Hide Forgot
SELinux is preventing /sbin/setfiles from 'relabelfrom' accesses on the file SELinux Management Tool. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that setfiles should be allowed relabelfrom access on the SELinux Management Tool file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep restorecon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:setfiles_t:s0 Target Context unconfined_u:object_r:gnome_home_t:s0:c293,c554 Target Objects SELinux Management Tool [ file ] Source restorecon Source Path /sbin/setfiles Port <Unknown> Host (removed) Source RPM Packages policycoreutils-2.0.83-33.10.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-25.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.10-74.fc14.i686.PAE #1 SMP Thu Dec 23 16:10:47 UTC 2010 i686 i686 Alert Count 1 First Seen Wed 02 Feb 2011 02:02:33 PM CET Last Seen Wed 02 Feb 2011 02:02:33 PM CET Local ID 8273bc55-9eb7-46ad-862b-e7ad2b1df8b0 Raw Audit Messages type=AVC msg=audit(1296651753.848:46): avc: denied { relabelfrom } for pid=29314 comm="restorecon" name=53454C696E7578204D616E6167656D656E7420546F6F6C dev=sda3 ino=337656 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:gnome_home_t:s0:c293,c554 tclass=file type=SYSCALL msg=audit(1296651753.848:46): arch=i386 syscall=lsetxattr success=no exit=EACCES a0=23f2b94 a1=9d2023 a2=2394cb8 a3=22 items=0 ppid=29237 pid=29314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0 key=(null) Hash: restorecon,setfiles_t,gnome_home_t,file,relabelfrom audit2allow #============= setfiles_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow setfiles_t gnome_home_t:file relabelfrom; audit2allow -R #============= setfiles_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow setfiles_t gnome_home_t:file relabelfrom;
I got this when upgrading from selinux-policy-3.9.7-25.fc14.noarch selinux-policy-targeted-3.9.7-25.fc14.noarch to selinux-policy-3.9.7-28.fc14.noarch selinux-policy-targeted-3.9.7-28.fc14.noarch for testing bug 673224 (but on another machine)
Why does this have a weird MCS label? Were you playing with MCS Labels? unconfined_u:object_r:gnome_home_t:s0:c293,c554 Or did something happen with sandbox of libvirt? what does id -Z Show?
I might have had the mls policy installed on this machine, but I haven't actively used it. Should I look for wrong labels in the filesystem or old rules in the SE db? [root@dev-mk ~]# id -Z unconfined_u:unconfined_r:unconfined_t:s0 (It would be nice if it showed the exact filename instead of just "SELinux Management Tool". But tracing that to system-config-selinux didn't reveal anything...)
Hmm. Yes, there is something strange with my system-config-selinux. I get the following when I start it. I don't know what to look for, but I will try a relabel-on-boot. SELinux is preventing /usr/bin/python from unlink access on the file SELinux Management Tool. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that python should be allowed unlink access on the SELinux Management Tool file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/share/syst /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context unconfined_u:object_r:gnome_home_t:s0:c293,c554 Target Objects SELinux Management Tool [ file ] Source /usr/share/syst Source Path /usr/bin/python Port <Unknown> Host dev-mk Source RPM Packages python-2.7-8.fc14.1 Target RPM Packages Policy RPM selinux-policy-3.9.7-28.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name dev-mk Platform Linux dev-mk 2.6.35.10-74.fc14.i686.PAE #1 SMP Thu Dec 23 16:10:47 UTC 2010 i686 i686 Alert Count 1 First Seen Wed 02 Feb 2011 04:05:33 PM CET Last Seen Wed 02 Feb 2011 04:05:33 PM CET Local ID 5042885d-3f6c-4077-95d2-8e747e4fb2d1 Raw Audit Messages type=AVC msg=audit(1296659133.299:156): avc: denied { unlink } for pid=9237 comm="/usr/share/syst" name=53454C696E7578204D616E6167656D656E7420546F6F6C dev=sda3 ino=337656 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:gnome_home_t:s0:c293,c554 tclass=file type=SYSCALL msg=audit(1296659133.299:156): arch=i386 syscall=rename success=yes exit=0 a0=d66fa20 a1=d66f968 a2=27127c a3=b777a688 items=0 ppid=9233 pid=9237 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=/usr/share/syst exe=/usr/bin/python subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) Hash: /usr/share/syst,unconfined_t,gnome_home_t,file,unlink audit2allow #============= unconfined_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow unconfined_t gnome_home_t:file unlink; audit2allow -R #============= unconfined_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow unconfined_t gnome_home_t:file unlink;
It seems like a relabel-on-boot fixed these problems. Does that from your POV solve this problem? It looks to me like an upgrade problem caused by 3.9.7-28 or some other recent updates.
No the problem was you had a gnome_home_t file on your system with a weird MCS label. Looked like something created by sandbox, although I do not know why. The SELinux Management Tool file had a wrong label on it. Probably running restorecon on this file would have solved your problem. Reopen if it happens again.