Bug 476923 - (staff_u) SELinux is preventing the sh from using potentially mislabeled files (Projekty).
(staff_u) SELinux is preventing the sh from using potentially mislabeled file...
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan F. Chadima
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2008-12-17 19:23 EST by Matěj Cepl
Modified: 2009-10-15 10:39 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.5.13-35.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-10-15 10:39:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-12-17 19:23:14 EST
When trying to git push a file from ~/Projekty/greasemonkey to my other computer (using git's ssh:// method) I get this AVC denial.

[matej@viklef greasemonkey]$ ls -ld ~/Projekty
lrwxrwxrwx 1 matej matej 37 18. pro 01.20 /home/matej/Projekty -> /home/matej/archiv/programky/eclipse/
[matej@viklef greasemonkey]$ 

Isn't it too draconian not to allow any symlinks in ~/ ?

SELinux is preventing the sh from using potentially mislabeled files (Projekty).

Podrobný popis:

SELinux has denied sh access to potentially mislabeled file(s) (Projekty). This
means that SELinux will not allow sh to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Povolení přístupu:

If you want sh to access this files, you need to relabel them using restorecon
-v 'Projekty'. You might want to relabel the entire directory using restorecon
-R -v '<Unknown>'.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_ssh_t:SystemLow-SystemHigh
Kontext cíle                 staff_u:object_r:user_home_t
Objekty cíle                 Projekty [ lnk_file ]
Zdroj                         sh
Cesta zdroje                  /bin/bash
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          bash-3.2-29.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-34.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     home_tmp_bad_labels
Název počítače            viklef
Platforma                     Linux viklef #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Čt 18. prosinec 2008, 01:21:15 CET
Naposledy viděno             Čt 18. prosinec 2008, 01:21:15 CET
Místní ID                   60bc5d64-d86f-42ab-b437-3f8acd81404c
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1229559675.498:1447): avc:  denied  { read } for  pid=25712 comm="sh" name="Projekty" dev=dm-5 ino=6635819 scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=lnk_file

node=viklef type=SYSCALL msg=audit(1229559675.498:1447): arch=40000003 syscall=195 success=no exit=-13 a0=96dabe8 a1=bfcf9bf0 a2=762ff4 a3=0 items=0 ppid=25710 pid=25712 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="sh" exe="/bin/bash" subj=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-12-18 10:01:53 EST
If you put staff_ssh_t in permissive mode, does it actually try to read the file?
Comment 2 Matěj Cepl 2008-12-18 10:31:26 EST
I am probably dense, but I don't understand what you want me to do. Could you give me some commands to run or something?
Comment 3 Daniel Walsh 2008-12-18 10:36:52 EST
semanage permissive -a staff_ssh_t

Run you git test,

Collect avcs

semanage permissive -d staff_ssh_t
Comment 5 Daniel Walsh 2008-12-19 11:47:17 EST
Fixed in selinux-policy-3.5.13-35.fc10.src.rpm
Comment 6 Fedora Admin XMLRPC Client 2009-03-10 06:15:44 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Note You need to log in before you can comment on or make changes to this bug.