Summary:

SELinux is preventing /usr/bin/nautilus "execute" access on linux.bin.

Detailed Description:

SELinux denied access requested by nautilus. It is not expected that this access is required by nautilus and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                user_u:user_r:user_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                linux.bin [ file ]
Source                        nautilus
Source Path                   /usr/bin/nautilus
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nautilus-2.28.4-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-99.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux f15 2.6.32.9-70.fc12.i686 #1 SMP Wed Mar 3 05:14:32 UTC 2010 i686 athlon
Alert Count                   1
First Seen                    Tue 16 Mar 2010 07:59:00 PM EDT
Last Seen                     Tue 16 Mar 2010 07:59:00 PM EDT
Local ID                      c4b89a27-c024-434d-9cc8-c60fba93b158
Line Numbers

Raw Audit Messages

node=f15 type=AVC msg=audit(1268783940.707:15): avc: denied { execute } for pid=2097 comm="nautilus" name="linux.bin" dev=sdf1 ino=127 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file

node=f15 type=SYSCALL msg=audit(1268783940.707:15): arch=40000003 syscall=33 success=no exit=-13 a0=9209ad0 a1=1 a2=68d1a4 a3=b6a05340 items=0 ppid=1642 pid=2097 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus" exe="/usr/bin/nautilus" subj=user_u:user_r:user_t:s0 key=(null)

Hash String generated from catchall,nautilus,user_t,dosfs_t,file,execute

audit2allow suggests:

#============= user_t ==============
allow user_t dosfs_t:file execute;

Miroslav, add fs_exec_noxattr(staff_t) and fs_exec_noxattr(user_t) to the roles directory. Dima, did you intend to use confined users?
No, I incidentally added my user name to the list of SELinux policy user templates. Yesterday I removed my user name from this list and haven't seen any issues with this host since then. Thank you, Dima.
Well you found a bug by using confined users. Thanks. :^)
Fixed in selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.