Summary: SELinux is preventing restorecon (setfiles_t) "write" access to /home/simon/.xsession-errors (user_home_t).

Detailed Description: SELinux denied access requested by restorecon. /home/simon/.xsession-errors may be mislabeled. /home/simon/.xsession-errors default SELinux type is xdm_home_t, but its current type is user_home_t. Changing this file back to the default type may fix your problem. File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent directory by default.
* The SELinux policy might override the default label inherited from the parent directory by specifying that a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance, but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon or restorecon.
This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access: You can restore the default file context for this file by executing the restorecon command: restorecon '/home/simon/.xsession-errors'. If this file is a directory, you can also do it recursively with restorecon -R '/home/simon/.xsession-errors'.
Fix Command: restorecon '/home/simon/.xsession-errors'

Additional Information:
Source Context: unconfined_u:system_r:setfiles_t:s0
Target Context: unconfined_u:object_r:user_home_t:s0
Target Objects: /home/simon/.xsession-errors [ file ]
Source: setfiles
Source Path: /sbin/setfiles
Port: <Unknown>
Host: hp550-01
Source RPM Packages: policycoreutils-2.0.57-17.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-47.fc10
SELinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: restorecon
Host Name: hp550-01
Platform: Linux hp550-01 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count: 3
First Seen: Tue 17 Mar 2009 20:15:24 CET
Last Seen: Tue 17 Mar 2009 20:15:25 CET
Local ID: d08b1924-a7c9-4ef7-8767-f327bfd25e27
Line Numbers:

Raw Audit Messages:
node=hp550-01 type=AVC msg=audit(1237317325.828:35): avc: denied { write } for pid=3640 comm="restorecon" path="/home/simon/.xsession-errors" dev=sda8 ino=3620872 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
node=hp550-01 type=SYSCALL msg=audit(1237317325.828:35): arch=c000003e syscall=59 success=yes exit=0 a0=13d64e0 a1=13d4720 a2=13d4c60 a3=0 items=0 ppid=3564 pid=3640 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0 key=(null)
restorecon -R -v /home/simon/.xsession-errors

Somehow this file got created with the wrong label. The message told you to do this and would have eliminated all of these bugzillas.
Hello Daniel

Thanks for your suggestion, if only it were so simple... This bug seems to be an endless loop - the restorecon command immediately forces a further AVC access denial. Perhaps you can give me a tip as to what I am doing wrong - in the terminal I used the following commands:

bash-3.2$ su -
Passwort:
[root@hp550-01 ~]# restorecon -R -v /home/simon/.xsession-errors
[root@hp550-01 ~]#

The following AVC access denial is issued:

Summary: SELinux is preventing restorecon from using potentially mislabeled files (/tmp/kde-simon/konsoleTw2863.tmp).

Detailed Description: SELinux has denied restorecon access to potentially mislabeled files (/tmp/kde-simon/konsoleTw2863.tmp). This means that SELinux will not allow restorecon to use these files. It is common for users to edit files in their home directory or in temporary directories and then move (mv) them to system directories. The problem is that they end up there with a file context that certain applications are not allowed to access.

Allowing Access: If you want restorecon to access these files, you need to relabel them with restorecon -v /tmp/kde-simon/konsoleTw2863.tmp. You can also relabel the entire directory at once with restorecon -R -v /tmp/kde-simon.
Additional Information:
Source Context: unconfined_u:unconfined_r:setfiles_t:s0
Target Context: unconfined_u:object_r:user_tmp_t:s0
Target Objects: /tmp/kde-simon/konsoleTw2863.tmp [ file ]
Source: restorecon
Source Path: /sbin/setfiles
Port: <Unknown>
Host: hp550-01
Source RPM Packages: policycoreutils-2.0.57-17.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-48.fc10
SELinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: home_tmp_bad_labels
Host Name: hp550-01
Platform: Linux hp550-01 2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Alert Count: 1
First Seen: Wed 18 Mar 2009 19:56:46 CET
Last Seen: Wed 18 Mar 2009 19:56:46 CET
Local ID: 0f4ce6df-3ed5-4c14-925e-d4404b7da35a
Line Numbers:

Raw Audit Messages:
node=hp550-01 type=AVC msg=audit(1237402606.616:16): avc: denied { read } for pid=2908 comm="restorecon" path="/tmp/kde-simon/konsoleTw2863.tmp" dev=sda6 ino=377357 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
node=hp550-01 type=AVC msg=audit(1237402606.616:16): avc: denied { read } for pid=2908 comm="restorecon" path="/tmp/kde-simon/konsoledT2863.tmp" dev=sda6 ino=377358 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
node=hp550-01 type=SYSCALL msg=audit(1237402606.616:16): arch=c000003e syscall=59 success=yes exit=0 a0=26367a0 a1=2628420 a2=2635fe0 a3=7fffabb73220 items=0 ppid=2875 pid=2908 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0 key=(null)

Best regards, Simon.
Which we covered in another bug. The file should now be labeled xdm_home_t which will eliminate all the avc's about writing to user_home_t. The kde leaked file descriptor will be there until they fix their code. You can allow this rule for now by executing

# grep user_tmp_t /var/log/audit/audit.log | audit2allow -M kdebroke
# semodule -i kdebroke.pp
Hello Daniel Many thanks for the quick responses. Simon
Did the labeling on the .xsession-errors file change to xdm_home_t? If yes then this bug should be closed.
Hello Daniel

Sorry I have only been using Fedora 10 for one week - please can you give me a tip as to how to check the labelling? For the previous 9 years I have been using openSUSE (all versions from 10.0 to 11.0). I did try the 64-bit version of openSUSE 11.1 but it proved to be very unstable, especially as I started adding the necessary drivers. I'm pleased I switched to Fedora 10. It appears to be rock-solid. Already I can use the notebook as a PVR recording from DVB-T. And with your and your colleagues' help I have managed to install the necessary drivers that I need.

Regards, Simon
There is a user guide on how to handle SELinux in Fedora 10: http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/

Example of how to check the labeling of .xsession-errors:

# ls -Z ~/.xsession-errors
system_u:object_r:xdm_home_t:s0 /home/mgrepl/.xsession-errors

For your information, you can get the default SELinux security context with:

# matchpathcon ~/.xsession-errors
/home/mgrepl/.xsession-errors system_u:object_r:xdm_home_t:s0
Great to hear, you like F10. I am closing this bug for now. If you have any repeated problems, please reopen.
Hello Daniel

Yes, by all means close the bug - my notebook is working perfectly under F10. Here's the output from the two commands you suggested:

bash-3.2$ ls -Z ~/.xsession-errors
-rw------- simon simon system_u:object_r:xdm_home_t:s0 /home/simon/.xsession-errors
bash-3.2$ system_u:object_r:xdm_home_t:s0 /home/mgrepl/.xsession-errors
bash: system_u:object_r:xdm_home_t:s0: command not found
bash-3.2$ matchpathcon ~/.xsession-errors
/home/simon/.xsession-errors system_u:object_r:xdm_home_t:s0
bash-3.2$ /home/mgrepl/.xsession-errors system_u:object_r:xdm_home_t:s0

Best regards, Simon
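As an added example, not part of this bug thread and not code from policycoreutils, setroubleshoot or audit2allow, the Python script below does in code what the thread walks through by hand: it parses the raw AVC records from Simon's two reports, takes the policy default for the path from the matchpathcon output Simon pasted, checks the ls -Z label against that default the way mgrepl described, classifies each denial as "mislabel" (restorecon is the fix, as in Daniel's first reply) or "policy" (the object is already labelled correctly, so relabelling cannot help, which is the leaked-descriptor case), and for the "policy" ones prints the type-level allow rule an audit2allow module such as the kdebroke.pp Daniel mentioned would grant. All input is embedded inline: the audit, ls -Z and matchpathcon lines are copied from the thread, the ls -Z line carrying the old user_home_t label is constructed to show the pre-restorecon state, and the function names and the mislabel/policy heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Raw audit records copied from the two setroubleshoot reports in this thread;
# the SYSCALL record is included to show that non-AVC records are skipped.
AUDIT_LOG = """\
node=hp550-01 type=AVC msg=audit(1237317325.828:35): avc: denied { write } for pid=3640 comm="restorecon" path="/home/simon/.xsession-errors" dev=sda8 ino=3620872 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
node=hp550-01 type=SYSCALL msg=audit(1237317325.828:35): arch=c000003e syscall=59 success=yes exit=0 comm="restorecon" exe="/sbin/setfiles"
node=hp550-01 type=AVC msg=audit(1237402606.616:16): avc: denied { read } for pid=2908 comm="restorecon" path="/tmp/kde-simon/konsoleTw2863.tmp" dev=sda6 ino=377357 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
node=hp550-01 type=AVC msg=audit(1237402606.616:16): avc: denied { read } for pid=2908 comm="restorecon" path="/tmp/kde-simon/konsoledT2863.tmp" dev=sda6 ino=377358 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

# `matchpathcon` output as Simon pasted it (the policy default for the path).
MATCHPATHCON_OUT = "/home/simon/.xsession-errors system_u:object_r:xdm_home_t:s0\n"
# `ls -Z` output as Simon pasted it after restorecon, and a constructed line
# showing the same file with the wrong label it carried before restorecon.
LS_Z_AFTER = "-rw------- simon simon system_u:object_r:xdm_home_t:s0 /home/simon/.xsession-errors"
LS_Z_BEFORE = "-rw------- simon simon unconfined_u:object_r:user_home_t:s0 /home/simon/.xsession-errors"

# path= is optional because some AVC records carry name= instead of a full path.
AVC_RE = re.compile(
    r'type=AVC .*?avc: denied \{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'(?: path="(?P<path>[^"]*)")?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Type field of a SELinux context (user:role:type[:range]). The MLS range can
    itself contain colons, so take index 2 rather than the last field."""
    return ctx.split(":")[2]


def file_context(line):
    """Pick the file context out of an `ls -Z` or `matchpathcon` line. Column layout
    differs between releases, so find the token by its object_r role, not by position."""
    for tok in line.split():
        if ":object_r:" in tok:
            return tok
    raise ValueError(f"no file context in: {line!r}")


def defaults_from_matchpathcon(text):
    """Map path -> default type from `matchpathcon` output ('path context' per line)."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            out[line.split()[0]] = context_type(file_context(line))
    return out


def label_matches_default(ls_z_line, matchpathcon_line):
    """The check mgrepl described: is the on-disk type the policy default?"""
    return context_type(file_context(ls_z_line)) == context_type(file_context(matchpathcon_line))


def parse_avc_denials(log_text):
    """Extract every AVC denial as a dict with perms, comm, path, contexts and types."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = sorted(d["perms"].split())
        d["stype"] = context_type(d["scontext"])
        d["ttype"] = context_type(d["tcontext"])
        denials.append(d)
    return denials


def classify(denial, defaults):
    """'mislabel' when the target's current type differs from its known default
    (restorecon fixes it, no policy change needed); 'policy' when the object is
    already labelled correctly, so relabelling cannot help and the policy or the
    application (here the descriptor KDE leaked into restorecon) must be looked at."""
    expected = defaults.get(denial.get("path"))
    if expected is not None and expected != denial["ttype"]:
        return "mislabel"
    return "policy"


def summarize_rules(denials):
    """Collapse denials into type-level allow rules the way audit2allow does, so the
    exact grant a local module would add is visible before it is loaded."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    defaults = defaults_from_matchpathcon(MATCHPATHCON_OUT)
    print("label correct before restorecon:", label_matches_default(LS_Z_BEFORE, MATCHPATHCON_OUT))
    print("label correct after restorecon: ", label_matches_default(LS_Z_AFTER, MATCHPATHCON_OUT))
    denials = parse_avc_denials(AUDIT_LOG)
    for d in denials:
        print(f"{d['comm']} {d['perms']} {d['path']} ({d['ttype']}) -> {classify(d, defaults)}")
    print("\n".join(summarize_rules([d for d in denials if classify(d, defaults) == "policy"])))
```

On a live host the same functions take the real `grep avc /var/log/audit/audit.log`, `ls -Z` and `matchpathcon` output; the point of splitting the denials into the two classes is that only the "policy" class should ever reach `audit2allow`, since writing an allow rule for a mislabeled file would permanently widen the policy to cover a condition that `restorecon` removes in one command.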