Bug 490749 - SELinux hindert load_policy (load_policy_t) "write" am Zugriff auf /home/simon/.xsession-errors (user_home_t).
SELinux hindert load_policy (load_policy_t) "write" am Zugriff auf /home/simo...
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
x86_64 Linux
low Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-17 15:54 EDT by Simon Lewis
Modified: 2009-03-18 09:14 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-18 09:14:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Simon Lewis 2009-03-17 15:54:32 EDT
Zusammenfassung:

SELinux hindert load_policy (load_policy_t) "write" am Zugriff auf
/home/simon/.xsession-errors (user_home_t).

Detaillierte Beschreibung:

SELinux denied access requested by load_policy. /home/simon/.xsession-errors may
be a mislabeled. /home/simon/.xsession-errors default SELinux type is xdm_home_t,
but its current type is user_home_t. Changing this file back to the default
type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creates a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Zugriff erlauben:

Sie können den Standarddateikontext für diese Datei wiederherstellen durch die
Ausführung des restorecon-Befehls. restorecon '/home/simon/.xsession-errors',
wenn diese Datei ein Verzeichnis ist, Sie können es auch rekursiv machen durch
restorecon -R '/home/simon/.xsession-errors'.

Fixer Befehl:

restorecon '/home/simon/.xsession-errors'

Zusätzliche Informationen:

Quellkontext                  unconfined_u:system_r:load_policy_t:s0
Zielkontext                   unconfined_u:object_r:user_home_t:s0
Zielobjekte                   /home/simon/.xsession-errors [ file ]
Quelle                        load_policy
Quellen-Pfad                  /usr/sbin/load_policy
Port                          <Unbekannt>
Host                          hp550-01
Quellen-RPM-Pakete            policycoreutils-2.0.57-17.fc10
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.5.13-47.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   restorecon
Hostname                      hp550-01
Plattform                     Linux hp550-01 2.6.27.19-170.2.35.fc10.x86_64 #1
                              SMP Mon Feb 23 13:00:23 EST 2009 x86_64 x86_64
Anzahl der Alarme             1
Zuerst gesehen                Di 17 Mär 2009 20:15:24 CET
Zuletzt gesehen               Di 17 Mär 2009 20:15:24 CET
Lokale ID                     9612e364-b649-4382-ade1-8348f517ac86
Zeilennummern                 

Raw-Audit-Meldungen           

node=hp550-01 type=AVC msg=audit(1237317324.151:30): avc:  denied  { write } for  pid=3573 comm="load_policy" path="/home/simon/.xsession-errors" dev=sda8 ino=3620872 scontext=unconfined_u:system_r:load_policy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=hp550-01 type=AVC msg=audit(1237317324.151:30): avc:  denied  { write } for  pid=3573 comm="load_policy" path="/home/simon/.xsession-errors" dev=sda8 ino=3620872 scontext=unconfined_u:system_r:load_policy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=hp550-01 type=SYSCALL msg=audit(1237317324.151:30): arch=c000003e syscall=59 success=yes exit=0 a0=23b1b90 a1=7fe0b8f70fa0 a2=0 a3=7fffc5ddd000 items=0 ppid=3571 pid=3573 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:system_r:load_policy_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-03-18 09:14:55 EDT
restorecon -R -v /home/simon/.xsession-errors

Some how this file got created with the wrong label.

The message told you to do this and would have eliminated all of these bugzillas.

Note You need to log in before you can comment on or make changes to this bug.