Modified: 2008-04-28 09:07 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-28 09:07:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description John Poelstra 2008-04-26 18:08:05 EDT 
Description of problem:
starting up system-config-selinux return an AVC error saying that SELinux has
denied semodule access to potentially mislabeled file(s)
(/home/jonu/.xsession-errors.

ran restorecon -v '/home/jonu/.xsession-errors' and problem still persists

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-35.fc9.noarch

How reproducible:
100% 


Summary:

SELinux is preventing the semodule from using potentially mislabeled files
(/home/jonu/.xsession-errors).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s)
(/home/jonu/.xsession-errors). This means that SELinux will not allow semodule
to use these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want semodule to access this files, you need to relabel them using
restorecon -v '/home/jonu/.xsession-errors'. You might want to relabel the
entire directory using restorecon -R -v '/home/jonu'.

Additional Information:

Source Context                unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c102
                              3
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/jonu/.xsession-errors [ file ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           policycoreutils-2.0.46-5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 26 Apr 2008 03:02:49 PM PDT
Last Seen                     Sat 26 Apr 2008 03:04:13 PM PDT
Local ID                      44bec79b-c411-4900-9079-8f6aae54215c
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209247453.573:71): avc:  denied  { append }
for  pid=8371 comm="semodule" path="/home/jonu/.xsession-errors" dev=sdb1
ino=31883266 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=yardsale type=SYSCALL msg=audit(1209247453.573:71): arch=c000003e
syscall=59 success=yes exit=0 a0=174d5f0 a1=174d990 a2=174c770 a3=340dd67a70
items=0 ppid=8370 pid=8371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule" exe="/usr/sbin/semodule"
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-04-28 09:07:19 EDT 
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

It will be dontaudted in the future

Fixed in selinux-policy-3.3.1-43.fc9.noarch
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.