Bug 969943 - SELinux is preventing /usr/bin/cp from 'associate' accesses on the filesystem pstore.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
Version: 19
Hardware: i686 Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:c8f68e8b74b6926744522506b36...
Reported: 2013-06-03 06:35 UTC by klaus
Modified: 2013-06-24 11:55 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-06-24 11:55:51 UTC

Description klaus 2013-06-03 06:35:46 UTC
Description of problem:
Did create a backup to copy essential system data there, using the command
cp -a /sys /run/media/klaus/Bigdisk2/Backup_Fedora19
that did render lots of error messages at the shell prompt
and did call SELinux to alarm, preventing /usr/bin/cp from 'associate' accesses on the filesystem pstore.
Think that SELinux preventing 'associate' accesses to the filesystem is well done
but the error messages to cp -a sys are disturbing.
Want to get this to a solution quickly.
SELinux is preventing /usr/bin/cp from 'associate' accesses on the filesystem pstore.

*****  Plugin catchall (100. confidence) suggests  ***************************

If sie denken, dass es cp standardmässig erlaubt sein sollte, associate Zugriff auf pstore filesystem zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep cp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:pstorefs_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                pstore [ filesystem ]
Source                        cp
Source Path                   /usr/bin/cp
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           coreutils-8.21-11.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-47.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-300.fc19.i686.PAE #1 SMP Fri
                              May 24 23:19:44 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-06-03 07:51:44 CEST
Last Seen                     2013-06-03 07:51:44 CEST
Local ID                      53cf1390-ed0c-4559-b022-58ea2dc1e0a3

Raw Audit Messages
type=AVC msg=audit(1370238704.595:540): avc:  denied  { associate } for  pid=2578 comm="cp" name="pstore" scontext=system_u:object_r:pstorefs_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

type=SYSCALL msg=audit(1370238704.595:540): arch=i386 syscall=mkdir success=no exit=EACCES a0=94c4190 a1=1c0 a2=8069000 a3=0 items=0 ppid=2376 pid=2578 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=cp exe=/usr/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: cp,pstorefs_t,fs_t,filesystem,associate

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.i686.PAE
type:           libreport

Comment 1 Daniel Walsh 2013-06-08 10:20:18 UTC
Basically cp -a is attempting to preserve SELinux labels from /sys to a file system, and policy says that these labels like pstorefs_t are not allowed to be written on a real file system.

Use -p instead and you should work fine.
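
The raw audit records quoted in the report, read programmatically. This is an added example, not part of the original bug or of any SELinux tool, and its function names are made up for illustration. It pairs the AVC and SYSCALL records by event serial and shows that in a filesystem/associate denial the source context is the label being applied to the new file and the target context is the destination filesystem's label.

```python
import re
from collections import defaultdict

# The two raw audit records quoted in the report (both carry event serial 540).
AUDIT_LINES = [
    'type=AVC msg=audit(1370238704.595:540): avc:  denied  { associate } for  pid=2578 comm="cp" name="pstore" scontext=system_u:object_r:pstorefs_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=SYSCALL msg=audit(1370238704.595:540): arch=i386 syscall=mkdir success=no exit=EACCES a0=94c4190 a1=1c0 a2=8069000 a3=0 items=0 ppid=2376 pid=2578 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=cp exe=/usr/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(lines):
    """Group audit records by event serial; keep key=value fields per record type."""
    events = defaultdict(dict)
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            pm = PERMS.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events[int(serial)][rtype] = fields
    return dict(events)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def label_copy_denials(events):
    """Report denials where the destination filesystem refused a file label."""
    findings = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("tclass") != "filesystem" or "associate" not in avc["perms"]:
            continue
        findings.append({
            "serial": serial, "comm": avc.get("comm"),
            "syscall": sc.get("syscall"), "exit": sc.get("exit"),
            "file_label": selinux_type(avc["scontext"]),  # label cp tried to carry over
            "fs_label": selinux_type(avc["tcontext"]),    # label of the backup filesystem
        })
    return findings

if __name__ == "__main__":
    for finding in label_copy_denials(parse_events(AUDIT_LINES)):
        print(finding)
```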
