Bug 490746 - SELinux hindert restorecon (setfiles_t) "write" am Zugriff auf /home/simon/.xsession-errors (user_home_t).
SELinux hindert restorecon (setfiles_t) "write" am Zugriff auf /home/simon/.x...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
low Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2009-03-17 15:52 EDT by Simon Lewis
Modified: 2009-03-23 14:57 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-03-23 13:36:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Simon Lewis 2009-03-17 15:52:11 EDT

SELinux hindert restorecon (setfiles_t) "write" am Zugriff auf
/home/simon/.xsession-errors (user_home_t).

Detaillierte Beschreibung:

SELinux denied access requested by restorecon. /home/simon/.xsession-errors may
be a mislabeled. /home/simon/.xsession-errors default SELinux type is xdm_home_t,
but its current type is user_home_t. Changing this file back to the default
type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creates a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Zugriff erlauben:

Sie können den Standarddateikontext für diese Datei wiederherstellen durch die
Ausführung des restorecon-Befehls. restorecon '/home/simon/.xsession-errors',
wenn diese Datei ein Verzeichnis ist, Sie können es auch rekursiv machen durch
restorecon -R '/home/simon/.xsession-errors'.

Fixer Befehl:

restorecon '/home/simon/.xsession-errors'

Zusätzliche Informationen:

Quellkontext                  unconfined_u:system_r:setfiles_t:s0
Zielkontext                   unconfined_u:object_r:user_home_t:s0
Zielobjekte                   /home/simon/.xsession-errors [ file ]
Quelle                        setfiles
Quellen-Pfad                  /sbin/setfiles
Port                          <Unbekannt>
Host                          hp550-01
Quellen-RPM-Pakete            policycoreutils-2.0.57-17.fc10
RPM-Richtlinie                selinux-policy-3.5.13-47.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   restorecon
Hostname                      hp550-01
Plattform                     Linux hp550-01 #1
                              SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Di 17 Mär 2009 20:15:24 CET
Zuletzt gesehen               Di 17 Mär 2009 20:15:25 CET
Lokale ID                     d08b1924-a7c9-4ef7-8767-f327bfd25e27


node=hp550-01 type=AVC msg=audit(1237317325.828:35): avc:  denied  { write } for  pid=3640 comm="restorecon" path="/home/simon/.xsession-errors" dev=sda8 ino=3620872 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=hp550-01 type=SYSCALL msg=audit(1237317325.828:35): arch=c000003e syscall=59 success=yes exit=0 a0=13d64e0 a1=13d4720 a2=13d4c60 a3=0 items=0 ppid=3564 pid=3640 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-03-18 09:13:45 EDT
restorecon -R -v /home/simon/.xsession-errors

Some how this file got created with the wrong label.

The message told you to do this and would have eliminated all of these bugzillas.
Comment 2 Simon Lewis 2009-03-18 15:15:00 EDT
Hallo Daniel

Thanks for your suggestion, if only it were so simple...

This bug seems to be an end-less loop - the restorecon command immediately forces a further an AVC-Access-Denial.

Perhaps you can give me a tip as to what I am doing wrong - in the terminal I used the the following commands:

bash-3.2$ su -
[root@hp550-01 ~]# restorecon -R -v /home/simon/.xsession-errors
[root@hp550-01 ~]#

The following AVC-Access-Denial is issued:


SELinux hindert den restorecon daran, evtl. falsch gekennzeichnete Dateien zu
verwenden (/tmp/kde-simon/konsoleTw2863.tmp).

Detaillierte Beschreibung:

SELinux verweigerte restorecon den Zugriff auf potentiell falsch gekennzeichnete
Dateien (/tmp/kde-simon/konsoleTw2863.tmp). Dies bedeutet, dass SELinux
restorecon die Verwendung dieser Dateien untersagt. Es ist üblich, dass
Benutzer Dateien in Ihrem Benutzerverzeichnis oder in temporären Verzeichnissen
editieren und dann in Systemverzeichnisse verschieben (mv). Das Problem ist,
dass diese dort mit einem Dateikontext abgelegt werden, auf den bestimmte
Anwendungen nicht zugreifen dürfen.

Zugriff erlauben:

Wenn Sie restorecon den Zugriff auf diese Dateien erlauben möchten, müssen Sie
diese mit restorecon -v /tmp/kde-simon/konsoleTw2863.tmp neu kennzeichnen. Sie
können auch gleich das ganze Verzeichnis mit restorecon -R -v /tmp/kde-simon
neu kennzeichnen.

