Johan Vromans <jvromans(a)squirrel.nl> writes:
Bruno Wolff III <bruno(a)wolff.to> writes:
> Going back through the thread, I see that at least one of the tests that
> failed you indicated was done with 034. Perhaps some F14 package also got
> updated that affected this.
>
> If you see the problem happen again, please let us know.
I'll run some more tests...
Respin with repos fedora and fedora-updates, selinux enforced, yields
two AVC denials. Messages attached.
TBC,
Johan
--- 1 ---
Summary:
SELinux is preventing access to files with the label, file_t.
Detailed Description:
SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.
Allowing Access:
You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"
Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                network [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.8.1-6.git20100831.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.34.7-56.fc13.i686
                              #1 SMP Wed Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Tue 28 Sep 2010 07:28:17 AM EDT
Last Seen                     Tue 28 Sep 2010 07:28:17 AM EDT
Local ID                      05243d80-2406-4557-bef4-f0fc31fa42e0
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1285673297.979:7): avc: denied { read }
for pid=923 comm="NetworkManager" name="network" dev=dm-0 ino=64332
scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285673297.979:7): arch=40000003
syscall=5 success=no exit=-13 a0=5102b3 a1=0 a2=365a3d a3=5102b3 items=0 ppid=1 pid=923
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)
--- 2 ---
Summary:
SELinux is preventing access to files with the label, file_t.
Detailed Description:
SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.
Allowing Access:
You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"
Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                macros.imgcreate [ file ]
Source                        abrtd
Source Path                   /usr/sbin/abrtd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           abrt-1.1.13-2.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-57.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.34.7-56.fc13.i686
                              #1 SMP Wed Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 28 Sep 2010 07:28:31 AM EDT
Last Seen                     Tue 28 Sep 2010 07:28:31 AM EDT
Local ID                      cc2455d2-70e7-4202-9b8a-33957ef0b981
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1285673311.432:9): avc: denied { read }
for pid=1143 comm="abrtd" name="macros.imgcreate" dev=dm-0 ino=64333
scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0
tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285673311.432:9): arch=40000003
syscall=5 success=no exit=-13 a0=8ceab98 a1=8000 a2=1b6 a3=1a75e8 items=0 ppid=1142
pid=1143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd"
subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
--- ---
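
An added example, not part of the original message or of setroubleshoot: a small parser that picks the file_t (unlabeled) targets out of raw AVC records like the two attached above, keyed by device and inode so the files can be located and relabeled individually. The function names are this example's own, and the third sample record is constructed for contrast.

```python
import re
from collections import defaultdict

# The two AVC records from the reports above (rejoined onto single lines),
# plus one CONSTRUCTED record with a properly labeled target for contrast.
SAMPLE_AUDIT = '''\
node=localhost.localdomain type=AVC msg=audit(1285673297.979:7): avc: denied { read } for pid=923 comm="NetworkManager" name="network" dev=dm-0 ino=64332 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1285673311.432:9): avc: denied { read } for pid=1143 comm="abrtd" name="macros.imgcreate" dev=dm-0 ino=64333 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1285673320.100:11): avc: denied { write } for pid=1200 comm="example" name="example.conf" dev=dm-0 ino=70001 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNLABELED_TYPE = "file_t"  # type the kernel reports for files with no label


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """Third colon-separated field of a user:role:type:level context."""
    return ctx.split(":")[2]


def unlabeled_targets(audit_text):
    """Map (dev, ino, name) -> sorted source domains denied on unlabeled files."""
    hits = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and context_type(rec["tcontext"]) == UNLABELED_TYPE:
            key = (rec["dev"], rec["ino"], rec["name"])
            hits[key].add(context_type(rec["scontext"]))
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (dev, ino, name), domains in unlabeled_targets(SAMPLE_AUDIT).items():
        # name= is only the last path component; locate the file by inode
        # (e.g. `find / -xdev -inum <ino>`), then run restorecon on that path.
        print(f"unlabeled {name!r} dev={dev} ino={ino} denied to {', '.join(domains)}")
```

The consecutive inode numbers in the two real records suggest the unlabeled files were created back to back, which is worth checking when deciding between a targeted restorecon and a full relabel.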