Bug 665304 - SELinux is preventing /sbin/setfiles from 'associate' accesses on the filesystem /sys.
Summary: SELinux is preventing /sbin/setfiles from 'associate' accesses on the filesys...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:31763356a9d...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-23 07:49 UTC by Matěj Cepl
Modified: 2018-04-11 08:29 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-03-31 19:59:15 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Matěj Cepl 2010-12-23 07:49:14 UTC 
SELinux is preventing /sbin/setfiles from 'associate' accesses on the filesystem /sys.

*****  Plugin filesystem_associate (99.5 confidence) suggests  ***************

If you believe setfiles should be allowed to create sys files
Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.
Do
use a command like "cp -p" to preserve all permissions except SELinux context.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that setfiles should be allowed associate access on the sys filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /sbin/setfiles /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:mock_var_lib_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ filesystem ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.84-5.fc15
Target RPM Packages           filesystem-2.4.36-1.fc15
Policy RPM                    selinux-policy-3.9.11-2.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37-0.rc6.git5.1.fc15.x86_64 #1
                              SMP Mon Dec 20 04:17:15 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Čt 23. prosinec 2010, 02:01:59 CET
Last Seen                     Čt 23. prosinec 2010, 02:01:59 CET
Local ID                      d4289f9e-6924-4e03-8a15-c98afacc7378

Raw Audit Messages
type=AVC msg=audit(1293066119.504:1615): avc:  denied  { associate } for  pid=23775 comm="restorecon" name="/" dev=sysfs ino=1 scontext=system_u:object_r:mock_var_lib_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

restorecon,mock_var_lib_t,sysfs_t,filesystem,associate
type=SYSCALL msg=audit(1293066119.504:1615): arch=x86_64 syscall=lsetxattr success=yes exit=0 a0=7f21a1237060 a1=7f219ed36e2a a2=7f21a12381a0 a3=24 items=0 ppid=23624 pid=23775 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
restorecon,mock_var_lib_t,sysfs_t,filesystem,associate

#============= mock_var_lib_t ==============
allow mock_var_lib_t sysfs_t:filesystem associate;
Comment 1 Daniel Walsh 2010-12-23 14:51:47 UTC 
Matej what were you doing to cause this?
Comment 2 Matěj Cepl 2010-12-23 19:26:45 UTC 
just clicked on "Restore context" in sealert troubleshoot window. But maybe it was caused by very much messed up (post mock) labels on my disk.
Note You need to log in before you can comment on or make changes to this bug.