When trying to git push a file from ~/Projekty/greasemonkey to my other computer (using git's ssh:// method) I get this AVC denial.

[matej@viklef greasemonkey]$ ls -ld ~/Projekty
lrwxrwxrwx 1 matej matej 37 18. pro 01.20 /home/matej/Projekty -> /home/matej/archiv/programky/eclipse/
[matej@viklef greasemonkey]$

Isn't it too draconian not to allow any symlinks in ~/ ?

--------------------------------

SELinux is preventing the sh from using potentially mislabeled files (Projekty).

Podrobný popis:

SELinux has denied sh access to potentially mislabeled file(s) (Projekty). This means that SELinux will not allow sh to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Povolení přístupu:

If you want sh to access this files, you need to relabel them using restorecon -v 'Projekty'. You might want to relabel the entire directory using restorecon -R -v '<Unknown>'.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_ssh_t:SystemLow-SystemHigh
Kontext cíle                  staff_u:object_r:user_home_t
Objekty cíle                  Projekty [ lnk_file ]
Zdroj                         sh
Cesta zdroje                  /bin/bash
Port                          <Neznámé>
Počítač                       viklef
RPM balíčky zdroje            bash-3.2-29.fc10
RPM balíčky cíle
RPM politiky                  selinux-policy-3.5.13-34.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Enforcing
Název zásuvného modulu        home_tmp_bad_labels
Název počítače                viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec 1 22:42:50 EST 2008 i686 i686
Počet upozornění              1
Poprvé viděno                 Čt 18. prosinec 2008, 01:21:15 CET
Naposledy viděno              Čt 18. prosinec 2008, 01:21:15 CET
Místní ID                     60bc5d64-d86f-42ab-b437-3f8acd81404c
Čísla řádků

Původní zprávy auditu

node=viklef type=AVC msg=audit(1229559675.498:1447): avc: denied { read } for pid=25712 comm="sh" name="Projekty" dev=dm-5 ino=6635819 scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=lnk_file

node=viklef type=SYSCALL msg=audit(1229559675.498:1447): arch=40000003 syscall=195 success=no exit=-13 a0=96dabe8 a1=bfcf9bf0 a2=762ff4 a3=0 items=0 ppid=25710 pid=25712 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="sh" exe="/bin/bash" subj=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 key=(null)
If you put staff_ssh_t in permissive mode, does it actually try to read the file?
I am probably dense, but I don't understand what you want me to do. Could you give me some commands to run or something?
semanage permissive -a staff_ssh_t

Run your git test, collect avcs.

semanage permissive -d staff_ssh_t
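Added example, not part of the original report or of any commenter's post: one way to do the "collect avcs" step is to pair each AVC record with its SYSCALL record by audit serial and reduce it to source type, target type, class and permission. The function names parse_events and summarize are hypothetical; the sample input is the pair of audit records quoted in the report above.

```python
import re
from collections import defaultdict

# Audit records copied from the report above (one AVC and its SYSCALL record).
SAMPLE = """\
node=viklef type=AVC msg=audit(1229559675.498:1447): avc: denied { read } for pid=25712 comm="sh" name="Projekty" dev=dm-5 ino=6635819 scontext=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=lnk_file
node=viklef type=SYSCALL msg=audit(1229559675.498:1447): arch=40000003 syscall=195 success=no exit=-13 a0=96dabe8 a1=bfcf9bf0 a2=762ff4 a3=0 items=0 ppid=25710 pid=25712 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="sh" exe="/bin/bash" subj=staff_u:staff_r:staff_ssh_t:s0-s0:c0.c1023 key=(null)
"""

HEAD = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        head = HEAD.search(line)
        if not head:
            continue  # not an audit record
        rtype, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        denied = DENIED.search(line)
        if denied:
            fields["perms"] = denied.group(1).split()
        events[int(serial)][rtype] = fields
    return dict(events)

def summarize(events):
    """One row per denial, joined with the syscall that triggered it."""
    rows = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        rows.append({
            "serial": serial,
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "exe": sc.get("exe"),
            # Assumption: success=no with exit=-13 (EACCES) is read as the
            # denial being enforced; a permissive domain logs but proceeds.
            "enforced": sc.get("success") == "no" and sc.get("exit") == "-13",
        })
    return rows
```

Running summarize over the AVCs gathered while staff_ssh_t is permissive gives the list of accesses the domain actually attempts, which is what the question about the symlink read is asking for.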
Fixed in selinux-policy-3.5.13-35.fc10.src.rpm
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.