Bug 444307 - system-config-selinux stopped by AVC
Summary: system-config-selinux stopped by AVC
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Blocks: F9Blocker
TreeView+ depends on / blocked
Reported: 2008-04-26 22:08 UTC by John Poelstra
Modified: 2008-04-28 13:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-28 13:07:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description John Poelstra 2008-04-26 22:08:05 UTC
Description of problem:
starting up system-config-selinux return an AVC error saying that SELinux has
denied semodule access to potentially mislabeled file(s)

ran restorecon -v '/home/jonu/.xsession-errors' and problem still persists

Version-Release number of selected component (if applicable):

How reproducible:


SELinux is preventing the semodule from using potentially mislabeled files

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s)
(/home/jonu/.xsession-errors). This means that SELinux will not allow semodule
to use these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want semodule to access this files, you need to relabel them using
restorecon -v '/home/jonu/.xsession-errors'. You might want to relabel the
entire directory using restorecon -R -v '/home/jonu'.

Additional Information:

Source Context                unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c102
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/jonu/.xsession-errors [ file ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           policycoreutils-2.0.46-5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 26 Apr 2008 03:02:49 PM PDT
Last Seen                     Sat 26 Apr 2008 03:04:13 PM PDT
Local ID                      44bec79b-c411-4900-9079-8f6aae54215c
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209247453.573:71): avc:  denied  { append }
for  pid=8371 comm="semodule" path="/home/jonu/.xsession-errors" dev=sdb1
ino=31883266 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_t:s0 tclass=file

host=yardsale type=SYSCALL msg=audit(1209247453.573:71): arch=c000003e
syscall=59 success=yes exit=0 a0=174d5f0 a1=174d990 a2=174c770 a3=340dd67a70
items=0 ppid=8370 pid=8371 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1 comm="semodule" exe="/usr/sbin/semodule"
subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-28 13:07:19 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

It will be dontaudted in the future

Fixed in selinux-policy-3.3.1-43.fc9.noarch

Note You need to log in before you can comment on or make changes to this bug.