Red Hat Bugzilla – Bug 444307
system-config-selinux stopped by AVC
Last modified: 2008-04-28 09:07:19 EDT
Description of problem: starting up system-config-selinux return an AVC error saying that SELinux has denied semodule access to potentially mislabeled file(s) (/home/jonu/.xsession-errors. ran restorecon -v '/home/jonu/.xsession-errors' and problem still persists Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-35.fc9.noarch How reproducible: 100% Summary: SELinux is preventing the semodule from using potentially mislabeled files (/home/jonu/.xsession-errors). Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied semodule access to potentially mislabeled file(s) (/home/jonu/.xsession-errors). This means that SELinux will not allow semodule to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want semodule to access this files, you need to relabel them using restorecon -v '/home/jonu/.xsession-errors'. You might want to relabel the entire directory using restorecon -R -v '/home/jonu'. Additional Information: Source Context unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c102 3 Target Context system_u:object_r:user_home_t:s0 Target Objects /home/jonu/.xsession-errors [ file ] Source semodule Source Path /usr/sbin/semodule Port <Unknown> Host yardsale Source RPM Packages policycoreutils-2.0.46-5.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-35.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name home_tmp_bad_labels Host Name yardsale Platform Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64 Alert Count 2 First Seen Sat 26 Apr 2008 03:02:49 PM PDT Last Seen Sat 26 Apr 2008 03:04:13 PM PDT Local ID 44bec79b-c411-4900-9079-8f6aae54215c Line Numbers Raw Audit Messages host=yardsale type=AVC msg=audit(1209247453.573:71): avc: denied { append } for pid=8371 comm="semodule" path="/home/jonu/.xsession-errors" dev=sdb1 ino=31883266 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file host=yardsale type=SYSCALL msg=audit(1209247453.573:71): arch=c000003e syscall=59 success=yes exit=0 a0=174d5f0 a1=174d990 a2=174c770 a3=340dd67a70 items=0 ppid=8370 pid=8371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
You can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp It will be dontaudted in the future Fixed in selinux-policy-3.3.1-43.fc9.noarch