Summary:

SELinux is preventing /usr/bin/python "relabelto" access on vg_testbed-lv_root.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by anaconda. It is not expected that this access is required by anaconda and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                vg_testbed-lv_root [ lnk_file ]
Source                        anaconda
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-20.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.10-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33-0.52.rc8.git6.fc13.x86_64 #1 SMP Tue Feb 23 04:52:05 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 26 Feb 2010 12:25:16 PM PST
Last Seen                     Fri 26 Feb 2010 12:25:16 PM PST
Local ID                      433ba7d3-18f3-4b27-a8a1-71377dfaae8f
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1267215916.514:24462): avc: denied { relabelto } for pid=2044 comm="anaconda" name="vg_testbed-lv_root" dev=devtmpfs ino=20943 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1267215916.514:24462): arch=c000003e syscall=189 success=yes exit=4294967424 a0=2b18d64 a1=7fe626fd1689 a2=4e12620 a3=29 items=0 ppid=2043 pid=2044 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="anaconda" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,anaconda,unconfined_t,fixed_disk_device_t,lnk_file,relabelto

audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t fixed_disk_device_t:lnk_file relabelto;
This alert is shown at the end of install from the F13 Alpha live image, so it's pretty visible, but since - as it says - SELinux is in permissive mode on a live boot, it shouldn't break anything. We should clean it up for cosmetic reasons, though.
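An added example, not part of the bug report and not code from setroubleshoot or audit2allow: the Python below pairs the AVC and SYSCALL records from the report by their shared audit event ID, derives the allow rule that audit2allow printed, and reads `success=yes` from the SYSCALL record to show that the logged "denied" access actually went through on the permissive system. The function names and result keys are illustrative assumptions; the sample records are copied from the report, with the SYSCALL record abridged.

```python
import re

# Records copied from the report above; node= dropped, SYSCALL abridged.
SAMPLE = [
    'type=AVC msg=audit(1267215916.514:24462): avc: denied { relabelto } for pid=2044 comm="anaconda" name="vg_testbed-lv_root" dev=devtmpfs ino=20943 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1267215916.514:24462): arch=c000003e syscall=189 success=yes exit=4294967424 pid=2044 comm="anaconda" exe="/usr/bin/python"',
]

EVENT_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(text):
    """Turn 'k=v k2="v 2"' audit text into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def type_of(context):
    # A context is user:role:type:level; policy rules use only the type.
    return context.split(':')[2]

def triage(lines):
    """Group records by audit event ID and summarise each AVC denial."""
    events = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    results = []
    for event_id, recs in events.items():
        avc = AVC_RE.search(recs.get('AVC', ''))
        if not avc:
            continue
        perms = avc.group(1).split()
        f = parse_fields(avc.group(2))
        perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rule = (f"allow {type_of(f['scontext'])} "
                f"{type_of(f['tcontext'])}:{f['tclass']} {perm_s};")
        sc = parse_fields(recs.get('SYSCALL', ''))
        # success=yes on the paired SYSCALL means the access was only logged.
        results.append({'event': event_id, 'comm': f.get('comm'), 'rule': rule,
                        'went_through': sc.get('success') == 'yes'})
    return results

if __name__ == '__main__':
    for r in triage(SAMPLE):
        print(r)
```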
Strange since it should not happen. A link file should never be labeled fixed_disk_device_t.
Fixed in selinux-policy-3.7.10-6.fc13.noarch

Miroslav can you change the line in devices.te

allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
Ok, also added to selinux-policy-3.6.32-96.fc12.
selinux-policy-3.7.11-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.11-1.fc13
selinux-policy-3.7.11-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.11-1.fc13
selinux-policy-3.7.11-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.