Bug 882255 - SELinux is preventing /usr/sbin/console-kit-daemon from 'read' accesses on the unix_stream_socket .
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:5103820eedd966767d9dbf74e68...
Duplicates: 881937 882356 882416 882454 882472 882486 882502 882638 882640 883187 885215
Reported: 2012-11-30 14:08 UTC by Heiko Adams
Modified: 2013-03-25 19:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-07 04:29:31 UTC
Type: ---



Description Heiko Adams 2012-11-30 14:08:03 UTC
Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.7-5.fc18.x86_64
type:           libreport

Comment 1 Heiko Adams 2012-11-30 14:08:07 UTC
Created attachment 655032
File: description

Comment 2 Miroslav Grepl 2012-11-30 20:16:12 UTC
Fixed in selinux-policy-3.11.1-58.fc18.noarch

Comment 3 Adam Williamson 2012-11-30 20:52:24 UTC
Doing a yum update that included selinux-policy-targeted.noarch 0:3.11.1-57.fc18 . I also saw this in the yum output:

  Updating   : selinux-policy-targeted-3.11.1-57.fc18.noarch             26/100 
libsepol.print_missing_requirements: permissive_consolekit_t's global requirements were not met: type/attribute consolekit_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!

I think selinux-policy-targeted is trying to do stuff to ConsoleKit without first checking if it's present. CK is legacy stuff now and only present on older installs that have been updated, or installs of desktops which haven't yet migrated to the New Way Of Doing Things.


Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 4 Fedora Update System 2012-12-01 10:32:37 UTC
selinux-policy-3.11.1-58.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-58.fc18

Comment 5 Fedora Update System 2012-12-02 19:28:39 UTC
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Comment 6 Miroslav Grepl 2012-12-03 08:08:17 UTC
*** Bug 882472 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2012-12-03 08:08:22 UTC
*** Bug 882356 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2012-12-03 08:09:27 UTC
*** Bug 881937 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2012-12-03 08:19:08 UTC
*** Bug 882486 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2012-12-03 08:27:02 UTC
*** Bug 882416 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2012-12-03 08:58:22 UTC
*** Bug 882638 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2012-12-03 10:05:27 UTC
*** Bug 882454 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2012-12-03 10:08:04 UTC
*** Bug 882640 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2012-12-03 10:08:39 UTC
*** Bug 882502 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2012-12-03 10:48:17 UTC
The following workaround together with "-59.fc18" build will be needed for "file_t" issues.

# setenforce 0
# fixfiles restore
# setenforce 1

It "only" affects updates-testing. Thank you for your testing so we caught this issue before updates repo.

Comment 17 Fomalhaut 2012-12-03 17:44:36 UTC
Updated selinux* up "-59.fc18", but it did not remedy the problem: http://paste.stg.fedoraproject.org/2209/

Comment 18 Miroslav Grepl 2012-12-03 17:54:08 UTC
Fomalhaut,
could you re-mount it?

Comment 19 Daniel Belton 2012-12-03 18:06:48 UTC
The 3.11.1-59 policy did not fix this problem. It fixed my consolekit problem, but not the denials on lost+found, gvfs-trash, and several other files.

I updated to the 3.11.1-59 and did a full filesystem relabel as well. Still getting the denials.

Comment 20 Daniel Belton 2012-12-03 18:07:56 UTC
As I mentioned in the other bug that you marked as a duplicate of this one, downgrading back to the 3.11.1-50 version fixed all of my issues.

Comment 21 Fomalhaut 2012-12-03 18:08:39 UTC
Miroslav Grepl : http://paste.stg.fedoraproject.org/2210/

Comment 22 Daniel Belton 2012-12-03 18:24:14 UTC
Here is what I am still getting after installing 3.11.1-59 and running

setenforce 0
fixfiles restore
setenforce 1

-----
SELinux is preventing /usr/bin/ls from getattr access on the directory /mnt/Drive_J/lost+found.

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (23.2 confidence) suggests  ********************

If you want to allow ls to have getattr access on the lost+found directory
Then you need to change the label on /mnt/Drive_J/lost+found
Do
# semanage fcontext -a -t FILE_TYPE '/mnt/Drive_J/lost+found'
where FILE_TYPE is one of the following: httpd_sys_content_t, var_run_t, user_home_dir_t, systemd_logind_var_run_t, policykit_reload_t, systemd_passwd_var_run_t, gconf_home_t, home_root_t, init_var_run_t, gnome_home_t, httpd_user_content_t, admin_home_t, var_lib_t, var_run_t, httpd_user_script_exec_t, gconf_home_t, home_root_t, user_home_type, fsadm_var_run_t, sysctl_crypto_t, etc_t, boolean_type, krb5kdc_conf_t, krb5_host_rcache_t, chrome_sandbox_t, virt_home_t, winbind_var_run_t, readable_t, user_tmp_type, user_home_dir_t, systemd_logind_var_run_t, file_type, systemd_passwd_var_run_t, home_root_t, cfengine_var_lib_t, etc_t, mail_spool_t, user_home_dir_t, device_t, device_t, devpts_t, sysctl_vm_t, cert_t, user_tmpfs_type, proc_net_t, etc_t, cert_type, selinux_config_t, cgroup_t, sysfs_t, tmpfs_t, var_t, abrt_var_run_t, config_home_t, bin_t, boot_t, init_var_run_t, init_t, var_run_t, setrans_var_run_t, root_t, user_home_dir_t, device_t, tmp_t, usr_t, locale_t, var_t, sssd_public_t, etc_t, user_tmp_t, cupsd_etc_t, proc_t, sysfs_t, postfix_etc_t, device_t, tmp_t, tmp_t, var_t, sysctl_t, abrt_t, bin_t, etc_t, base_ro_file_type, unlabeled_t, lib_t, man_t, likewise_var_lib_t, mnt_t, user_tmp_t, alsa_etc_rw_t, proc_t, proc_type, public_content_rw_t, public_content_t, cgroup_t, root_t, sysfs_t, tmpfs_t, tmp_t, usr_t, var_t, sysctl_kernel_t, etc_mail_t, config_home_t, bin_t, cert_t, unconfined_dbusd_t, sysctl_vm_overcommit_t, init_t, cpu_online_t, mandb_cache_t, root_t, user_fonts_t, system_cronjob_var_lib_t, thumb_t, tmp_t, usr_t, var_t, mqueue_spool_t, krb5_conf_t, systemd_logind_sessions_t, policykit_var_lib_t, user_tmp_t, telepathy_data_home_t, semanage_store_t, cfengine_var_lib_t, telepathy_cache_home_t, systemd_unit_file_type, filesystem_type, user_fonts_t, user_home_t, cache_home_t, data_home_t, textrel_shlib_t, nx_server_var_lib_t, sysctl_type, device_t, devpts_t, var_spool_t, etc_t, cache_home_t, nscd_var_run_t, nslcd_var_run_t, data_home_t, sandbox_file_t, 
samba_var_t, proc_t, var_lib_t, var_run_t, smbd_var_run_t, user_fonts_config_t, cgroup_t, rpm_script_tmp_t, src_t, sysfs_t, tmpfs_t, sssd_var_lib_t, var_log_t, sysctl_type, modules_object_t, sysctl_t, avahi_var_run_t, home_root_t, bin_t, security_t, init_var_run_t, lib_t, samba_etc_t, mnt_t, var_lib_t, var_run_t, net_conf_t, systemd_unit_file_type, virt_var_run_t, usr_t, var_t, abrt_var_run_t, security_t, security_t, domain, rpm_log_t, default_t, var_run_t, var_log_t, unconfined_t, abrt_var_run_t, krb5_host_rcache_t, sysctl_kernel_t, sysfs_t, device_t, var_t, var_t, proc_t, sysctl_t, bin_t, security_t, mozilla_plugin_rw_t, nscd_var_run_t, pcscd_var_run_t, var_run_t, var_run_t, mozilla_plugin_t. 
Then execute: 
restorecon -v '/mnt/Drive_J/lost+found'


*****  Plugin catchall (5.04 confidence) suggests  ***************************

If you believe that ls should be allowed getattr access on the lost+found directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ls /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:file_t:s0
Target Objects                /mnt/Drive_J/lost+found [ dir ]
Source                        ls
Source Path                   /usr/bin/ls
Port                          <Unknown>
Host                          tower20.home
Source RPM Packages           coreutils-8.17-6.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-59.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tower20.home
Platform                      Linux tower20.home 3.6.7-5.fc18.x86_64 #1 SMP Tue
                              Nov 20 19:40:08 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-12-03 12:20:58 CST
Last Seen                     2012-12-03 12:20:58 CST
Local ID                      5006f3a6-a4a1-4a39-8856-4920a41176a1

Raw Audit Messages
type=AVC msg=audit(1354558858.408:345): avc:  denied  { getattr } for  pid=7518 comm="ls" path="/mnt/Drive_J/lost+found" dev="sdc1" ino=11 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir


type=SYSCALL msg=audit(1354558858.408:345): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7fff7bb68300 a1=1f62f70 a2=1f62f70 a3=1f60330 items=0 ppid=1415 pid=7518 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: ls,unconfined_t,file_t,dir,getattr
----

Comment 23 Miroslav Grepl 2012-12-03 19:58:48 UTC
Well the problem is some of these dirs are not going to be fixed by restorecon.

For example

# matchpathcon /mnt/Drive_J/lost+found
/mnt/Drive_J/lost+found	<<none>>

<<none>> means the label is not going to be restored.

We added some fixes related to file_t because we want to see if something is labeled file_t.

Daniel,
could you also try to re-mount /mnt/Drive_J?

Comment 24 Miroslav Grepl 2012-12-03 20:43:49 UTC
Also what does

# grep systemd-udevd /var/log/messages

Comment 25 Daniel Belton 2012-12-03 20:51:39 UTC
Remounting the filesystem doesn't change things at all. I am still getting numerous denials on that drive and others as well.

# grep systemd-udevd /var/log/messages

Gives me no output. Nothing is found. 


I am getting the denials on numerous files, though.

Here is a clip from /var/log/audit/audit.log that has some of the denials.

-------

type=AVC msg=audit(1354564655.173:299): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/Drive_J/lost+found" dev="sdc1" ino=11 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.037:313): avc:  denied  { getattr } for  pid=2202 comm="ls" path=2F6D6E742F426C61636B41726D6F7244726976652F5365616761746520426C61636B41726D6F72 dev="sdd1" ino=1222913 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.078:314): avc:  denied  { getattr } for  pid=2202 comm="ls" path="/mnt/BlackArmorDrive/myunrar2" dev="sdd1" ino=13 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567749.078:315): avc:  denied  { getattr } for  pid=2202 comm="ls" path="/mnt/BlackArmorDrive/myunrar" dev="sdd1" ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567749.099:316): avc:  denied  { getattr } for  pid=2202 comm="ls" path="/mnt/BlackArmorDrive/myunrar4" dev="sdd1" ino=15 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567749.149:317): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path=2F6D6E742F426C61636B41726D6F7244726976652F5365616761746520426C61636B41726D6F72 dev="sdd1" ino=1222913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.191:318): avc:  denied  { getattr } for  pid=2202 comm="ls" path="/mnt/BlackArmorDrive/myunrar3" dev="sdd1" ino=14 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567749.233:319): avc:  denied  { getattr } for  pid=2202 comm="ls" path="/mnt/BlackArmorDrive/lost+found" dev="sdd1" ino=11 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.504:320): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path=2F6D6E742F426C61636B41726D6F7244726976652F5365616761746520426C61636B41726D6F72 dev="sdd1" ino=1222913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.581:321): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar2" dev="sdd1" ino=13 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567749.924:322): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar2" dev="sdd1" ino=13 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567749.971:323): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar" dev="sdd1" ino=12 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567750.308:324): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar" dev="sdd1" ino=12 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567750.356:325): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar4" dev="sdd1" ino=15 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567750.694:326): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar4" dev="sdd1" ino=15 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567750.741:327): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar3" dev="sdd1" ino=14 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567751.082:328): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/myunrar3" dev="sdd1" ino=14 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567751.132:329): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/lost+found" dev="sdd1" ino=11 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567751.474:330): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/BlackArmorDrive/lost+found" dev="sdd1" ino=11 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

----------
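Added example, not part of the original bug report: a triage script for audit.log excerpts like the one above. It parses each AVC denial, decodes the hex-encoded path= values that auditd writes for paths containing spaces, and collapses repeated denials into one entry per file_t object so the affected mounts are visible at a glance. The function names are this example's own.

```python
import re
from collections import defaultdict

# Lines 1-4 are copied from the audit.log excerpt above; line 5 is constructed
# (a usr_t target) to show that correctly labeled objects are filtered out.
SAMPLE = r'''type=AVC msg=audit(1354564655.173:299): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path="/mnt/Drive_J/lost+found" dev="sdc1" ino=11 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.037:313): avc:  denied  { getattr } for  pid=2202 comm="ls" path=2F6D6E742F426C61636B41726D6F7244726976652F5365616761746520426C61636B41726D6F72 dev="sdd1" ino=1222913 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.149:317): avc:  denied  { getattr } for  pid=1407 comm="setroubleshootd" path=2F6D6E742F426C61636B41726D6F7244726976652F5365616761746520426C61636B41726D6F72 dev="sdd1" ino=1222913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1354567749.078:314): avc:  denied  { getattr } for  pid=2202 comm="ls" path="/mnt/BlackArmorDrive/myunrar2" dev="sdd1" ino=13 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1354567752.000:331): avc:  denied  { write } for  pid=2300 comm="touch" path="/mnt/Drive_J" dev="sdc1" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(raw):
    """auditd quotes plain paths and hex-encodes those with spaces or control bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # e.g. "(null)"


def ctx_type(context):
    """Return the type field of a user:role:type:level context, or '' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "comm": f.get("comm", "").strip('"'),
        "path": decode_path(f.get("path", "")),
        "dev": f.get("dev", "").strip('"'),
        "ino": f.get("ino", ""),
        "source_type": ctx_type(f.get("scontext", "")),
        "target_type": ctx_type(f.get("tcontext", "")),
        "tclass": f.get("tclass", ""),
    }


def unlabeled_objects(lines, target_type="file_t"):
    """One entry per (device, inode) whose target type is file_t, however many denials it caused."""
    objs = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["target_type"] != target_type:
            continue
        entry = objs.setdefault((rec["dev"], rec["ino"]), {
            "path": rec["path"], "tclass": rec["tclass"],
            "domains": set(), "perms": set(), "count": 0})
        entry["domains"].add(rec["source_type"])
        entry["perms"].update(rec["perms"])
        entry["count"] += 1
    return objs


def by_device(objs):
    """Group the affected paths by block device, i.e. by mounted filesystem."""
    grouped = defaultdict(list)
    for (dev, _ino), entry in objs.items():
        grouped[dev].append(entry["path"])
    return {dev: sorted(paths) for dev, paths in grouped.items()}


if __name__ == "__main__":
    for dev, paths in sorted(by_device(unlabeled_objects(SAMPLE.splitlines())).items()):
        print(dev, "carries file_t objects:", ", ".join(repr(p) for p in paths))
```
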

Comment 26 Miroslav Grepl 2012-12-03 20:54:38 UTC
How do you mount it?

Comment 27 Daniel Belton 2012-12-03 21:00:20 UTC
It is mounted in my /etc/fstab

Here is the line that mounts that drive:

LABEL=Drive\040J  /mnt/Drive_J  ext4  defaults,noatime,comment=systemd.mount  0  2

Comment 28 Daniel Belton 2012-12-03 21:02:27 UTC
It is mounted in my /etc/fstab

Here is the line that mounts that drive:

LABEL=Drive\040J  /mnt/Drive_J  ext4  defaults,noatime,comment=systemd.mount  0  2

Comment 29 Daniel Walsh 2012-12-04 03:59:30 UTC
Relabel will not put labels on a disk mounted under /mnt, since it has no way to know what to label this.  If you want this shared with everyone I would label it usr_t.


chcon -t usr_t /mnt/BlackArmorDrive

Or mount it with a context mount

mount -o context="system_u:object_r:usr_t:s0" ...

Comment 30 Adam Williamson 2012-12-04 04:34:12 UTC
dwalsh: should we have some kind of default for stuff mounted under /mnt ? it's an old standard, but one a lot of people still use.

Comment 31 Daniel Belton 2012-12-04 05:11:52 UTC
OK, then what put the label on it in the first place?

Those filesystems have always been mounted under /mnt. Something labelled it to begin with. 

With setenforce 0

[root@tower20 Drive_J]# ls -alZ
drwxrwxrwx. root root system_u:object_r:usr_t:s0       .
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       ..
drwxrwxrwx. root root system_u:object_r:file_t:s0      lost+found

This is what I get with setenforce 1

[root@tower20 Drive_J]# ls -alZ
ls: cannot access lost+found: Permission denied
drwxrwxrwx. root root system_u:object_r:usr_t:s0       .
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       ..
?---------  ?    ?                                     lost+found

Comment 32 Daniel Belton 2012-12-04 05:24:51 UTC
Ok, I just fixed the issue here by creating a policy to allow access..

[root@tower20 /]# grep ls /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp
[root@tower20 /]# semodule -i mypol.pp

[root@tower20 /]# cd /mnt/Drive_J
[root@tower20 Drive_J]# ls -alZ
drwxrwxrwx. root root system_u:object_r:usr_t:s0       .
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       ..
drwxrwxrwx. root root system_u:object_r:file_t:s0      lost+found
drwxrwxrwx. Me   Me   unconfined_u:object_r:mnt_t:s0   Seeding


So for me, it's fixed for the time being.

Comment 33 Matt Goldyn 2012-12-04 11:24:33 UTC
extracting android system.img using dxdia kitchen. audit2allow not working (command not found)

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 34 Miroslav Grepl 2012-12-04 12:39:49 UTC
*** Bug 883187 has been marked as a duplicate of this bug. ***

Comment 35 Miroslav Grepl 2012-12-04 15:06:46 UTC
Any chance anybody sees

"Failed to set security context (null) for" 

in the /var/log/messages?

Comment 36 Daniel Belton 2012-12-04 16:14:05 UTC
(In reply to comment #33)
> extracting android system.img using dxdia kitchen. audit2allow not working
> (command not found)
> 
> Package: (null)
> OS Release: Fedora release 18 (Spherical Cow)

You need to install the policycoreutils-devel package to get audit2allow

yum install policycoreutils-devel

-------

Miroslav, I am not getting any of those messages in my /var/log/messages file here.

Comment 37 Fomalhaut 2012-12-04 17:03:27 UTC
Miroslav,

$ grep "Failed to set security context" /var/log/messages
Dec  4 06:37:37 fmhstar systemd-udevd[10259]: Failed to set security context (null) for /dev/input: File exists
Dec  4 06:37:37 fmhstar systemd-udevd[10259]: Failed to set security context (null) for /dev/input/by-id: File exists
Dec  4 06:39:16 fmhstar systemd-udevd[10421]: Failed to set security context (null) for /dev/disk: File exists
Dec  4 06:39:16 fmhstar systemd-udevd[10421]: Failed to set security context (null) for /dev/disk/by-path: File exists

Comment 38 Alessandro 2012-12-04 17:12:08 UTC
To open a USB external disk or open a partition not in /etc/fstab

Package: (null)
Architecture: i686
OS Release: Fedora release 18 (Spherical Cow)

Comment 39 Alexander Ioannou 2012-12-04 21:30:21 UTC
Trying to update nfs-utils to 1:1.2.7-1.fc18.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 40 Adam Williamson 2012-12-05 01:46:28 UTC
Still happening with -59 here. I did a full relabel after -59 was installed, no dice. I still get denials for /media/Sea500/images and /media/Sea500/lost+found .

Comment 41 Adam Williamson 2012-12-05 01:47:57 UTC
I don't have any 'Failed to set security context' errors in /var/log/messages .

Comment 42 Alessandro 2012-12-05 09:30:02 UTC
(In reply to comment #39)
> Trying to update nfs-utils to 1:1.2.7-1.fc18.
> 
> Package: (null)
> OS Release: Fedora release 18 (Spherical Cow)

The problem is with the ext3 and ext4 filesystems.
NTFS and FAT filesystems can be read and written with no problems.

Comment 44 Daniel Belton 2012-12-06 15:47:43 UTC
Miroslav:

3.11.1-60 indeed appears to have fixed the file_t denials I was having, but I wish to make certain of something.

I created a policy (noted in comment 32 above) to allow the access. Does the update to selinux-policy and selinux-policy-targeted clear out the policy I manually created, or do I need to do something else to clear out the manual policy I created?

Also, I ran a complete filesystem relabel after installing selinux-policy 3.11.1-60 and I am getting a message on the relabel that I don't think I was getting with 3.11.1-59

SELinux: Context system_u:object_r:consoletype_exec_t:s0 is not valid (left unmapped)

Comment 45 Miroslav Grepl 2012-12-06 16:52:13 UTC
Run

# semodule -r mypol

Comment 46 Fedora Update System 2012-12-06 20:10:22 UTC
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

Comment 47 Fedora Update System 2012-12-07 04:29:34 UTC
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 48 Jason Montleon 2012-12-07 20:14:33 UTC
*** Bug 885215 has been marked as a duplicate of this bug. ***

Comment 49 Reinhard 2013-02-11 21:31:12 UTC
Not yet fixed for me

using
selinux-policy-targeted-3.11.1-76.fc18.noarch
selinux-policy-3.11.1-76.fc18.noarch

When using USB stick, /var/log/messages shows

Feb 11 22:22:27 localhost kernel: [19656.149559] usb 3-2: new high-speed USB device number 10 using xhci_hcd
Feb 11 22:22:27 localhost kernel: [19656.164033] usb 3-2: New USB device found, idVendor=1234, idProduct=0123
Feb 11 22:22:27 localhost kernel: [19656.164041] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Feb 11 22:22:27 localhost kernel: [19656.164045] usb 3-2: Product: DISK
Feb 11 22:22:27 localhost kernel: [19656.164048] usb 3-2: Manufacturer: USB
Feb 11 22:22:27 localhost kernel: [19656.164051] usb 3-2: SerialNumber: 9BC20800FFFF17BE
Feb 11 22:22:27 localhost kernel: [19656.166715] scsi14 : usb-storage 3-2:1.0
Feb 11 22:22:27 localhost mtp-probe: checking bus 3, device 10: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-2"
Feb 11 22:22:27 localhost mtp-probe: bus: 3, device: 10 was not an MTP device
Feb 11 22:22:28 localhost kernel: [19657.190236] scsi 14:0:0:0: Direct-Access     USB      DISK             DL13 PQ: 0 ANSI: 4
Feb 11 22:22:28 localhost kernel: [19657.191790] sd 14:0:0:0: Attached scsi generic sg2 type 0
Feb 11 22:22:29 localhost kernel: [19657.797966] sd 14:0:0:0: [sdb] 7843840 512-byte logical blocks: (4.01 GB/3.74 GiB)
Feb 11 22:22:29 localhost kernel: [19657.798258] sd 14:0:0:0: [sdb] Write Protect is off
Feb 11 22:22:29 localhost kernel: [19657.798662] sd 14:0:0:0: [sdb] No Caching mode page present
Feb 11 22:22:29 localhost kernel: [19657.798681] sd 14:0:0:0: [sdb] Assuming drive cache: write through
Feb 11 22:22:29 localhost kernel: [19657.802014] sd 14:0:0:0: [sdb] No Caching mode page present
Feb 11 22:22:29 localhost kernel: [19657.802021] sd 14:0:0:0: [sdb] Assuming drive cache: write through
Feb 11 22:22:29 localhost kernel: [19657.816724]  sdb: sdb1
Feb 11 22:22:29 localhost kernel: [19657.818149] sd 14:0:0:0: [sdb] No Caching mode page present
Feb 11 22:22:29 localhost kernel: [19657.818158] sd 14:0:0:0: [sdb] Assuming drive cache: write through
Feb 11 22:22:29 localhost kernel: [19657.818165] sd 14:0:0:0: [sdb] Attached SCSI removable disk
Feb 11 22:22:30 localhost systemd-udevd[27011]: Failed to set security context (null) for /dev/disk: File exists
Feb 11 22:22:30 localhost systemd-udevd[27011]: Failed to set security context (null) for /dev/disk/by-path: File exists


last two lines repeated ad infinitum.
setenforce 0
seems to be a workaround

Comment 50 Dan Stahlke 2013-02-12 14:08:50 UTC
I get this error as well with selinux-policy-targeted-3.11.1-76.fc18.noarch and
selinux-policy-3.11.1-76.fc18.noarch, although it only happens sometimes.  Killing all systemd-udevd processes fixes it.

