Bug 674548 - SELinux is preventing /sbin/setfiles from 'relabelfrom' accesses on the file SELinux Management Tool.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:8ac9f2aa792...
Depends On:
Blocks:
 
Reported: 2011-02-02 13:04 UTC by Mads Kiilerich
Modified: 2011-02-02 18:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-02 18:47:17 UTC
Type: ---



Description Mads Kiilerich 2011-02-02 13:04:30 UTC
SELinux is preventing /sbin/setfiles from 'relabelfrom' accesses on the file SELinux Management Tool.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that setfiles should be allowed relabelfrom access on the SELinux Management Tool file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:setfiles_t:s0
Target Context                unconfined_u:object_r:gnome_home_t:s0:c293,c554
Target Objects                SELinux Management Tool [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.83-33.10.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-25.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.i686.PAE #1 SMP Thu
                              Dec 23 16:10:47 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 02 Feb 2011 02:02:33 PM CET
Last Seen                     Wed 02 Feb 2011 02:02:33 PM CET
Local ID                      8273bc55-9eb7-46ad-862b-e7ad2b1df8b0

Raw Audit Messages
type=AVC msg=audit(1296651753.848:46): avc:  denied  { relabelfrom } for  pid=29314 comm="restorecon" name=53454C696E7578204D616E6167656D656E7420546F6F6C dev=sda3 ino=337656 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:gnome_home_t:s0:c293,c554 tclass=file


type=SYSCALL msg=audit(1296651753.848:46): arch=i386 syscall=lsetxattr success=no exit=EACCES a0=23f2b94 a1=9d2023 a2=2394cb8 a3=22 items=0 ppid=29237 pid=29314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0 key=(null)

Hash: restorecon,setfiles_t,gnome_home_t,file,relabelfrom

audit2allow

#============= setfiles_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow setfiles_t gnome_home_t:file relabelfrom;

audit2allow -R

#============= setfiles_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow setfiles_t gnome_home_t:file relabelfrom;

Comment 1 Mads Kiilerich 2011-02-02 13:07:43 UTC
I got this when upgrading from
  selinux-policy-3.9.7-25.fc14.noarch
  selinux-policy-targeted-3.9.7-25.fc14.noarch
to
  selinux-policy-3.9.7-28.fc14.noarch
  selinux-policy-targeted-3.9.7-28.fc14.noarch
for testing bug 673224 (but on another machine)

Comment 2 Daniel Walsh 2011-02-02 13:19:02 UTC
Why does this have a weird MCS label?  Were you playing with MCS Labels?  
unconfined_u:object_r:gnome_home_t:s0:c293,c554

Or did something happen with sandbox of libvirt?

what does 

id -Z  

Show?

Comment 3 Mads Kiilerich 2011-02-02 13:55:50 UTC
I might have had the mls policy installed on this machine, but I haven't actively used it. Should I look for wrong labels in the filesystem or old rules in the SE db?

[root@dev-mk ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0

(It would be nice if it showed the exact filename instead of just "SELinux Management Tool". But tracing that to system-config-selinux didn't reveal anything...)

Comment 4 Mads Kiilerich 2011-02-02 15:08:27 UTC
Hmm. Yes, there is something strange with my system-config-selinux. I get the following when I start it. I don't know what to look for, but I will try a relabel-on-boot.


SELinux is preventing /usr/bin/python from unlink access on the file SELinux Management Tool.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed unlink access on the SELinux Management Tool file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/share/syst /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:object_r:gnome_home_t:s0:c293,c554
Target Objects                SELinux Management Tool [ file ]
Source                        /usr/share/syst
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          dev-mk
Source RPM Packages           python-2.7-8.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-28.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     dev-mk
Platform                      Linux dev-mk 2.6.35.10-74.fc14.i686.PAE #1 SMP Thu
                              Dec 23 16:10:47 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 02 Feb 2011 04:05:33 PM CET
Last Seen                     Wed 02 Feb 2011 04:05:33 PM CET
Local ID                      5042885d-3f6c-4077-95d2-8e747e4fb2d1

Raw Audit Messages
type=AVC msg=audit(1296659133.299:156): avc:  denied  { unlink } for  pid=9237 comm="/usr/share/syst" name=53454C696E7578204D616E6167656D656E7420546F6F6C dev=sda3 ino=337656 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:gnome_home_t:s0:c293,c554 tclass=file


type=SYSCALL msg=audit(1296659133.299:156): arch=i386 syscall=rename success=yes exit=0 a0=d66fa20 a1=d66f968 a2=27127c a3=b777a688 items=0 ppid=9233 pid=9237 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=/usr/share/syst exe=/usr/bin/python subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

Hash: /usr/share/syst,unconfined_t,gnome_home_t,file,unlink

audit2allow

#============= unconfined_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow unconfined_t gnome_home_t:file unlink;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow unconfined_t gnome_home_t:file unlink;

Comment 5 Mads Kiilerich 2011-02-02 16:45:59 UTC
It seems like a relabel-on-boot fixed these problems.

Does that from your POV solve this problem? It looks to me like an upgrade problem caused by 3.9.7-28 or some other recent updates.

Comment 6 Daniel Walsh 2011-02-02 18:47:17 UTC
No the problem was you had a gnome_home_t file on your system with a weird MCS label. Looked like something created by sandbox, although I do not know why.

The "SELinux Management Tool" file had a wrong label on it. Probably running restorecon on this file would have solved your problem.

Reopen if it happens again.
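The two raw AVC records above carry the clues that the thread only reaches in comment 6: the file name is hex-encoded by auditd because it contains spaces (hence setroubleshoot's opaque "SELinux Management Tool"), and the target context carries MCS categories (c293,c554) that neither setfiles_t nor unconfined_t at plain s0 has, which is why audit2allow flags the denial as a constraint violation that a plain allow rule cannot fix. The following Python is an added example, not code from the bug report or from setroubleshoot/audit2allow; it parses the two records as copied from the report (constructed sample input), decodes the hex name, and reports the category mismatch. The reading of the MCS constraint in the comments is this editor's interpretation, consistent with audit2allow's own warning, not a statement from the page.

```python
"""Decode the AVC records from this bug and show why they are MCS constraint violations."""
import re

# Constructed sample input: the two AVC lines copied verbatim from the report above.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1296651753.848:46): avc:  denied  { relabelfrom } for  pid=29314 '
    'comm="restorecon" name=53454C696E7578204D616E6167656D656E7420546F6F6C dev=sda3 ino=337656 '
    'scontext=unconfined_u:system_r:setfiles_t:s0 '
    'tcontext=unconfined_u:object_r:gnome_home_t:s0:c293,c554 tclass=file',
    'type=AVC msg=audit(1296659133.299:156): avc:  denied  { unlink } for  pid=9237 '
    'comm="/usr/share/syst" name=53454C696E7578204D616E6167656D656E7420546F6F6C dev=sda3 ino=337656 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:object_r:gnome_home_t:s0:c293,c554 tclass=file',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, quoted or bare
PERMS_RE = re.compile(r'\{\s*([^}]*)\}')         # the { perm perm ... } set


def decode_audit_string(value):
    """auditd hex-encodes string fields (name=, comm=, ...) that contain a space,
    a double quote or a control byte, and emits them unquoted; otherwise the value
    is double-quoted plain text. Undo both encodings."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def expand_categories(cats):
    """Expand an MCS category string such as 'c0.c3,c10' into {0, 1, 2, 3, 10}."""
    out = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return out


def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories] into its parts."""
    user, role, typ, *rest = ctx.split(':', 3)
    level = rest[0] if rest else 's0'
    sens, _, cats = level.partition(':')
    return {'user': user, 'role': role, 'type': typ,
            'sens': sens, 'cats': expand_categories(cats)}


def parse_avc(line):
    """Parse one type=AVC record into a dict, decoding encoded strings."""
    fields = dict(FIELD_RE.findall(line))
    perms = PERMS_RE.search(line).group(1).split()
    rec = {
        'perms': perms,
        # comm= is the kernel's 15-character task name, so paths get truncated here.
        'comm': decode_audit_string(fields['comm']),
        'name': decode_audit_string(fields['name']),
        'tclass': fields['tclass'],
        'source': parse_context(fields['scontext']),
        'target': parse_context(fields['tcontext']),
    }
    # Interpretation (this editor's, not the page's): under targeted policy an
    # ordinary process runs at s0 with no categories. A file labelled with
    # categories the process does not have fails the MCS constraint on
    # permissions like relabelfrom/unlink, so 'allow src tgt:file perm;' cannot
    # help; the label must be fixed (restorecon), as comment 6 concludes.
    rec['mcs_mismatch'] = sorted(rec['target']['cats'] - rec['source']['cats'])
    return rec


def describe(rec):
    """One-line human summary of a parsed record."""
    why = (f"target has categories {rec['mcs_mismatch']} the source lacks; fix the label"
           if rec['mcs_mismatch'] else "ordinary type-enforcement denial")
    return (f"{rec['comm']} ({rec['source']['type']}) denied {' '.join(rec['perms'])} "
            f"on {rec['tclass']} '{rec['name']}' ({rec['target']['type']}): {why}")


if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        print(describe(parse_avc(line)))
```

Run against a live system with `ausearch -m AVC --raw` piped in one record per line; the hex decoding is what turns the `name=` field back into a path component you can hand to `restorecon -v`.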

