Description of problem:

Version-Release number of selected component (if applicable):

Summary:

SELinux is preventing cp (unlabeled_t) "associate" unlabeled_t.

Detailed Description:

SELinux denied access requested by cp. It is not expected that this access is required by cp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        unconfined_u:object_r:unlabeled_t:s0
Target Context        system_u:object_r:unlabeled_t:s0
Target Objects        mount [ filesystem ]
Source                cp
Source Path           /bin/cp
Port                  <Unknown>
Host                  ciro04.cirocourt
Source RPM Packages   coreutils-6.10-33.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-111.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             ciro04.cirocourt
Platform              Linux ciro04.cirocourt 2.6.27.5-37.fc9.x86_64 #1 SMP Wed Nov 12 18:31:37 EST 2008 x86_64 x86_64
Alert Count           1
First Seen            Thu 11 Dec 2008 12:42:48 GMT
Last Seen             Thu 11 Dec 2008 12:42:48 GMT
Local ID              f3a1ad58-437c-4a75-bd73-bca81d308315
Line Numbers

Raw Audit Messages

node=ciro04.cirocourt type=AVC msg=audit(1228999368.791:222): avc: denied { associate } for pid=4061 comm="cp" name="mount" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=ciro04.cirocourt type=SYSCALL msg=audit(1228999368.791:222): arch=c000003e syscall=2 success=no exit=-13 a0=20818a0 a1=c1 a2=1ed a3=354a567a70 items=0 ppid=4055 pid=4061 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

How reproducible: consistent even as root

Steps to Reproduce:
1. [bobhorrobin@ciro04 dazukofs-3.0.0-rc4]$ su -c "cp /bin/* /tmp/dazukofs_test"

Actual results:
cp: cannot create regular file `/tmp/dazukofs_test/tar': Permission denied

Expected results: copied

Additional info:
Somehow you have an unlabeled_t file on /bin.

sudo restorecon -R -v /bin

Should fix.
Thanks for the prompt reply. su -c "restorecon -R -v /bin" has no effect as no files are reset.
What file system are you using?

ls -lZ /tmp/dazukofs_test
I get no response from that command!

[bobhorrobin@ciro04 ~]$ ls -lZ /tmp/dazukofs_test
[bobhorrobin@ciro04 ~]$
A sample from the original 'cp' errors is as follows (this might give you a clue):

cp: cannot create regular file `/tmp/dazukofs_test/ypdomainname': Permission denied
cp: cannot create regular file `/tmp/dazukofs_test/zcat': Permission denied
I don't know if this helps as I am not sure what you mean by file system but it does show the details of the empty dazukofs_test directory.

ls -lZ /tmp
-rw------- bobhorrobin bobhorrobin unconfined_u:object_r:user_tmp_t:s0 1ENWLU.tmp
drwxrwxr-x bobhorrobin bobhorrobin system_u:object_r:unlabeled_t:s0 dazukofs_test
drwx------ bobhorrobin bobhorrobin unconfined_u:object_r:user_tmp_t:s0 gconfd-bobhorrobin
drwx------ gdm gdm system_u:object_r:xdm_tmp_t:s0 gconfd-gdm
......
I have now got this to work but it does not explain the problem.

I created a new directory /tmp/xx
Repeated my original cp command but to the new directory /tmp/xx
Removed the old directory /tmp/dazukofs_test
Renamed the old directory /tmp/xx to /tmp/dazukofs_test

The only difference in the sequence of commands is that I had originally mounted to /tmp/dazukofs_test directory before I did the copy. This would imply that the problem is associated with dazukofs or some interaction with dazukofs and SELinux.

mount -t dazukofs /tmp/dazukofs_test /tmp/dazukofs_test

Unless you wish to pursue this I suggest that we close it. I have achieved my objective. Thanks for your help.
What is dazukofs? The problem is SELinux has no idea what this file system is so it labels it unlabeled_t. Is this a file system that supports Extended Attributes?
DazukoFS is a stackable filesystem that provides a mechanism for userspace applications to perform online file access control. It was originally developed to support online virus scanners, but could be useful for any application that wishes to perform online file access control. This will replace Dazuko which is required to run antivirus applications such as avast, avira, clam or avg.

Ref: http://dazuko.dnsalias.org/wiki/index.php/Main_Page

This is about all that I know. I hope that with SELinux, common sense and a good firewall much of this is unnecessary. I can't find anything that will answer your questions directly. My interest is that if I want anti-virus software I also need dazuko for it to work. As Dazuko will not work with kernel 2.6.27.. I thought that I would get ahead of the game with Dazukofs. It does not look as if they are close yet.
Ok, we are going to temporarily label it as nfs_t, which will allow the operation you described above to work. eparis is working on solutions for this file system and encryptfs to be able to handle these problems in the future, better.
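
The raw audit messages in the report pair an AVC record with a SYSCALL record under the same serial (222). The following Python is an added example, not part of the original thread or of any SELinux tool: it joins the two records and flags a filesystem associate denial against unlabeled_t. The function names are hypothetical, and SAMPLE is the report's two records re-split one per line.

```python
import errno
import re
from collections import defaultdict

# The two records from the report above, re-split one per line.
SAMPLE = """\
node=ciro04.cirocourt type=AVC msg=audit(1228999368.791:222): avc: denied { associate } for pid=4061 comm="cp" name="mount" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
node=ciro04.cirocourt type=SYSCALL msg=audit(1228999368.791:222): arch=c000003e syscall=2 success=no exit=-13 a0=20818a0 a1=c1 a2=1ed a3=354a567a70 items=0 ppid=4055 pid=4061 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        header = HEADER.search(line)
        if not header:
            continue
        rtype, serial = header.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[header.end():])}
        if rtype == "AVC":
            perms = PERMS.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
        events[serial][rtype] = fields
    return dict(events)


def summarize(event):
    """Summarise one denial. For a filesystem 'associate' check the AVC
    scontext is the label of the object being created and tcontext is the
    label of the filesystem; the calling process is in the SYSCALL subj."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    exit_code = int(sc.get("exit", "0"))
    fs_type = avc["tcontext"].split(":")[2]
    return {
        "perms": avc["perms"],
        "tclass": avc["tclass"],
        "object_type": avc["scontext"].split(":")[2],
        "fs_type": fs_type,
        "process_domain": sc["subj"].split(":")[2] if "subj" in sc else None,
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "unlabeled_fs": avc["tclass"] == "filesystem" and fs_type == "unlabeled_t",
    }
```

When unlabeled_fs is true, the denial points at the mounted filesystem's label rather than at the files being copied, which matches the outcome in this thread where relabelling /bin changed nothing.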