Description of problem: I did a fresh install for the Intel Video test day (using their supplied image, which should be very close to the F14 Beta), and immedately upon login I got an SELinux alert regarding abrt. Version-Release number of selected component (if applicable): selinux-policy-3.9.5-7.fc14.noarch How reproducible: Very Steps to Reproduce: 1. Install Intel Video test day image 2. Log in 3. Click on the SELinux alerts tray icon Actual results: Summary: SELinux is preventing access to files with the label, file_t. Detailed Description: SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a disk drive to the system you can relabel it using the restorecon command. For example if you saved the home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should relabel the entire file system. Allowing Access: You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot" Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:file_t:s0 Target Objects macros.imgcreate [ file ] Source abrtd Source Path /usr/sbin/abrtd Port <Unknown> Host localhost.localdomain Source RPM Packages abrt-1.1.13-2.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.5-3.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.35.6-34.fc14.x86_64 #1 SMP Mon Sep 27 05:15:59 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Thu 30 Sep 2010 01:59:30 PM EDT Last Seen Thu 30 Sep 2010 01:59:30 PM EDT Local ID 7f345bf2-0e5d-4e9b-8680-11b9f22e2e65 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1285869570.493:10): avc: denied { read } for pid=1624 comm="abrtd" name="macros.imgcreate" dev=dm-1 ino=52824 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1285869570.493:10): arch=c000003e syscall=2 success=no exit=-13 a0=2105b10 a1=0 a2=1b6 a3=0 items=0 ppid=1623 pid=1624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) Expected results: No SELinux alerts on a freshly installed system. Additional info:
This looks like the livecd-tools did not fix the labeling before generate the image. macros.imgcreate does not have a label on it.
setfiles may have been run too early. Someone mentioned in the discussion about building on selinux disabled systems that it got run before the post install stuff. If macros.imgcreate gets created in post install (I don't know if it does) then that would be an explanation for the issue. I won't get to look at this today, but should get a chance over the weekend.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This should be solved by the fix for bug 648591 *** This bug has been marked as a duplicate of bug 648591 ***