Bug 537613 (file_t) - SELinux is preventing access to files with the label, file_t.
Summary: SELinux is preventing access to files with the label, file_t.
Keywords:
Status: CLOSED CANTFIX
Alias: file_t
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:59ed9543ad3...
Duplicates: 537614 538012 538796 539306 539550 539552 539587 540562 540976 540977 540989 543464 543466 544178 544324 544492 544541 544578 544712 544797 544798 544800 544903 544998 544999 545483 545484 545485 545487 545654 545749 548748 548749 548823 549094 549340 553597 558823 563239 573491 581014 648588 699671 790574 790575 790576 798744
Depends On:
Blocks:
Reported: 2009-11-15 02:16 UTC by Gleb Sharkunov
Modified: 2012-07-20 11:31 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-11-16 15:26:22 UTC
Type: ---
Embargoed:



Description Gleb Sharkunov 2009-11-15 02:16:30 UTC
Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
file system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                .dmrc [ file ]
Source                        kdm
Source Path                   /usr/bin/kdm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdm-4.3.2-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686.PAE #1
                              SMP Sat Nov 7 21:25:57 EST 2009 i686 athlon
Alert Count                   2
First Seen                    Sun 15 Nov 2009 04:14:16 AM EET
Last Seen                     Sun 15 Nov 2009 04:14:22 AM EET
Local ID                      55ff6fdf-3228-49f3-813f-aff1394cec5c
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258251262.363:27874): avc:  denied  { read } for  pid=1505 comm="kdm" name=".dmrc" dev=sda2 ino=119 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258251262.363:27874): arch=40000003 syscall=5 success=no exit=-13 a0=8065dbb a1=8800 a2=0 a3=1 items=0 ppid=1475 pid=1505 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kdm" exe="/usr/bin/kdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,file,kdm,xdm_t,file_t,file,read
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t file_t:file read;

Comment 1 Daniel Walsh 2009-11-16 15:26:22 UTC
Either your entire system is badly mislabeled, in which case you need to do as the setroubleshoot suggests, or you have attached a home dir from a machine without SELinux support and you need to put labels on it.

restorecon -R -v /home

Should fix.

Either way you need to fix the labels.
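
An added example, not part of the original thread or of setroubleshoot: a small triage script for the case above, where audit2allow proposes `allow xdm_t file_t:file read;` but the fix is relabeling. It separates AVC denials whose target carries an unlabeled type from ordinary policy denials; the function names and the second sample record are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the AVC record from this report; line 2 is a
# constructed denial on a properly labeled object, for contrast.
SAMPLE_AUDIT = '''\
node=(removed) type=AVC msg=audit(1258251262.363:27874): avc:  denied  { read } for  pid=1505 comm="kdm" name=".dmrc" dev=sda2 ino=119 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1258251300.100:27901): avc:  denied  { write } for  pid=2001 comm="httpd" name="upload" dev=sda2 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
'''

# file_t is the type named in this report; unlabeled_t is the type policy
# assigns to the kernel's "unlabeled" initial SID.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    """Extract the type, the third field of user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(audit_text):
    """Split denials into (unlabeled targets per device, policy denials)."""
    relabel = defaultdict(set)  # dev -> {(name, inode)} that need labels
    policy = []                 # (source type, target type, class, perms)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "tcontext" not in rec:
            continue
        ttype = context_type(rec["tcontext"])
        if ttype in UNLABELED_TYPES:
            relabel[rec.get("dev", "?")].add((rec.get("name", "?"), rec.get("ino", "?")))
        else:
            policy.append((context_type(rec.get("scontext", "")), ttype,
                           rec.get("tclass"), tuple(rec["perms"])))
    return dict(relabel), policy

if __name__ == "__main__":
    relabel, policy = triage(SAMPLE_AUDIT)
    for dev, objs in relabel.items():
        print(f"{dev}: {len(objs)} unlabeled object(s); relabel the filesystem "
              "(restorecon -R -v on its mount point), do not add an allow rule")
    for src, tgt, cls, perms in policy:
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}: review policy or labels")
```
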

Comment 2 Daniel Walsh 2009-11-16 15:31:36 UTC
*** Bug 537614 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2009-11-16 15:32:35 UTC

*** This bug has been marked as a duplicate of bug 530925 ***

Comment 4 Daniel Walsh 2009-11-17 13:39:29 UTC
*** Bug 538012 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2009-11-19 15:17:10 UTC
*** Bug 538796 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2009-11-19 20:56:32 UTC
*** Bug 539306 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2009-11-20 15:15:03 UTC
*** Bug 539550 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Walsh 2009-11-20 15:17:01 UTC
*** Bug 539552 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2009-11-20 17:00:31 UTC
*** Bug 539587 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2009-11-23 18:45:02 UTC
*** Bug 540562 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2009-11-24 16:29:36 UTC
*** Bug 540976 has been marked as a duplicate of this bug. ***

Comment 12 Daniel Walsh 2009-11-24 16:40:46 UTC
*** Bug 540989 has been marked as a duplicate of this bug. ***

Comment 13 Daniel Walsh 2009-11-24 16:42:46 UTC
*** Bug 540977 has been marked as a duplicate of this bug. ***

Comment 14 Daniel Walsh 2009-12-02 14:56:54 UTC
*** Bug 543464 has been marked as a duplicate of this bug. ***

Comment 15 Daniel Walsh 2009-12-02 14:59:33 UTC
*** Bug 543466 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2009-12-04 11:36:18 UTC
*** Bug 544178 has been marked as a duplicate of this bug. ***

Comment 17 Daniel Walsh 2009-12-05 10:46:02 UTC
*** Bug 544541 has been marked as a duplicate of this bug. ***

Comment 18 Daniel Walsh 2009-12-05 10:52:21 UTC
*** Bug 544492 has been marked as a duplicate of this bug. ***

Comment 19 Daniel Walsh 2009-12-05 11:35:37 UTC
*** Bug 544324 has been marked as a duplicate of this bug. ***

Comment 20 Daniel Walsh 2009-12-05 23:20:43 UTC
*** Bug 544578 has been marked as a duplicate of this bug. ***

Comment 21 Daniel Walsh 2009-12-06 15:00:40 UTC
*** Bug 544712 has been marked as a duplicate of this bug. ***

Comment 22 Daniel Walsh 2009-12-06 15:57:35 UTC
*** Bug 544797 has been marked as a duplicate of this bug. ***

Comment 23 Daniel Walsh 2009-12-06 15:57:56 UTC
*** Bug 544798 has been marked as a duplicate of this bug. ***

Comment 24 Daniel Walsh 2009-12-06 15:58:20 UTC
*** Bug 544800 has been marked as a duplicate of this bug. ***

Comment 25 Miroslav Grepl 2009-12-07 10:55:01 UTC
*** Bug 544999 has been marked as a duplicate of this bug. ***

Comment 26 Miroslav Grepl 2009-12-07 10:56:30 UTC
*** Bug 544903 has been marked as a duplicate of this bug. ***

Comment 27 Miroslav Grepl 2009-12-07 10:57:32 UTC
*** Bug 544998 has been marked as a duplicate of this bug. ***

Comment 28 Daniel Walsh 2009-12-09 13:56:27 UTC
*** Bug 545483 has been marked as a duplicate of this bug. ***

Comment 29 Daniel Walsh 2009-12-09 13:56:43 UTC
*** Bug 545484 has been marked as a duplicate of this bug. ***

Comment 30 Daniel Walsh 2009-12-09 13:57:41 UTC
*** Bug 545485 has been marked as a duplicate of this bug. ***

Comment 31 Daniel Walsh 2009-12-09 13:58:06 UTC
*** Bug 545487 has been marked as a duplicate of this bug. ***

Comment 32 Daniel Walsh 2009-12-09 14:21:17 UTC
*** Bug 545654 has been marked as a duplicate of this bug. ***

Comment 33 Daniel Walsh 2009-12-09 15:08:11 UTC
*** Bug 545749 has been marked as a duplicate of this bug. ***

Comment 34 Daniel Walsh 2009-12-18 13:59:33 UTC
*** Bug 548748 has been marked as a duplicate of this bug. ***

Comment 35 Daniel Walsh 2009-12-18 14:00:49 UTC
*** Bug 548749 has been marked as a duplicate of this bug. ***

Comment 36 Gleb Sharkunov 2009-12-18 14:13:22 UTC
Well, actually this happens when I'm trying the LFS (Linux From Scratch). The very steps describing the new partition creation on the free space make this message pop up.

I started off with LFS to try to understand how the whole thingy works, but thanks to SELinux it makes it all even more confusing :D

Comment 37 Daniel Walsh 2009-12-18 15:13:04 UTC
SELinux just wants you to put labels on this disk.  A simple restorecon would do it.

SELinux does not like unlabelled disks, since it has no idea what kind of data resides on it.

If this is a guide that tells you how to install, it should mention SELinux.

Comment 38 Daniel Walsh 2009-12-18 15:14:02 UTC
Ok, I guess LFS is a book...

Comment 39 Daniel Walsh 2009-12-18 20:49:59 UTC
*** Bug 548823 has been marked as a duplicate of this bug. ***

Comment 40 Gleb Sharkunov 2009-12-19 08:40:18 UTC
Sorry for the delays ;) Yeah, LFS is a book. www.linuxfromscratch.org

However, it's not its fault as it is. The book assumes that you already know something about Linux, which is not exactly my case as I'm just learning :)

But anyway, thanks for the reply. I'm currently reading more about SELinux and other stuff so at least I can make sense when reporting a bug :)

Comment 41 Miroslav Grepl 2009-12-21 08:19:13 UTC
*** Bug 549094 has been marked as a duplicate of this bug. ***

Comment 42 Miroslav Grepl 2009-12-21 15:21:57 UTC
*** Bug 549340 has been marked as a duplicate of this bug. ***

Comment 43 Daniel Walsh 2010-01-08 13:34:56 UTC
*** Bug 553597 has been marked as a duplicate of this bug. ***

Comment 44 Miroslav Grepl 2010-01-27 12:44:31 UTC
*** Bug 558823 has been marked as a duplicate of this bug. ***

Comment 45 Daniel Walsh 2010-02-09 16:52:17 UTC
*** Bug 563239 has been marked as a duplicate of this bug. ***

Comment 46 Daniel Walsh 2010-03-15 02:56:22 UTC
*** Bug 573491 has been marked as a duplicate of this bug. ***

Comment 47 Daniel Walsh 2010-04-11 11:36:04 UTC
*** Bug 581014 has been marked as a duplicate of this bug. ***

Comment 48 Daniel Walsh 2010-10-08 12:51:08 UTC
*** Bug 641153 has been marked as a duplicate of this bug. ***

Comment 49 Daniel Walsh 2010-11-01 17:34:58 UTC
*** Bug 648588 has been marked as a duplicate of this bug. ***

Comment 50 Adam Williamson 2011-02-25 19:56:24 UTC
*** Bug 648588 has been marked as a duplicate of this bug. ***

Comment 51 Daniel Walsh 2011-04-26 14:56:43 UTC
*** Bug 699671 has been marked as a duplicate of this bug. ***

Comment 52 Daniel Walsh 2012-02-14 21:06:40 UTC
*** Bug 790574 has been marked as a duplicate of this bug. ***

Comment 53 Daniel Walsh 2012-02-14 21:07:13 UTC
*** Bug 790575 has been marked as a duplicate of this bug. ***

Comment 54 Daniel Walsh 2012-02-14 21:07:25 UTC
*** Bug 790576 has been marked as a duplicate of this bug. ***

Comment 55 alfredo_sulb2b@yahoo.com.br 2012-02-15 00:19:39 UTC
(In reply to comment #1)
> Either your entire system is badly mislabeled, in which case you need to do as
> the setroubleshoot suggests, or you have attached a home dir from a machine
> without SELinux support and you need to put labels on it.
> 
> restorecon -R -v /home
> 
> Should fix.
> 
> Either way you need to fix the labels.

Thank you

Comment 56 Daniel Walsh 2012-02-29 19:09:13 UTC
*** Bug 798744 has been marked as a duplicate of this bug. ***

