Description of problem: SELinux denied access requested by find. /var/lib/misc/prelink.full may be a mislabeled. /var/lib/misc/prelink.full default SELinux type is prelink_var_lib_t, but its current type is cron_var_lib_t. Changing this file back to the default type, may fix your problem. Version-Release number of selected component (if applicable): 3.6.23-55f12 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: SE Troubleshooter keeps popping this warning and SELinux is preventing /bin/bash "write" access to /var/lib/misc/prelink.quick. The message context is roughly the same verbage. Expected results: Additional info: Ran suggested fix commands, just letting you know someone changed a call to process. Text from both messages: [find has a permissive type (prelink_cron_system_t). This access was not denied.] SELinux denied access requested by find. /var/lib/misc/prelink.full may be a mislabeled. /var/lib/misc/prelink.full default SELinux type is prelink_var_lib_t, but its current type is cron_var_lib_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/var/lib/misc/prelink.full', if this file is a directory, you can recursively restore using restorecon -R '/var/lib/misc/prelink.full'. Fix Command: /sbin/restorecon '/var/lib/misc/prelink.full' Additional Information: Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c 1023 Target Context system_u:object_r:cron_var_lib_t:s0 Target Objects /var/lib/misc/prelink.full [ file ] Source find Source Path /bin/find Port <Unknown> Host tmickF12 Source RPM Packages findutils-4.4.2-4.fc12 Target RPM Packages prelink-0.4.2-4.fc12 Policy RPM selinux-policy-3.6.32-55.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name restorecon Host Name tmickF12 Platform Linux tmickF12 2.6.31.6-162.fc12.i686.PAE #1 SMP Fri Dec 4 00:43:59 EST 2009 i686 athlon Alert Count 7 First Seen Wed 09 Dec 2009 03:48:15 AM MST Last Seen Tue 15 Dec 2009 03:17:03 AM MST Local ID 3582335b-405e-4f22-a187-71e7c701eae8 Line Numbers Raw Audit Messages node=tmickF12 type=AVC msg=audit(1260872223.383:22347): avc: denied { getattr } for pid=16883 comm="find" path="/var/lib/misc/prelink.full" dev=dm-0 ino=29188 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file node=tmickF12 type=SYSCALL msg=audit(1260872223.383:22347): arch=40000003 syscall=300 success=yes exit=0 a0=ffffff9c a1=9052704 a2=90526a4 a3=100 items=0 ppid=16882 pid=16883 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=155 comm="find" exe="/bin/find" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null) SELinux is preventing /bin/bash "write" access to /var/lib/misc/prelink.quick. Detailed Description: [prelink has a permissive type (prelink_cron_system_t). This access was not denied.] SELinux denied access requested by prelink. /var/lib/misc/prelink.quick may be a mislabeled. /var/lib/misc/prelink.quick default SELinux type is prelink_var_lib_t, but its current type is cron_var_lib_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/var/lib/misc/prelink.quick', if this file is a directory, you can recursively restore using restorecon -R '/var/lib/misc/prelink.quick'. Fix Command: /sbin/restorecon '/var/lib/misc/prelink.quick' Additional Information: Source Context system_u:system_r:prelink_cron_system_t:s0-s0:c0.c 1023 Target Context system_u:object_r:cron_var_lib_t:s0 Target Objects /var/lib/misc/prelink.quick [ file ] Source prelink Source Path /bin/bash Port <Unknown> Host tmickF12 Source RPM Packages bash-4.0.33-1.fc12 Target RPM Packages prelink-0.4.2-4.fc12 Policy RPM selinux-policy-3.6.32-55.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name restorecon Host Name tmickF12 Platform Linux tmickF12 2.6.31.6-162.fc12.i686.PAE #1 SMP Fri Dec 4 00:43:59 EST 2009 i686 athlon Alert Count 2 First Seen Wed 09 Dec 2009 03:48:15 AM MST Last Seen Wed 09 Dec 2009 03:48:15 AM MST Local ID a8a39593-15a9-4da5-bda9-4d5de1eb09ad Line Numbers Raw Audit Messages node=tmickF12 type=AVC msg=audit(1260355695.529:21460): avc: denied { write } for pid=8542 comm="prelink" name="prelink.quick" dev=dm-0 ino=103064 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file node=tmickF12 type=AVC msg=audit(1260355695.529:21460): avc: denied { open } for pid=8542 comm="prelink" name="prelink.quick" dev=dm-0 ino=103064 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file node=tmickF12 type=SYSCALL msg=audit(1260355695.529:21460): arch=40000003 syscall=5 success=yes exit=4 a0=85cd0d8 a1=8241 a2=1b6 a3=241 items=0 ppid=8532 pid=8542 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
Fix the labels in /var/lib/ restorecon -R -v /var/lib
There are _loads_ (most?) of fedora users with these annoying selinux alerts popping up once or twice a day. Ok - you have posted the workaround (I assume it works but haven't tried it yet) but I fail to see how that closes the issue and makes it NOTABUG. A bugfix update is required. Non-technical users are not going to come here and won't understand it if they did. I see from other bugzilla entries that this may be a complex packaging issue, but just because it's hard doesn't mean it should be ignored.
I just released -59 which will execute the restorecon command in the update.
Just the ticket. :) Teaching granny to suck eggs I'm sure, but... The trouble with tribbles ...um... security alerts, is that when a mortal user receives too many/false alarms, (s)he begins to ignore them, thus rendering the whole security alert reporting thing rather pointless. Just like windows vista security alerts. Far too many alerts. Users ignore them, always clicking OK, instantly rendering what was supposed to be a much safer OS a complete waste of time. Thats why this kind of bug should be considered HIGH PRIORITY, always. Thanks for the update :)