Description of problem: 1. Plug in a USB drive 2. Can't use it, get lots of SELinux warnings instead SELinux is preventing /usr/bin/dolphin from 'getattr' accesses on the directory /run/media/kecskebak/KINGSTON-8. ***** Plugin file (36.8 confidence) suggests ******************************* If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot ***** Plugin file (36.8 confidence) suggests ******************************* If you think this is caused by a badly mislabeled machine. Then you need to fully relabel. Do touch /.autorelabel; reboot ***** Plugin catchall_labels (23.2 confidence) suggests ******************** If you want to allow dolphin to have getattr access on the KINGSTON-8 directory Then you need to change the label on /run/media/kecskebak/KINGSTON-8 Do # semanage fcontext -a -t FILE_TYPE '/run/media/kecskebak/KINGSTON-8' where FILE_TYPE is one of the following: httpd_sys_content_t, var_run_t, user_home_dir_t, systemd_logind_var_run_t, policykit_reload_t, systemd_passwd_var_run_t, gconf_home_t, home_root_t, init_var_run_t, gnome_home_t, httpd_user_content_t, admin_home_t, var_lib_t, var_run_t, httpd_user_script_exec_t, gconf_home_t, home_root_t, user_home_type, fsadm_var_run_t, sysctl_crypto_t, etc_t, boolean_type, krb5kdc_conf_t, krb5_host_rcache_t, chrome_sandbox_t, virt_home_t, winbind_var_run_t, readable_t, user_tmp_type, user_home_dir_t, systemd_logind_var_run_t, file_type, systemd_passwd_var_run_t, home_root_t, cfengine_var_lib_t, etc_t, mail_spool_t, user_home_dir_t, device_t, device_t, devpts_t, sysctl_vm_t, cert_t, user_tmpfs_type, proc_net_t, etc_t, cert_type, selinux_config_t, cgroup_t, sysfs_t, tmpfs_t, var_t, abrt_var_run_t, config_home_t, bin_t, boot_t, init_var_run_t, init_t, var_run_t, setrans_var_run_t, root_t, user_home_dir_t, device_t, tmp_t, usr_t, locale_t, var_t, sssd_public_t, etc_t, user_tmp_t, cupsd_etc_t, proc_t, sysfs_t, postfix_etc_t, device_t, tmp_t, tmp_t, var_t, sysctl_t, abrt_t, bin_t, etc_t, base_ro_file_type, unlabeled_t, lib_t, man_t, likewise_var_lib_t, mnt_t, user_tmp_t, alsa_etc_rw_t, proc_t, proc_type, public_content_rw_t, public_content_t, cgroup_t, root_t, sysfs_t, tmpfs_t, tmp_t, usr_t, var_t, sysctl_kernel_t, etc_mail_t, config_home_t, bin_t, cert_t, unconfined_dbusd_t, sysctl_vm_overcommit_t, init_t, cpu_online_t, mandb_cache_t, root_t, user_fonts_t, system_cronjob_var_lib_t, thumb_t, tmp_t, usr_t, var_t, mqueue_spool_t, krb5_conf_t, systemd_logind_sessions_t, policykit_var_lib_t, user_tmp_t, telepathy_data_home_t, semanage_store_t, cfengine_var_lib_t, telepathy_cache_home_t, systemd_unit_file_type, filesystem_type, user_fonts_t, user_home_t, cache_home_t, data_home_t, textrel_shlib_t, nx_server_var_lib_t, sysctl_type, device_t, devpts_t, var_spool_t, etc_t, cache_home_t, nscd_var_run_t, nslcd_var_run_t, data_home_t, sandbox_file_t, samba_var_t, proc_t, var_lib_t, var_run_t, smbd_var_run_t, user_fonts_config_t, cgroup_t, rpm_script_tmp_t, src_t, sysfs_t, tmpfs_t, sssd_var_lib_t, var_log_t, sysctl_type, modules_object_t, sysctl_t, avahi_var_run_t, home_root_t, bin_t, security_t, init_var_run_t, lib_t, samba_etc_t, mnt_t, var_lib_t, var_run_t, net_conf_t, systemd_unit_file_type, virt_var_run_t, usr_t, var_t, abrt_var_run_t, security_t, security_t, domain, rpm_log_t, default_t, var_run_t, var_log_t, unconfined_t, abrt_var_run_t, krb5_host_rcache_t, sysctl_kernel_t, sysfs_t, device_t, var_t, var_t, proc_t, sysctl_t, bin_t, security_t, mozilla_plugin_rw_t, nscd_var_run_t, pcscd_var_run_t, var_run_t, var_run_t, mozilla_plugin_t. Then execute: restorecon -v '/run/media/kecskebak/KINGSTON-8' ***** Plugin catchall (5.04 confidence) suggests *************************** If you believe that dolphin should be allowed getattr access on the KINGSTON-8 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep dolphin /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:file_t:s0 Target Objects /run/media/kecskebak/KINGSTON-8 [ dir ] Source dolphin Source Path /usr/bin/dolphin Port <Unknown> Host (removed) Source RPM Packages kde-runtime-4.9.3-1.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-59.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.6.7-5.fc18.x86_64 #1 SMP Tue Nov 20 19:40:08 UTC 2012 x86_64 x86_64 Alert Count 19 First Seen 2012-12-05 08:59:52 CET Last Seen 2012-12-05 09:04:16 CET Local ID c0b34adc-f238-4b6a-af88-ba4e42e4cbd3 Raw Audit Messages type=AVC msg=audit(1354694656.284:454): avc: denied { getattr } for pid=2979 comm="kioclient" path="/run/media/kecskebak/KINGSTON-8" dev="sde1" ino=2 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir type=SYSCALL msg=audit(1354694656.284:454): arch=x86_64 syscall=stat success=no exit=EACCES a0=d1e2c8 a1=7fffbedb3390 a2=7fffbedb3390 a3=7fffbedb2fe0 items=0 ppid=1217 pid=2979 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=kioclient exe=/usr/bin/kioclient subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash: dolphin,unconfined_t,file_t,dir,getattr audit2allow audit2allow -R Additional info: hashmarkername: setroubleshoot kernel: 3.6.7-5.fc18.x86_64 type: libreport
Dave, what does # grep "Failed to set security context" /var/log/messages
Just tried it - it returns nothing. BTW: thanks for looking into this so quickly Miroslav!
Ok, did you try to downgrade to -50.fc18 release?
Not that I know of. I am using a clean install of Fedora 18 KDE Beta on a real hard drive. There is nothing else - no other OS-es on the computer. I've only updated when prompted to by Apper with the updates it suggests.
BTW: Just checked with Apper and it says my system is completely up to date.
Fixed in selinux-policy-3.11.1-60.fc18.noarch
Fixed selinux policy was waiting for me to update this morning - I can confirm that I can now plug-in my USB sticks and Dolphin lets me use them. Many, many, thanks for your quick work fixing this Daniel and Miroslav. All the best, Dave
selinux-policy-3.11.1-62.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-62.fc18
Package selinux-policy-3.11.1-62.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-62.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-20203/selinux-policy-3.11.1-62.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.