libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.5-6.fc16.x86_64
reason:         SELinux is preventing /bin/bash from 'read' accesses on the file /home/amit/.sandboxrc.
time:           Fri 23 Dec 2011 03:11:27 PM IST

description:
:SELinux is preventing /bin/bash from 'read' accesses on the file /home/amit/.sandboxrc.
:
:***** Plugin restorecon (99.5 confidence) suggests *************************
:
:If you want to fix the label.
:/home/amit/.sandboxrc default label should be user_home_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /home/amit/.sandboxrc
:
:***** Plugin catchall (1.49 confidence) suggests ***************************
:
:If you believe that bash should be allowed read access on the .sandboxrc file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep .sandboxrc /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:
:                              c686,c948
:Target Context                unconfined_u:object_r:sandbox_file_t:s0:c479,c507
:Target Objects                /home/amit/.sandboxrc [ file ]
:Source                        .sandboxrc
:Source Path                   /bin/bash
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           bash-4.2.20-1.fc16
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-64.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.5-6.fc16.x86_64 #1 SMP
:                              Thu Dec 15 16:14:44 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Fri 23 Dec 2011 12:10:25 AM IST
:Last Seen                     Fri 23 Dec 2011 12:10:25 AM IST
:Local ID                      cdd641b8-19a4-4b2b-a198-a2ec5ac353c9
:
:Raw Audit Messages
:type=AVC msg=audit(1324579225.663:6601): avc: denied { read } for pid=32171 comm=".sandboxrc" path="/home/amit/.sandboxrc" dev=dm-2 ino=3806126 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c686,c948 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c479,c507 tclass=file
:
:
:type=SYSCALL msg=audit(1324579225.663:6601): arch=x86_64 syscall=read success=no exit=EACCES a0=ff a1=1e65520 a2=e2 a3=8 items=0 ppid=32170 pid=32171 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=170 comm=.sandboxrc exe=/bin/bash subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c686,c948 key=(null)
:
:Hash: .sandboxrc,sandbox_web_client_t,sandbox_file_t,file,read
:
:audit2allow
:
:#============= sandbox_web_client_t ==============
:#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
:#Constraint rule:
:allow sandbox_web_client_t sandbox_file_t:file read;
:
:audit2allow -R
:
:#============= sandbox_web_client_t ==============
:#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
:#Constraint rule:
:allow sandbox_web_client_t sandbox_file_t:file read;
:
Did you attempt to set up a permanent homedir?
*** Bug 770074 has been marked as a duplicate of this bug. ***
(In reply to comment #1)
> Did you attempt to set up a permanent homedir?

I use this command to invoke the sandbox:

sandbox -X -W metacity -t sandbox_web_t -H ~/.sandbox_ff_home firefox

The directory ~/.sandbox_ff_home has been unmodified in quite a while.

drwxrwxr-x. amit amit unconfined_u:object_r:sandbox_file_t:s0:c301,c788 .sandbox_ff_home
Could you test it with a different homedir?
sandbox is supposed to change the label of the homedir to match the MCS label it chose. It looks like this is failing for some reason.
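The label mismatch described in the comment above can be read straight off the AVC record in the report. The following is an added example, not part of the bug thread or of the sandbox tool: it parses the scontext and tcontext of an AVC line and checks whether the source's MCS level dominates the target's. It assumes a simplified form of the MCS constraint (source sensitivity at least the target's and source categories a superset of the target's); the function names are hypothetical.

```python
import re

# Constructed sample: the AVC record from the report above, joined onto one line.
AVC = ('type=AVC msg=audit(1324579225.663:6601): avc: denied { read } for '
       'pid=32171 comm=".sandboxrc" path="/home/amit/.sandboxrc" dev=dm-2 '
       'ino=3806126 '
       'scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c686,c948 '
       'tcontext=unconfined_u:object_r:sandbox_file_t:s0:c479,c507 tclass=file')

def parse_level(level):
    """Return (sensitivity, set of category numbers) for e.g. 's0:c1,c5.c7'."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")       # 'c5.c7' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), out

def split_context(ctx):
    """Split user:role:type:range; the range itself may contain ':'."""
    user, role, setype, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return setype, parse_level(high or low)   # compare the high level of a range

def mcs_check(avc_line):
    """Report whether the source level dominates the target level (simplified)."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', avc_line))
    stype, (ssens, scats) = split_context(fields["scontext"])
    ttype, (tsens, tcats) = split_context(fields["tcontext"])
    missing = tcats - scats                   # categories the process lacks
    return {
        "source_type": stype,
        "target_type": ttype,
        "path": fields.get("path", "").strip('"'),
        "dominates": ssens >= tsens and not missing,
        "missing_categories": sorted(missing),
    }

if __name__ == "__main__":
    print(mcs_check(AVC))
```

When `dominates` is false and the types are otherwise allowed to interact, the denial is a constraint violation of the kind audit2allow flags in the report, and an extra allow rule will not resolve it.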
Yes. But it is working for me.
Are you still getting it?
Haven't got it in quite a while
Ok reopen if it happens again.