Description of problem: SELinux is preventing fprintd (fprintd_t) "read" to / (usbfs_t) Version-Release number of selected component (if applicable): [root@localhost ~]# rpm -qa | grep selinux | sort libselinux-2.0.80-1.fc11.i586 libselinux-devel-2.0.80-1.fc11.i586 libselinux-python-2.0.80-1.fc11.i586 libselinux-utils-2.0.80-1.fc11.i586 selinux-policy-3.6.12-39.fc11.noarch selinux-policy-targeted-3.6.12-39.fc11.noarch I installed a Fedora 11 xen guest on RHEL5.4 beta (I don't see how that could be the problem) with default package selection. After running the guest for less than 10 minutes I saw two of these AVCs. I'm marking this as a blocker based on https://fedoraproject.org/wiki/QA/ReleaseCriteria#Sanity Summary: SELinux is preventing fprintd (fprintd_t) "read" to / (usbfs_t). Detailed Description: SELinux denied access requested by fprintd. / may be a mislabeled. / default SELinux type is root_t, but its current type is usbfs_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creates a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/', if this file is a directory, you can recursively restore using restorecon -R '/'. Fix Command: restorecon '/' Additional Information: Source Context system_u:system_r:fprintd_t:s0-s0:c0.c1023 Target Context system_u:object_r:usbfs_t:s0 Target Objects / [ dir ] Source fprintd Source Path /usr/libexec/fprintd Port <Unknown> Host localhost.localdomain Source RPM Packages fprintd-0.1-9.git04fd09cfa.fc11 Target RPM Packages filesystem-2.4.21-1.fc11 Policy RPM selinux-policy-3.6.12-39.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name restorecon Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.29.3-155.fc11.i686.PAE #1 SMP Wed May 20 17:31:09 EDT 2009 i686 i686 Alert Count 2 First Seen Tue 26 May 2009 07:27:01 PM PDT Last Seen Tue 26 May 2009 07:27:01 PM PDT Local ID b56c33ba-423f-43b4-b922-db0a71035665 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1243391221.50:36396): avc: denied { read } for pid=2037 comm="fprintd" name="/" dev=usbfs ino=1964 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir node=localhost.localdomain type=AVC msg=audit(1243391221.50:36396): avc: denied { open } for pid=2037 comm="fprintd" name="/" dev=usbfs ino=1964 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir node=localhost.localdomain type=SYSCALL msg=audit(1243391221.50:36396): arch=40000003 syscall=5 success=yes exit=3 a0=13882f a1=98800 a2=13b470 a3=8706f18 items=0 ppid=2036 pid=2037 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
Could you run this command on your guest find / -printf "%P %Z\n" | grep usbfs_t TO find out where the usbfs_t directory is.
Fixed in selinux-policy-3.6.12-43.fc11.noarch Although I would still like to see the output of the command above.
(In reply to comment #1) > Could you run this command on your guest > > find / -printf "%P %Z\n" | grep usbfs_t > > TO find out where the usbfs_t directory is. proc/bus/usb system_u:object_r:usbfs_t:s0
still seeing with today's rawhide and a fresh install of RC2 on a paravirt guest
Which policy package are you installing? Could you try the latest in Koji?
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping