Bug 475985 - seLinux prevents copy to /tmp/...
Product: Fedora
Classification: Fedora
Component: selinux-policy
x86_64 Linux
low Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2008-12-11 08:00 EST by Bob Horrobin
Modified: 2009-02-27 03:54 EST
Doc Type: Bug Fix
Last Closed: 2009-02-27 03:54:38 EST
Description Bob Horrobin 2008-12-11 08:00:49 EST
Description of problem:

Version-Release number of selected component (if applicable):


SELinux is preventing cp (unlabeled_t) "associate" unlabeled_t.

Detailed Description:

SELinux denied access requested by cp. It is not expected that this access is
required by cp and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                mount [ filesystem ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          ciro04.cirocourt
Source RPM Packages           coreutils-6.10-33.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ciro04.cirocourt
Platform                      Linux ciro04.cirocourt #1
                              SMP Wed Nov 12 18:31:37 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Dec 2008 12:42:48 GMT
Last Seen                     Thu 11 Dec 2008 12:42:48 GMT
Local ID                      f3a1ad58-437c-4a75-bd73-bca81d308315
Line Numbers                  

Raw Audit Messages            

node=ciro04.cirocourt type=AVC msg=audit(1228999368.791:222): avc:  denied  { associate } for  pid=4061 comm="cp" name="mount" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=ciro04.cirocourt type=SYSCALL msg=audit(1228999368.791:222): arch=c000003e syscall=2 success=no exit=-13 a0=20818a0 a1=c1 a2=1ed a3=354a567a70 items=0 ppid=4055 pid=4061 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

How reproducible:
consistent even as root

Steps to Reproduce:
1. [bobhorrobin@ciro04 dazukofs-3.0.0-rc4]$ su -c "cp /bin/* /tmp/dazukofs_test"
Actual results: 
cp: cannot create regular file `/tmp/dazukofs_test/tar': Permission denied

Expected results:

Additional info:
Comment 1 Daniel Walsh 2008-12-11 08:43:00 EST
Somehow you have an unlabeled_t file on /bin.

sudo restorecon -R -v /bin

Should fix.
Comment 2 Bob Horrobin 2008-12-11 09:01:08 EST
Thanks for the prompt reply.  su -c "restorecon -R -v /bin" has no effect as no files are reset.
Comment 3 Daniel Walsh 2008-12-11 09:19:31 EST
What file system are you using?

ls -lZ /tmp/dazukofs_test
Comment 4 Bob Horrobin 2008-12-11 11:10:52 EST
I get no response from that command!  

[bobhorrobin@ciro04 ~]$ ls -lZ /tmp/dazukofs_test
[bobhorrobin@ciro04 ~]$
Comment 5 Bob Horrobin 2008-12-11 11:14:36 EST
A sample from the original 'cp' errors is as follows (this might give you a clue):

cp: cannot create regular file `/tmp/dazukofs_test/ypdomainname': Permission denied
cp: cannot create regular file `/tmp/dazukofs_test/zcat': Permission denied
Comment 6 Bob Horrobin 2008-12-11 18:57:47 EST
I don't know if this helps as I am not sure what you mean by file system but it does show the details of the empty dazukofs_test directory.

 ls -lZ /tmp
-rw-------  bobhorrobin bobhorrobin unconfined_u:object_r:user_tmp_t:s0 1ENWLU.tmp
drwxrwxr-x  bobhorrobin bobhorrobin system_u:object_r:unlabeled_t:s0 dazukofs_test
drwx------  bobhorrobin bobhorrobin unconfined_u:object_r:user_tmp_t:s0 gconfd-bobhorrobin
drwx------  gdm gdm system_u:object_r:xdm_tmp_t:s0   gconfd-gdm
Comment 7 Bob Horrobin 2008-12-11 19:37:20 EST
I have now got this to work but it does not explain the problem.  

I created a new directory /tmp/xx
Repeated my original cp command but to the new directory /tmp/xx
Removed the old directory /tmp/dazukofs_test
Renamed the old directory /tmp/xx to /tmp/dazukofs_test

The only difference in the sequence of commands is that I had originally mounted to /tmp/dazukofs_test directory before I did the copy.  This would imply that the problem is associated with dazukofs or some interaction with dazukofs and SELinux.

mount -t dazukofs /tmp/dazukofs_test /tmp/dazukofs_test

Unless you wish to pursue this I suggest that we close it.  I have achieved my objective.

Thanks for your help.
Comment 8 Daniel Walsh 2008-12-12 09:42:51 EST
What is dazukofs?  The problem is SELinux has no idea what this file system is so it labels it unlabeled_t.  Is this a file system that supports Extended Attributes?
Comment 9 Bob Horrobin 2008-12-12 11:30:43 EST
DazukoFS is a stackable filesystem that provides a mechanism for userspace
applications to perform online file access control. It was originally
developed to support online virus scanners, but could be useful for any
application that wishes to perform online file access control.

This will replace Dazuko which is required to run antivirus applications such as avast, avira, clam or avg.

Ref: http://dazuko.dnsalias.org/wiki/index.php/Main_Page

This is about all that I know.  I hope that with SELinux, common sense and a good firewall much of this is unnecessary.

I can't find anything that will answer your questions directly.  My interest is that if I want anti-virus software I also need dazuko for it to work.  As Dazuko will not work with kernel 2.6.27.. I thought that I would get ahead of the game with Dazukofs.  It does not look as if they are close yet.
Comment 10 Daniel Walsh 2008-12-12 13:48:30 EST
Ok, we are going to temporarily label it as nfs_t, which will allow the operation you described above to work.  eparis is working on solutions for this file system and encryptfs to be able to handle these problems in the future, better.
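
Added example, not part of the original bug thread or of any SELinux tool: a small triage helper that parses AVC records and separates the case diagnosed here (an "associate" denial against a filesystem that is itself unlabeled_t, where restorecon on files changes nothing) from an ordinary unlabeled file. The function names and the second sample line are constructed for illustration; the first sample is the AVC record from the report.

```python
import re

# AVC record copied from the bug report above.
SAMPLE_AVC = (
    'node=ciro04.cirocourt type=AVC msg=audit(1228999368.791:222): avc:  denied  '
    '{ associate } for  pid=4061 comm="cp" name="mount" '
    'scontext=unconfined_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem'
)
# Constructed line (not from the report): a denial on a single unlabeled file.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1229000000.000:300): avc:  denied  { read } for  pid=5000 '
    'comm="cat" name="notes" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def selinux_type(context):
    """Extract the type from user:role:type[:level]; the level may hold colons."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def triage(line):
    rec = parse_avc(line)
    if rec is None:
        return 'not-avc'
    ttype = selinux_type(rec.get('tcontext', ''))
    if (rec.get('tclass') == 'filesystem' and 'associate' in rec['perms']
            and ttype == 'unlabeled_t'):
        # The mounted filesystem has no label: look at the mount type, not the files.
        return 'unlabeled-filesystem'
    if ttype == 'unlabeled_t':
        # A single object lacks a label: candidate for restorecon.
        return 'unlabeled-object'
    return 'other'
```
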
