Summary:

SELinux is preventing /usr/bin/abrt-pyhook-helper "chown" access.

Detailed Description:

[abrt-pyhook-hel has a permissive type (abrt_helper_t). This access was not denied.]

SELinux denied access requested by abrt-pyhook-hel. It is not expected that this access is required by abrt-pyhook-hel and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        abrt-pyhook-hel
Source Path                   /usr/bin/abrt-pyhook-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           abrt-addon-python-1.0.0-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-49.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 27 Nov 2009 03:05:22 PM CET
Last Seen                     Fri 27 Nov 2009 03:27:34 PM CET
Local ID                      fa26ac51-a243-44a7-bead-cddb4bbf67e9
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1259332054.243:744): avc: denied { chown } for pid=8331 comm="abrt-pyhook-hel" capability=0 scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1259332054.243:744): arch=c000003e syscall=92 success=yes exit=0 a0=a1a048 a1=0 a2=0 a3=7fff3dee9760 items=0 ppid=8330 pid=8331 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=483 sgid=483 fsgid=483 tty=pts4 ses=1 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-49.fc12,catchall,abrt-pyhook-hel,abrt_helper_t,abrt_helper_t,capability,chown

audit2allow suggests:

#============= abrt_helper_t ==============
allow abrt_helper_t self:capability chown;
You can add these rules for now using
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Fixed in selinux-policy-3.6.32-52.fc12.noarch
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
I am new to Linux. I love Fedora OS but I still don't understand functional details and probably I shall not have the time to do it soon. So, I am terribly sorry if I ask or say anything wrong. Well, I wanted to use the famous and undeniably useful Google Earth. To my surprise, I could not install it with the package manager. Anyway, experienced users told me that I can install it with one root command: "wget http://dl.google.com/earth/client/current/GoogleEarthLinux.bin && chmod +x GoogleEarthLinux.bin && ./GoogleEarthLinux.bin" I did this and googleearth runs normally if I switch the current enforcing mode to permissive. I do it every time I need googleearth. When I close googleearth I switch the current enforcing mode back to the default (enforcing). If I try to use googleearth without the above procedure, then googleearth doesn't start because SELINUX reacts and that's the reason (probably) for this bug on my PC. I hope I help you in some way. Thanks for your interest and please keep working on the FEDORA project - the best OS ever.
Try
setsebool -P allow_execstack 1
What are the avc messages you are seeing?
I tried it, the googleearth didn't start and that's the Selinux reaction:

Summary:

SELinux is preventing /opt/google-earth/googleearth-bin "execmod" access to /opt/google-earth/librender.so.

Detailed Description:

SELinux denied access requested by googleearth-bin. /opt/google-earth/librender.so may be a mislabeled. /opt/google-earth/librender.so default SELinux type is textrel_shlib_t, but its current type is usr_t. Changing this file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent directory by default.
* The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the restorecon command. restorecon '/opt/google-earth/librender.so', if this file is a directory, you can recursively restore using restorecon -R '/opt/google-earth/librender.so'.

Fix Command:

/sbin/restorecon '/opt/google-earth/librender.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:usr_t:s0
Target Objects                /opt/google-earth/librender.so [ file ]
Source                        googleearth-bin
Source Path                   /opt/google-earth/googleearth-bin
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31.6-166.fc12.x86_64 #1 SMP Wed Dec 9 10:46:22 EST 2009 x86_64 x86_64
Alert Count                   13
First Seen                    Wed 25 Nov 2009 12:30:49 PM EET
Last Seen                     Fri 18 Dec 2009 07:05:20 PM EET
Local ID                      9da8dfd3-3123-4a50-8b84-53e2d981e8ea
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1261155920.21:40): avc: denied { execmod } for pid=2888 comm="googleearth-bin" path="/opt/google-earth/librender.so" dev=dm-0 ino=399543 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1261155920.21:40): arch=40000003 syscall=125 success=no exit=-13 a0=1619000 a1=87000 a2=5 a3=ff81d9e0 items=0 ppid=1 pid=2888 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="googleearth-bin" exe="/opt/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Did you try the suggested fix?
restorecon -R -v /opt
Thanks a lot Daniel, I tried this and to my surprise it's finally ok now. No problem with selinux! According to the bug summary, I had understood that the fix command was: /sbin/restorecon '/opt/google-earth/librender.so' Anyway, I don't know how selinux works, what a boolean is etc., and I generally avoid doing anything risky by myself. Let me ask you something. How did you understand that this command was the suggested one, and how can someone like me be sure to do something like that without any risk?
SELinux is all about labeling. A great deal of problems are caused by bad labeling. Similar to permissions. restorecon is a tool that sets files to the default labeling. In this case you installed google-earth which contains libraries that were created badly (a google bug). And google-earth does not use rpm so the install procedure does not take into account SELinux labeling. When I see an execmod error, it usually indicates the library was built incorrectly, and I then checked the label of the path and saw that it should be labeled textrel_shlib_t. This is the same thing the troubleshooter did. This is a short paper I wrote on what is selinux trying to tell me. http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
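Added example, not part of the original thread or of any Fedora tool: a small Python triage of the two AVC records quoted in this bug, following the "check the label first" reasoning in the comment above. The EXPECTED_TYPE table is an assumption standing in for `matchpathcon` on a live SELinux host, and `parse_avc` and `triage` are hypothetical helper names.

```python
import re

# AVC records copied from the two reports in this thread (node= prefix dropped).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1259332054.243:744): avc: denied { chown } for pid=8331 '
    'comm="abrt-pyhook-hel" capability=0 '
    'scontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:abrt_helper_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1261155920.21:40): avc: denied { execmod } for pid=2888 '
    'comm="googleearth-bin" path="/opt/google-earth/librender.so" dev=dm-0 ino=399543 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file',
]

# Assumption: stand-in for `matchpathcon <path>`, which needs a live SELinux host.
# The single entry is the default type the troubleshooter reported in this thread.
EXPECTED_TYPE = {"/opt/google-earth/librender.so": "textrel_shlib_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type (3rd field) drives policy decisions.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec, expected=EXPECTED_TYPE):
    """Labeling first: a wrong file label is fixed with restorecon, not a new rule."""
    path = rec.get("path")
    want = expected.get(path)
    if want and want != rec["ttype"]:
        return f"relabel: restorecon -v '{path}' ({rec['ttype']} -> {want})"
    if rec["tclass"] == "capability" and rec["stype"] == rec["ttype"]:
        return f"policy: {rec['stype']} lacks self:capability {' '.join(rec['perms'])}"
    return "review: no labeling mismatch found; inspect the policy rule"

if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        print(triage(parse_avc(line)))
```

The chown record ends up as a policy question (the one answered by the selinux-policy update), while the execmod record ends up as a relabel, matching the restorecon fix that worked here.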
Thank you again Daniel. I saved your instructions file about selinux and I will study it.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.