Bug 481499 - Summary: SELinux is preventing updatedb (locate_t) "getattr" to /home/rene/.fontconfig (unlabeled_t). Detailed Description: SELinux denied access requested by updatedb. /home/rene/.fontconfig may be a mislabeled. /home/rene/.fontconfig default SELinux
Summary: SELinux is preventing updatedb (locate_t) "getattr" to /home/rene/....
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2009-01-25 12:53 EST by rg_linux1
Modified: 2009-01-30 07:59 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-26 13:25:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description rg_linux1 2009-01-25 12:53:01 EST
Description of problem:

I get this same report very often in the "setroubleshoot browser" I did what the advise to do in their message but I get it back all the type. I would like to know what to do such tha I do not get that message all the time which occurs often if I am in Firefox Mozilla on the Web. 

Version-Release number of selected component (if applicable):

Fedora Core 10 kernel


SELinux is preventing updatedb (locate_t) "getattr" to /home/rene/.fontconfig

Detailed Description:

SELinux denied access requested by updatedb. /home/rene/.fontconfig may be a
mislabeled. /home/rene/.fontconfig default SELinux type is fonts_config_home_t,
but its current type is unlabeled_t. Changing this file back to the default
type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creates a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/home/rene/.fontconfig', if this file is a
directory, you can recursively restore using restorecon -R

Fix Command:

restorecon '/home/rene/.fontconfig'

Additional Information:

Source Context                system_u:system_r:locate_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /home/rene/.fontconfig [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mlocate-0.21.1-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 athlon
Alert Count                   36
First Seen                    Fri 12 Dec 2008 06:17:17 PM EST
Last Seen                     Sun 25 Jan 2009 09:32:48 AM EST
Local ID                      5c23640b-ad42-4422-82fc-6d43f0d2606b
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1232893968.819:21): avc:  denied  { getattr } for  pid=3924 comm="updatedb" path="/home/rene/.fontconfig" dev=dm-0 ino=36929607 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1232893968.819:21): arch=40000003 syscall=196 success=no exit=-13 a0=93e80cd a1=bfbc5888 a2=5fcff4 a3=93e80cd items=0 ppid=3918 pid=3924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-01-26 13:25:36 EST
Please update to the latest policy, and restorecon on your home dir

restorecon -R -v /home
Comment 2 rg_linux1 2009-01-27 21:43:40 EST
Please explain what you mean by "Please update to the latest policy". I am sorry but I am not very familiar with this aspect of Linux. This is why I am asking the question. However, I applied the command you indicated.

Comment 3 Daniel Walsh 2009-01-30 07:59:24 EST
Use the package kit software update tools to download the latest packages.

Or as root, execute

yum upgrade

Note You need to log in before you can comment on or make changes to this bug.