Zusätzliche Informationen:

Quellkontext                  unconfined_u:unconfined_r:setfiles_t:s0
Zielkontext                   unconfined_u:object_r:user_tmp_t:s0
Zielobjekte                   /tmp/kde-simon/konsoleTw2863.tmp [ file ]
Quelle                        restorecon
Quellen-Pfad                  /sbin/setfiles
Port                          <Unbekannt>
Host                          hp550-01
Quellen-RPM-Pakete            policycoreutils-2.0.57-17.fc10
RPM-Richtlinie                selinux-policy-3.5.13-48.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   home_tmp_bad_labels
Hostname                      hp550-01
Plattform                     Linux hp550-01 #1
                              SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Anzahl der Alarme             1
Zuerst gesehen                Mi 18 Mär 2009 19:56:46 CET
Zuletzt gesehen               Mi 18 Mär 2009 19:56:46 CET
Lokale ID                     0f4ce6df-3ed5-4c14-925e-d4404b7da35a


node=hp550-01 type=AVC msg=audit(1237402606.616:16): avc:  denied  { read } for  pid=2908 comm="restorecon" path="/tmp/kde-simon/konsoleTw2863.tmp" dev=sda6 ino=377357 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=hp550-01 type=AVC msg=audit(1237402606.616:16): avc:  denied  { read } for  pid=2908 comm="restorecon" path="/tmp/kde-simon/konsoledT2863.tmp" dev=sda6 ino=377358 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=hp550-01 type=SYSCALL msg=audit(1237402606.616:16): arch=c000003e syscall=59 success=yes exit=0 a0=26367a0 a1=2628420 a2=2635fe0 a3=7fffabb73220 items=0 ppid=2875 pid=2908 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0 key=(null)

Best regards, Simon.
Comment 3 Daniel Walsh 2009-03-18 15:32:41 EDT
Which we covered in another bug. 

The file should now be labeled

xdm_home_t which will eliminate all the avc's about writing to user_home_t.

The kde leaked file descriptor will be there until they fix their code.

You can allow this rule for now by executing

# grep user_tmp_t /var/log/audit/audit.log | audit2allow -M kdebroke
# semodule -i kdebroke.pp
Comment 4 Simon Lewis 2009-03-19 02:34:45 EDT
Hello Daniel

Many thanks for the quick responses.

Comment 5 Daniel Walsh 2009-03-19 09:09:06 EDT
Did the labeling on the .xsession-errors file change to xdm_home_t?  If yes then this bug should be closed.
Comment 6 Simon Lewis 2009-03-19 14:25:01 EDT
Hello Daniel

Sorry I have only been using Fedora 10 for one week - please can you give me a tip as to how to check the labelling?

For the previous 9 years I have been using openSUSE (all version from 10.0 to 11.0). I did try the 64-bit version of openSUSE 11.1 but it proved to be very unstable, especially as I stated added the necessary drivers.

I'm pleased I switched to Fedora 10. It appears to be rock-solid. Already I can use the notebook as a PVR recording from DVB-T. And with your and your colleagues help I have managed to install the necessary drivers that I need.

Regards, Simon
Comment 7 Miroslav Grepl 2009-03-23 09:11:05 EDT
There is user guide how to handle SELinux in Fedora 10:

Example how to check labeling of .xsession-errors:
# ls -Z ~/.xsession-errors
system_u:object_r:xdm_home_t:s0  /home/mgrepl/.xsession-errors

For your information you can get the default SELinux security context:
# matchpathcon ~/.xsession-errors
/home/mgrepl/.xsession-errors	system_u:object_r:xdm_home_t:s0
Comment 8 Daniel Walsh 2009-03-23 13:36:02 EDT
Great to hear, you like F10.  I am closing this bug for now.  If you have any repeated problems, please reopen.
Comment 9 Simon Lewis 2009-03-23 14:57:13 EDT
Hello Daniel

Yes, by all means close the bug - my notebook is working perfectly under F10

Hears the output from the two commands you suggested:

bash-3.2$ ls -Z ~/.xsession-errors
-rw-------  simon simon system_u:object_r:xdm_home_t:s0  /home/simon/.xsession-errors
bash-3.2$ system_u:object_r:xdm_home_t:s0  /home/mgrepl/.xsession-errors
bash: system_u:object_r:xdm_home_t:s0: command not found

bash-3.2$ matchpathcon ~/.xsession-errors
/home/simon/.xsession-errors    system_u:object_r:xdm_home_t:s0
bash-3.2$ /home/mgrepl/.xsession-errors system_u:object_r:xdm_home_t:s0

Best regards, Simon

Note You need to log in before you can comment on or make changes to this bug.