Bug 476209 - SELinux is preventing updatedb (locate_t) "read" to ./.mozilla (unlabeled_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-12 09:14 EST by Luis Montalvo
Modified: 2008-12-23 11:20 EST
Last Closed: 2008-12-23 11:20:16 EST


Attachments:
/var/log/audit/audit.log (compressed) (40.51 KB, application/x-gzip)
2008-12-19 01:03 EST, Luis Montalvo

Description Luis Montalvo 2008-12-12 09:14:09 EST
Description of problem:

SELinux is preventing updatedb from accessing several system and user files.

Version-Release number of selected component (if applicable):


How reproducible:

I noticed the problem after an update from FC8 to FC10

Steps to Reproduce:
1.
2.
3.
  
Actual results:

SELinux prevents access to several system and user files.

Expected results:


Additional info:

Hereafter the message on the screen after running the command:

"sealert -l 845561a1-9a2f-4bd0-a500-abb82572b140".

Running restorecon -v './.mozilla' changed nothing.

{Begin of sealert message}

Summary:

SELinux is preventing updatedb (locate_t) "read" to ./.mozilla (unlabeled_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./.mozilla,

restorecon -v './.mozilla'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:locate_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                ./.mozilla [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          colibri.localdomain
Source RPM Packages           mlocate-0.21.1-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-30.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     colibri.localdomain
Platform                      Linux colibri.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   3
First Seen                    Mon Dec  8 01:35:26 2008
Last Seen                     Fri Dec 12 10:59:10 2008
Local ID                      845561a1-9a2f-4bd0-a500-abb82572b140
Line Numbers                  

Raw Audit Messages            

node=colibri.localdomain type=AVC msg=audit(1229075950.651:59): avc:  denied  { read } for  pid=10016 comm="updatedb" name=".mozilla" dev=dm-0 ino=2523578 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=colibri.localdomain type=SYSCALL msg=audit(1229075950.651:59): arch=40000003 syscall=5 success=yes exit=9 a0=804edc9 a1=8000 a2=0 a3=8000 items=0 ppid=10010 pid=10016 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)

{End of sealert message}
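
Added example (not part of the original report, and not code from setroubleshoot or selinux-policy): a small triage script for raw AVC records like the one above. It groups denials by source type, target type and object class, so many alerts collapse into one root cause, and tags any group whose target is unlabeled_t as a labeling problem rather than a policy gap. The first sample record is the raw AVC line from this report; the other two AVC lines and the action tag names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the raw AVC line from this report. The next two AVC lines are
# constructed in the same format; the SYSCALL line is shortened from the report.
SAMPLE = """\
node=colibri.localdomain type=AVC msg=audit(1229075950.651:59): avc:  denied  { read } for  pid=10016 comm="updatedb" name=".mozilla" dev=dm-0 ino=2523578 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=colibri.localdomain type=AVC msg=audit(1229075951.100:60): avc:  denied  { search getattr } for  pid=10016 comm="updatedb" name=".gnome2" dev=dm-0 ino=2523600 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=colibri.localdomain type=AVC msg=audit(1229282833.000:70): avc:  denied  { name_connect } for  pid=2100 comm="dansguardian" dest=3128 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
node=colibri.localdomain type=SYSCALL msg=audit(1229075950.651:59): arch=40000003 syscall=5 success=yes exit=9 comm="updatedb" exe="/usr/bin/updatedb"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or "type=AVC" not in line:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: do not guess missing fields
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(text):
    """Group denials by (source type, target type, class) and tag each group."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["names"].add(rec.get("name", "<unknown>"))
    report = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        # unlabeled_t: the object carries no label valid under the loaded
        # policy, so look at labeling first; otherwise review domain/policy.
        action = "relabel" if ttype == "unlabeled_t" else "review-domain-or-policy"
        report.append({"source": stype, "target": ttype, "class": tclass,
                       "perms": sorted(g["perms"]), "names": sorted(g["names"]),
                       "action": action})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
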
Comment 1 Daniel Walsh 2008-12-12 09:35:02 EST
restorecon -R -v /home 

Should fix.

Not sure why this is mislabeled.
Comment 2 Luis Montalvo 2008-12-12 13:32:23 EST
Running the command "restorecon -R -v /home" changed nothing. The error messages are the same.
Comment 3 Daniel Walsh 2008-12-12 13:56:03 EST
OK, any chance this .mozilla is in /root?

restorecon -R -v /root
Comment 4 Luis Montalvo 2008-12-13 10:17:37 EST
I have tried "restorecon -R -v /root" and "restorecon -R -v /" and the result remains the same.
There is a .mozilla in /root and one in the /home/user directory.

In the following I include the output after running the command:

grep "SELinux is preventing" messages.

Begin{output}

Dec  7 19:24:23 colibri setroubleshoot: #012    SELinux is preventing the /usr/sbin/dansguardian from using potentially mislabeled files (<Unknown>).#012     For complete SELinux messages. run sealert -l a3122812-68aa-4166-9cf2-fc45994a6106
Dec  7 19:24:38 colibri setroubleshoot: #012    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /root/.config/gtk-2.0 (unlabeled_t).#012     For complete SELinux messages. run sealert -l 11f5b0d6-b4a1-4e3c-a033-0f5e266c6dee
Dec  7 19:24:38 colibri setroubleshoot: #012    SELinux is preventing /usr/bin/updatedb (locate_t) "search" to <Unknown> (unlabeled_t).#012     For complete SELinux messages. run sealert -l 4beb0b18-eca5-43fc-8774-dd7f2c6b9947
Dec  7 19:24:38 colibri setroubleshoot: #012    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /root/.gnome2/evince (unlabeled_t).#012     For complete SELinux messages. run sealert -l 4d090902-2f11-4b23-a864-f7e978af6750
Dec  7 19:24:39 colibri setroubleshoot: #012    SELinux is preventing /usr/bin/updatedb (locate_t) "getattr" to /root/.mozilla (unlabeled_t).#012     For complete SELinux messages. run sealert -l d1be3a4f-6bd5-42f9-924d-c24f1b8bec81
Dec  7 19:24:39 colibri setroubleshoot: #012    SELinux is preventing /usr/bin/updatedb (locate_t) "search" to <Unknown> (unlabeled_t).#012     For complete SELinux messages. run sealert -l 4beb0b18-eca5-43fc-8774-dd7f2c6b9947
Dec  7 19:24:39 colibri setroubleshoot: #012    SELinux is preventing /usr/bin/updatedb (locate_t) "read" to <Unknown> (unlabeled_t).#012     For complete SELinux messages. run sealert -l a2104272-1eb6-4140-945c-fb2dd05dd24d
Dec  7 19:25:27 colibri setroubleshoot: #012    SELinux is preventing /usr/sbin/dansguardian (logrotate_t) "accept" to <Unknown> (logrotate_t).#012     For complete SELinux messages. run sealert -l 61d2b980-d46c-4833-a905-ec6d3d066d4d
Dec  7 19:25:27 colibri setroubleshoot: #012    SELinux is preventing /usr/sbin/dansguardian (logrotate_t) "name_connect" to <Unknown> (http_cache_port_t).#012     For complete SELinux messages. run sealert -l 2792fe2b-0c40-4962-9b59-55bb303199ea
Dec  8 01:35:27 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.config/gtk-2.0 (unlabeled_t). For complete SELinux messages. run sealert -l 53e88238-e09e-43ce-ac10-542f1794967e
Dec  8 01:35:28 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "search" to ./.gnome2 (unlabeled_t). For complete SELinux messages. run sealert -l a4417bba-3d6d-45e5-b611-55c8b9dbb85b
Dec  8 01:35:29 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.gnome2/evince (unlabeled_t). For complete SELinux messages. run sealert -l 93a67646-4ef2-4cce-b3d9-7bbc37f6abec
Dec  8 01:35:30 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l 59e6a997-b683-4222-8bcc-ce7b21f2d4f9
Dec  8 01:35:31 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "search" to ./.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l df9d9342-18d7-4c97-962a-6027e2873702
Dec  8 01:35:32 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "read" to ./.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l 845561a1-9a2f-4bd0-a500-abb82572b140
Dec  9 05:53:59 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.config/gtk-2.0 (unlabeled_t). For complete SELinux messages. run sealert -l 53e88238-e09e-43ce-ac10-542f1794967e
Dec  9 05:54:00 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "search" to ./.gnome2 (unlabeled_t). For complete SELinux messages. run sealert -l a4417bba-3d6d-45e5-b611-55c8b9dbb85b
Dec  9 05:54:01 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.gnome2/evince (unlabeled_t). For complete SELinux messages. run sealert -l 93a67646-4ef2-4cce-b3d9-7bbc37f6abec
Dec  9 05:54:02 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l 59e6a997-b683-4222-8bcc-ce7b21f2d4f9
Dec  9 05:54:03 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "search" to ./.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l df9d9342-18d7-4c97-962a-6027e2873702
Dec  9 05:54:04 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "read" to ./.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l 845561a1-9a2f-4bd0-a500-abb82572b140
Dec 10 20:56:42 colibri setroubleshoot: SELinux is preventing the rm from using potentially mislabeled files (./mozilla). For complete SELinux messages. run sealert -l 6e8faea2-266f-478a-b263-8b4a48710099
Dec 12 10:59:10 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.gnome2 (unlabeled_t). For complete SELinux messages. run sealert -l 52af72ad-4ac7-43b5-ab5d-71ca4d303bbf
Dec 12 10:59:11 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "search" to ./.gnome2 (unlabeled_t). For complete SELinux messages. run sealert -l a4417bba-3d6d-45e5-b611-55c8b9dbb85b
Dec 12 10:59:11 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.gnome2/evince (unlabeled_t). For complete SELinux messages. run sealert -l a0421991-4567-408b-a6ec-3bfb86c15000
Dec 12 10:59:11 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "getattr" to /root/.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l 6af7e060-fedf-4a51-be3f-ceb934b6a90c
Dec 12 10:59:12 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "search" to ./.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l df9d9342-18d7-4c97-962a-6027e2873702
Dec 12 10:59:13 colibri setroubleshoot: SELinux is preventing updatedb (locate_t) "read" to ./.mozilla (unlabeled_t). For complete SELinux messages. run sealert -l 845561a1-9a2f-4bd0-a500-abb82572b140
Dec 13 11:27:47 colibri setroubleshoot: SELinux is preventing restorecon (setfiles_t) "net_admin" setfiles_t. For complete SELinux messages. run sealert -l d17e577f-13a0-49c5-8a71-71a90531b1db
End{output}
Comment 5 Daniel Walsh 2008-12-15 10:20:01 EST
Did anything change when you ran 

restorecon -R -v /root

?

I would remove the /root/.mozilla directory anyways. You should not be running firefox as root.
Comment 6 Luis Montalvo 2008-12-15 17:00:47 EST
I just found that after the migration from FC8 to FC10 my /etc/yum.repos.d/fedora.repo remained that of FC8 and that an /etc/yum.repos.d/fedora.repo.rpmnew was created for that of FC10. I did not realize this before. All other repository files (e.g. /etc/yum.repos.d/fedora-updates.repo) were correctly updated to those of FC10. I have manually fixed this now.
I have also removed the /root/.mozilla directory.

In the following the present output after running the command:

grep "SELinux is preventing" messages.

Begin{output}

Dec 14 13:25:57 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "accept" to <Unknown> (logrotate_t). For complete SELinux messages. run sealert -l b4d5731b-ef3b-44f4-9638-b9bf4b646a3f
Dec 14 13:27:13 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "name_connect" http_cache_port_t. For complete SELinux messages. run sealert -l 2c5b7259-7c31-4873-a5e8-882278eb3ba2
Dec 14 13:28:09 colibri setroubleshoot: SELinux is preventing the dansguardian from using potentially mislabeled files (.dguardianurlipc). For complete SELinux messages. run sealert -l 5c454e79-ed6e-4839-8749-c6fc0ddc3810
Dec 14 13:29:17 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "accept" to <Unknown> (logrotate_t). For complete SELinux messages. run sealert -l b4d5731b-ef3b-44f4-9638-b9bf4b646a3f
Dec 14 13:37:32 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "name_connect" http_cache_port_t. For complete SELinux messages. run sealert -l 2c5b7259-7c31-4873-a5e8-882278eb3ba2
Dec 14 13:37:46 colibri setroubleshoot: SELinux is preventing the dansguardian from using potentially mislabeled files (.dguardianurlipc). For complete SELinux messages. run sealert -l 5c454e79-ed6e-4839-8749-c6fc0ddc3810
Dec 14 13:41:53 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "accept" to <Unknown> (logrotate_t). For complete SELinux messages. run sealert -l b4d5731b-ef3b-44f4-9638-b9bf4b646a3f
Dec 14 13:43:04 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "name_connect" http_cache_port_t. For complete SELinux messages. run sealert -l 2c5b7259-7c31-4873-a5e8-882278eb3ba2
Dec 14 13:50:32 colibri setroubleshoot: SELinux is preventing the dansguardian from using potentially mislabeled files (.dguardianipc). For complete SELinux messages. run sealert -l a83805ed-75c1-481b-83fc-2eb07d0de1e0
Dec 14 14:10:53 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "accept" to <Unknown> (logrotate_t). For complete SELinux messages. run sealert -l b4d5731b-ef3b-44f4-9638-b9bf4b646a3f
Dec 14 14:33:17 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "name_connect" http_cache_port_t. For complete SELinux messages. run sealert -l 2c5b7259-7c31-4873-a5e8-882278eb3ba2
Dec 14 14:38:19 colibri setroubleshoot: SELinux is preventing the dansguardian from using potentially mislabeled files (.dguardianurlipc). For complete SELinux messages. run sealert -l 5c454e79-ed6e-4839-8749-c6fc0ddc3810
Dec 14 14:48:19 colibri setroubleshoot: SELinux is preventing dansguardian (logrotate_t) "accept" to <Unknown> (logrotate_t). For complete SELinux messages. run sealert -l b4d5731b-ef3b-44f4-9638-b9bf4b646a3f
Dec 14 14:49:38 colibri setroubleshoot: SELinux is preventing the squid daemon from connecting to network port 5349 For complete SELinux messages. run sealert -l 8a14c9e7-1492-4239-9b86-ed73ffa1115d
Dec 14 15:10:20 colibri setroubleshoot: SELinux is preventing the squid daemon from connecting to network port 14617 For complete SELinux messages. run sealert -l 8a14c9e7-1492-4239-9b86-ed73ffa1115d
Dec 14 17:45:14 colibri setroubleshoot: SELinux is preventing the nspluginscan from using potentially mislabeled files (libnpsoplugin.so). For complete SELinux messages. run sealert -l 3cf0baa8-bd5d-42c0-9188-0935632444f6
Dec 14 17:45:16 colibri setroubleshoot: SELinux is preventing the nspluginscan from using potentially mislabeled files (/home/luis/.mozilla/plugins/libnpsoplugin.so). For complete SELinux messages. run sealert -l 149d3c33-6847-412a-a151-6f3d1cbc6311
Dec 14 17:45:18 colibri setroubleshoot: SELinux is preventing the nspluginscan from using potentially mislabeled files (libnpsoplugin.so). For complete SELinux messages. run sealert -l 3cf0baa8-bd5d-42c0-9188-0935632444f6
Dec 14 17:45:19 colibri setroubleshoot: SELinux is preventing the nspluginscan from using potentially mislabeled files (/home/luis/.mozilla/plugins/libnpsoplugin.so). For complete SELinux messages. run sealert -l 149d3c33-6847-412a-a151-6f3d1cbc6311
Dec 15 21:19:18 colibri setroubleshoot: SELinux is preventing restorecon (setfiles_t) "net_admin" setfiles_t. For complete SELinux messages. run sealert -l d17e577f-13a0-49c5-8a71-71a90531b1db

End{output}
Comment 7 Daniel Walsh 2008-12-17 16:50:38 EST
Please attach /var/log/audit/audit.log (compressed.)
Comment 8 Luis Montalvo 2008-12-19 01:03:37 EST
Created attachment 327414
/var/log/audit/audit.log (compressed)
Comment 9 Daniel Walsh 2008-12-22 11:10:46 EST
So logrotate restarted or started a program called dansguardian?

Does this program have an init script?
Comment 10 Daniel Walsh 2008-12-22 11:13:53 EST
Make sure the init script is labeled correctly.

restorecon -R -v /etc
Comment 11 Luis Montalvo 2008-12-22 23:59:52 EST
The last updates of the selinux libraries and selinux targeted policy packages solved the problems. I have changed SELinux to enforcing mode now.
