Bug 524464 - setroubleshoot: SELinux is preventing the /bin/cp from using potentially mislabeled files (vboxadd-Module.symvers).
Summary: setroubleshoot: SELinux is preventing the /bin/cp from using potentially...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:0ca1387ddb5...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-20 15:05 UTC by Fredrik Duprez
Modified: 2009-09-21 12:17 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-21 12:17:37 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Fredrik Duprez 2009-09-20 15:05:33 UTC 
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing the /bin/cp from using potentially mislabeled files
(vboxadd-Module.symvers).

Detailed Description:

[cp has a permissive type (initrc_t). This access was not denied.]

SELinux has denied cp access to potentially mislabeled file(s)
(vboxadd-Module.symvers). This means that SELinux will not allow cp to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want cp to access this files, you need to relabel them using restorecon
-v 'vboxadd-Module.symvers'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:system_r:initrc_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                vboxadd-Module.symvers [ file ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-7.5-6.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.31-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.204.rc9.fc12.i686 #1 SMP
                              Sat Sep 5 21:01:10 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Sat 12 Sep 2009 05:00:34 PM CEST
Last Seen                     Sat 12 Sep 2009 05:00:34 PM CEST
Local ID                      275e8f6a-328b-4ebd-a5c6-fdf9829c1ace
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252767634.128:108): avc:  denied  { write } for  pid=18449 comm="cp" name="vboxadd-Module.symvers" dev=dm-0 ino=87425 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1252767634.128:108): arch=40000003 syscall=5 success=yes exit=4 a0=bfe9d913 a1=8201 a2=0 a3=1a4 items=0 ppid=18448 pid=18449 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:initrc_t:s0 key=(null)


audit2allow suggests:

#============= initrc_t ==============
allow initrc_t user_tmp_t:file write;
Comment 1 Daniel Walsh 2009-09-21 12:17:37 UTC 
Fixed in latest policy.  Please yum update.
Note You need to log in before you can comment on or make changes to this bug.