Exim policy issue
by Rahul Sundaram
Hi
Summary:
SELinux is preventing exim (exim_t) "read" to inotify (inotifyfs_t).
Detailed Description:
SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for inotify,
restorecon -v 'inotify'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:exim_t:s0-s0:c0.c1023
Target Context system_u:object_r:inotifyfs_t:s0
Target Objects inotify [ dir ]
Source exim
Source Path /usr/sbin/exim
Port <Unknown>
Host localhost.localdomain
Source RPM Packages exim-4.69-5.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-4.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27-0.244.rc2.git1.fc10.i686 #1 SMP Fri Aug 8 13:26:20 EDT 2008 i686 i686
Alert Count 3
First Seen Mon 11 Aug 2008 04:02:14 AM IST
Last Seen Wed 13 Aug 2008 04:02:11 AM IST
Local ID 746dedc0-e321-48a0-8649-29a02d459530
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1218580331.174:832): avc: denied { read } for pid=17565 comm="exim" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1218580331.174:832): arch=40000003 syscall=11 success=yes exit=0 a0=b80d5424 a1=b9a93548 a2=bfbf5330 a3=1 items=0 ppid=1 pid=17565 auid=0 uid=93 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=37 comm="exim" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0-s0:c0.c1023 key=(null)
Rahul
15 years, 8 months
Re: system-config-selinux in rawhide
by Rahul Sundaram
Daniel J Walsh wrote:
> Rahul Sundaram wrote:
>
>> Hi,
>>
>> For some reason, system-config-selinux is taking a really long time just
>> to open up in rawhide.
>>
>>
> Seems to be working well for me?
>
I saw someone else complaining in the forum. So it's not just me. How do I help you debug this issue?
Rahul
15 years, 8 months
system-config-services issue
by Rahul Sundaram
Hi,
In rawhide, I am running across this issue:
--
Summary:
SELinux is preventing the dbus-daemon-lau (system_dbusd_t) from executing
./system-config-services-mechanism.py.
Detailed Description:
SELinux has denied the dbus-daemon-lau from executing ./system-config-services-mechanism.py. If dbus-daemon-lau is supposed to be able to execute ./system-config-services-mechanism.py, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this dbus-daemon-lau is not supposed to execute ./system-config-services-mechanism.py, this could signal an intrusion attempt.
Allowing Access:
If you want to allow dbus-daemon-lau to execute ./system-config-services-mechanism.py: chcon -t bin_t './system-config-services-mechanism.py' If this fix works, please update the file context on disk, with the following command: semanage fcontext -a -t bin_t './system-config-services-mechanism.py' Please specify the full path to the executable, Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy to make sure this becomes the default labeling.
Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects ./system-config-services-mechanism.py [ file ]
Source dbus-daemon-lau
Source Path /lib/dbus-1/dbus-daemon-launch-helper
Port <Unknown>
Host localhost.localdomain
Source RPM Packages dbus-1.2.1-7.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-4.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name execute
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27-0.166.rc0.git8.fc10.i686 #1 SMP Mon Jul 21 20:51:26 EDT 2008 i686 i686
Alert Count 2
First Seen Thu 07 Aug 2008 02:21:12 AM IST
Last Seen Thu 07 Aug 2008 04:01:06 AM IST
Local ID 8473c2be-dcfe-4f50-9db3-6f3dbd1d6025
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1218061866.291:173): avc: denied { execute } for pid=26453 comm="dbus-daemon-lau" name="system-config-services-mechanism.py" dev=dm-1 ino=1474565 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1218061866.291:173): arch=40000003 syscall=11 success=no exit=-13 a0=8816018 a1=8815d60 a2=8815008 a3=6c99bc items=0 ppid=26452 pid=26453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
---
Rahul
15 years, 8 months
system-config-selinux in rawhide
by Rahul Sundaram
Hi,
For some reason, system-config-selinux is taking a really long time just
to open up in rawhide.
# rpm -qf /usr/bin/system-config-selinux
policycoreutils-gui-2.0.53-1.fc10.i386
Rahul
15 years, 8 months
linux-igd blocked by SELinux
by Daniel Fazekas
The linux-igd package in Fedora 9 doesn't seem to function at all in
its default configuration with SELinux enabled.
It's a UPnP IGD implementation which calls iptables to automatically
add requested port forwarding DNAT entries to the nat table's
PREROUTING chain, and the filter table's FORWARD chain.
Two runs through audit2allow made me a module which allows it to
function, however, I'm worried whether the automatically generated
rules are sensible, or if it's even normal that a Fedora 9 package by
default just wouldn't work at all with SELinux enforcing on. Thanks
for any insight.
The upnpd runs as root.
The package versions:
linux-igd-1.0-5.fc9.i386
selinux-policy-targeted-3.3.1-79.fc9.noarch
Audit messages:
type=1400 audit(1217802519.747:3819): avc: denied { read write } for pid=7890 comm="iptables" path="socket:[133770]" dev=sockfs ino=133770 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket
type=1400 audit(1217804575.392:3820): avc: denied { read write } for pid=8058 comm="iptables" path="socket:[133769]" dev=sockfs ino=133769 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=1401 audit(1217811758.594:3828): security_compute_sid: invalid context unconfined_u:unconfined_r:insmod_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=process
The auto-generated module which allows it to function:
module myupnpd 1.0.1;

require {
        type iptables_t;
        type initrc_t;
        type insmod_t;
        role unconfined_r;
        class tcp_socket { read write };
        class udp_socket { read write };
}

#============= ROLES ==============
# Generated from the type=1401 security_compute_sid message above: it authorizes
# the unconfined_r role for the insmod_t domain, so that the iptables process
# (running as unconfined_r) may transition into insmod_t when it execs insmod.
role unconfined_r types insmod_t;

#============= iptables_t ==============
# Generated from the two type=1400 AVCs above: the sockets iptables inherits are
# labeled initrc_t (the domain upnpd itself runs in, per the tcontext), and
# iptables_t is not otherwise allowed to read or write initrc_t sockets.
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
15 years, 8 months
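One way to answer the "are the generated rules sensible" question before loading such a module, as an added example that is not part of the original post or of the linux-igd package: the script below parses the allow and role-authorization statements that audit2allow emits and flags the ones a reviewer would want to decide on by hand, namely role expansions (audit2allow produces these from a security_compute_sid invalid-context message rather than from a file or socket denial) and rules whose target is a broad catch-all domain such as initrc_t. The embedded module text is a copy of the one quoted in the post; the permission and type lists HIGH_RISK_PERMS and BROAD_TYPES are my own review heuristics, not definitions taken from the reference policy.

```python
import re

# Constructed copy of the audit2allow output quoted in the linux-igd post.
SAMPLE_TE = """\
module myupnpd 1.0.1;

require {
    type iptables_t;
    type initrc_t;
    type insmod_t;
    role unconfined_r;
    class tcp_socket { read write };
    class udp_socket { read write };
}

#============= ROLES ==============
role unconfined_r types insmod_t;

#============= iptables_t ==============
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
"""

# allow <source> <target>:<class> { perms } ;   or   allow a b:c perm ;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$")
# role <role> types <type> ;
ROLE_RE = re.compile(r"^role\s+(\S+)\s+types\s+(\S+)\s*;$")

# My own review heuristics (assumptions, not reference-policy definitions):
# permissions that change memory protection or control other processes ...
HIGH_RISK_PERMS = {"execmem", "execstack", "execheap", "execmod",
                   "ptrace", "transition", "dyntransition", "setcurrent"}
# ... and target types that are catch-all domains, where a rule is usually too broad.
BROAD_TYPES = {"unconfined_t", "initrc_t", "unlabeled_t"}


def parse_rules(te_text):
    """Extract allow and role-authorization statements from a .te file."""
    rules = []
    for raw in te_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            rules.append({"kind": "allow", "source": m.group(1), "target": m.group(2),
                          "class": m.group(3), "perms": m.group(4).strip("{} ").split()})
            continue
        m = ROLE_RE.match(line)
        if m:
            rules.append({"kind": "role", "role": m.group(1), "type": m.group(2)})
    return rules


def review(te_text):
    """Return one finding string per rule that deserves a human decision."""
    findings = []
    for r in parse_rules(te_text):
        if r["kind"] == "role":
            findings.append(
                f"role expansion: {r['role']} gains type {r['type']}; audit2allow emits this "
                "for an invalid-context message, so confirm the domain transition is wanted")
            continue
        perms = " ".join(r["perms"])
        rule = f"allow {r['source']} {r['target']}:{r['class']} {{ {perms} }}"
        risky = HIGH_RISK_PERMS & set(r["perms"])
        if risky:
            findings.append(f"high-risk permission {sorted(risky)}: {rule}")
        if r["target"] in BROAD_TYPES:
            findings.append(f"broad target type: {rule}; prefer a narrower type or relabeling")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_TE):
        print(finding)
```

For the module in the post this reports the role rule and both initrc_t socket rules; that matches the poster's instinct that a package should not need an unconfined-role expansion just to call iptables, and points at the initrc_t label on upnpd's sockets as the thing to raise in the bug report rather than something to paper over locally.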
SELinux is preventing nspluginviewer ....
by Antonio Olivares
Dear all,
Now I know why playing Penalty_Fever caused a problem. The following is clear evidence :(
Summary:
SELinux is preventing nspluginviewer from changing a writable memory segment
executable.
Detailed Description:
The nspluginviewer application attempted to change the access protection of
memory (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If nspluginviewer does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust nspluginviewer to run correctly, you can change the context of the
executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/nspluginviewer'". You must also change the default file context files
on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects None [ process ]
Source nspluginviewer
Source Path /usr/bin/nspluginviewer
Port <Unknown>
Host localhost.localdomain
Source RPM Packages kdebase-4.1.0-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-4.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execmem
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26.1 #1 SMP Sat Aug 2 21:36:01 CDT 2008 i686 i686
Alert Count 29
First Seen Sun 03 Aug 2008 12:55:21 PM CDT
Last Seen Sun 03 Aug 2008 12:55:21 PM CDT
Local ID 865503d3-baab-4dcd-adc0-47f8fff6ade6
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
This was an old bug and it returns to bite back :(
Is anybody else also encountering this problem?
Regards,
Antonio
15 years, 8 months
selinux and denied gconf errors
by Antonio Olivares
Dear all,
A group of selinux errors and denied avcs follows:
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /home/olivares/.gconfd
(unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home/olivares/.gconfd,
restorecon -v '/home/olivares/.gconfd'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /home/olivares/.gconfd [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:20 PM CDT
Last Seen Thu 31 Jul 2008 01:31:21 PM CDT
Local ID 01cdf1be-4f1a-4058-bc41-81cc1c834598
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529081.437:33): avc: denied { getattr } for pid=10222 comm="updatedb" path="/home/olivares/.gconfd" dev=dm-0 ino=476292 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529081.437:33): arch=40000003 syscall=196 success=no exit=-13 a0=9893169 a1=bfcfd748 a2=c1cff4 a3=9893169 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /home/olivares/.gconf
(unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home/olivares/.gconf,
restorecon -v '/home/olivares/.gconf'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /home/olivares/.gconf [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:20 PM CDT
Last Seen Thu 31 Jul 2008 01:31:21 PM CDT
Local ID 62d1f886-f58a-4fa3-8222-c3ba79bf4989
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529081.436:32): avc: denied { getattr } for pid=10222 comm="updatedb" path="/home/olivares/.gconf" dev=dm-0 ino=476270 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529081.436:32): arch=40000003 syscall=196 success=no exit=-13 a0=9892f89 a1=bfcfd748 a2=c1cff4 a3=9892f89 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to
/home/olivares/.config/gtk-2.0 (unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home/olivares/.config/gtk-2.0,
restorecon -v '/home/olivares/.config/gtk-2.0'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /home/olivares/.config/gtk-2.0 [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:19 PM CDT
Last Seen Thu 31 Jul 2008 01:31:21 PM CDT
Local ID e551c492-3193-4a8b-9885-2c0a9330caf8
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529081.12:31): avc: denied { getattr } for pid=10222 comm="updatedb" path="/home/olivares/.config/gtk-2.0" dev=dm-0 ino=426550 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529081.12:31): arch=40000003 syscall=196 success=no exit=-13 a0=9893509 a1=bfcfd5c8 a2=c1cff4 a3=9893509 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /root/.gconfd
(unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /root/.gconfd,
restorecon -v '/root/.gconfd'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /root/.gconfd [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:40 PM CDT
Last Seen Thu 31 Jul 2008 01:31:31 PM CDT
Local ID 9abda88c-0b21-4d95-914b-8a8e43658f2b
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529091.176:37): avc: denied { getattr } for pid=10222 comm="updatedb" path="/root/.gconfd" dev=dm-0 ino=33243 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529091.176:37): arch=40000003 syscall=196 success=no exit=-13 a0=9892f15 a1=bfcfd8c8 a2=c1cff4 a3=9892f15 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /root/.gnome2
(unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /root/.gnome2,
restorecon -v '/root/.gnome2'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /root/.gnome2 [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:40 PM CDT
Last Seen Thu 31 Jul 2008 01:31:31 PM CDT
Local ID 94a6e1e9-462b-4288-a2c9-9678abafa22c
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529091.179:38): avc: denied { getattr } for pid=10222 comm="updatedb" path="/root/.gnome2" dev=dm-0 ino=33245 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529091.179:38): arch=40000003 syscall=196 success=no exit=-13 a0=9892e95 a1=bfcfd8c8 a2=c1cff4 a3=9892e95 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /root/.gconf
(unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /root/.gconf,
restorecon -v '/root/.gconf'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /root/.gconf [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:40 PM CDT
Last Seen Thu 31 Jul 2008 01:31:31 PM CDT
Local ID 72df776e-7cd5-4444-bfd7-173e26d0814c
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529091.174:36): avc: denied { getattr } for pid=10222 comm="updatedb" path="/root/.gconf" dev=dm-0 ino=33242 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529091.174:36): arch=40000003 syscall=196 success=no exit=-13 a0=9892e21 a1=bfcfd8c8 a2=c1cff4 a3=9892e21 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Summary:
SELinux is preventing updatedb (locate_t) "getattr" to /root/.config/gtk-2.0
(unlabeled_t).
Detailed Description:
SELinux denied access requested by updatedb. It is not expected that this access
is required by updatedb and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /root/.config/gtk-2.0,
restorecon -v '/root/.config/gtk-2.0'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:locate_t
Target Context system_u:object_r:unlabeled_t
Target Objects /root/.config/gtk-2.0 [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mlocate-0.21-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.1-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.26-0.44.rc4.git2.fc10.i686 #1 SMP Thu May 29 13:44:38 EDT 2008 i686 i686
Alert Count 2
First Seen Wed 30 Jul 2008 09:26:40 PM CDT
Last Seen Thu 31 Jul 2008 01:31:31 PM CDT
Local ID fe2c17eb-dbce-4a97-9cb8-77588b788ab7
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1217529091.123:35): avc: denied { getattr } for pid=10222 comm="updatedb" path="/root/.config/gtk-2.0" dev=dm-0 ino=35023 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1217529091.123:35): arch=40000003 syscall=196 success=no exit=-13 a0=98930d1 a1=bfcfd748 a2=c1cff4 a3=98930d1 items=0 ppid=10216 pid=10222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0 key=(null)
Thanks in Advance,
Antonio
15 years, 8 months
Re: fedora-selinux-list Digest, Vol 54, Issue 1
by Antonio Olivares
> Easiest is:
>
> touch /.autorelabel; reboot
>
> You also might fix all/most of these with
>
> restorecon -R -v /home /root
>
> -Eric
> ------------------------------
Eric,
I tried the restorecon command first, but it failed; I still got a flood of SELinux denials. The first one, I did and it appears to have cured the mess :)
touch /.autorelabel; reboot
Regards,
Antonio
15 years, 9 months
Re: Can't export samba share
by Steve Blackwell
> On Fri, Jul 25, 2008 at 7:27 PM, Steve Blackwell <zephod(a)cfl.rr.com>
> wrote:
>> I've been out of town for a few days but there were no new postings
>> while I was away and I still don't have a solution for this.
>>
>
> Might I suggest posting the AVC's so that everyone can see what is
> going on.
I'm going to give it one more day and after that I'm going to have to
turn selinux off.
This is from audit.log:
type=AVC msg=audit(1217030414.315:34): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1217030414.315:34): arch=40000003 syscall=5 success=no exit=-13 a0=b926ff00 a1=98800 a2=379d9c a3=b9293478 items=0 ppid=2649 pid=7099 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1217030414.317:35): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
Steve
15 years, 9 months
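Across the threads above the same triage question keeps coming up: is a denial a labeling problem that restorecon or a full relabel fixes (the updatedb reports, where the target is unlabeled_t), a memory-protection issue (the nspluginviewer execmem case), a script that simply carries the wrong file type (the dbus launch-helper case, where setroubleshoot suggests bin_t), or a genuine policy gap that needs a boolean or a local module (the exim and smbd cases)? The following script, added here as an example and not code from any of the posters or from setroubleshoot, parses AVC records into their fields and sorts them into those four buckets; for the relabel bucket it also collects the top-level directories involved so that one restorecon -R invocation covers them, which is the shape of the fix Eric suggested for the updatedb denials. The sample lines are single-line copies of AVCs quoted in the threads; the bucket names and the classification rules are my own.

```python
import re
from collections import defaultdict

# Constructed sample: single-line copies of AVC records quoted in the threads
# above (exim, dbus-daemon-launch-helper, nspluginviewer, updatedb, smbd).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1218580331.174:832): avc: denied { read } for pid=17565 comm="exim" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1218061866.291:173): avc: denied { execute } for pid=26453 comm="dbus-daemon-lau" name="system-config-services-mechanism.py" dev=dm-1 ino=1474565 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1217529081.437:33): avc: denied { getattr } for pid=10222 comm="updatedb" path="/home/olivares/.gconfd" dev=dm-0 ino=476292 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1217529091.176:37): avc: denied { getattr } for pid=10222 comm="updatedb" path="/root/.gconfd" dev=dm-0 ino=33243 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1217030414.315:34): avc: denied { read } for pid=7099 comm="smbd" name="/" dev=sdb1 ino=5 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Bucket names are my own labels for the four kinds of fix seen in the threads.
RELABEL, EXEC_LABEL, MEMPROT, POLICY = (
    "relabel", "label-as-executable", "memory-protection", "policy-review")


def parse_avc(line):
    """Return the key=value fields of one AVC record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; the type is what policy rules key on.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def triage(avc):
    """Map one denial to the kind of fix a first pass should try."""
    if avc["ttype"] == "unlabeled_t":
        # The object carries no label at all: restorecon / touch /.autorelabel,
        # not a new allow rule.
        return RELABEL
    if avc["tclass"] == "process" and "execmem" in avc["perms"]:
        # Writable and executable memory: fix the application, not the policy.
        return MEMPROT
    if avc["tclass"] == "file" and "execute" in avc["perms"]:
        # A script or binary carrying a generic file type; an executable type
        # such as bin_t is the usual fix.
        return EXEC_LABEL
    # Everything else: a confined domain needs access the policy does not grant.
    # Check for a boolean first, then consider a local module or a bug report.
    return POLICY


def summarize(text):
    """Group parsed denials by triage bucket."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            buckets[triage(avc)].append(avc)
    return buckets


def relabel_roots(text):
    """Top-level directories under which unlabeled objects were seen."""
    roots = set()
    for avc in summarize(text)[RELABEL]:
        path = avc.get("path") or avc.get("name") or ""
        if path.startswith("/") and len(path) > 1:
            roots.add("/" + path.split("/")[1])
    return sorted(roots)


if __name__ == "__main__":
    for bucket, avcs in summarize(SAMPLE_AUDIT).items():
        print(f"{bucket}:")
        for avc in avcs:
            obj = avc.get("path") or avc.get("name") or "-"
            print(f"  {avc['comm']:<16} {avc['stype']:<16} -> "
                  f"{avc['ttype']}:{avc['tclass']} {obj}")
    roots = relabel_roots(SAMPLE_AUDIT)
    if roots:
        print("suggested: restorecon -R -v " + " ".join(roots))
```

Run against the sample it puts the two updatedb denials in the relabel bucket and proposes restorecon -R -v /home /root, while exim and smbd land in policy-review; for those the SYSCALL record that follows each AVC (success=no exit=-13) is the confirmation that the denial actually broke the operation rather than being a harmless probe that the program tolerated.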