F12: SeLinux denials on older Fedora version mounted filesystems
Daniel B. Thurman
dant at cdkkt.com
Fri Mar 5 18:29:14 UTC 2010
I reported this before, but got no response - perhaps because
I bundled several issues into one posting? If so, here is a separate
posting.
It appears that SeLinux examines all mounted filesystem but
in this case, SeLinux sees other Fedora versions and starts to
complain when it is not related to the current running OS that
is running. As you can see below, and running F12, it complains
about F11 (and in several places in the mounted F11 filesystem).
Many other complaints are similar for mounted Fedora versions
BELOW the current running OS (F12), such as F11, 10, 9, 8, ...
How does one get around this issue?
=============================================
Summary:
SELinux is preventing /usr/bin/updatedb "getattr" access to
/md/RF11D1/etc/poker-network.
Detailed Description:
SELinux denied access requested by updatedb.
/md/RF11D1/etc/poker-network may be
a mislabeled. /md/RF11D1/etc/poker-network default SELinux type is
default_t,
but its current type is unlabeled_t. Changing this file back to the default
type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which
creates
a file in a directory labeled B will instead create the file with
label C.
An example of this would be the dhcp client running with the
dhclient_t type
and creating a file in the directory /etc. This file would normally
receive
the etc_t type due to parental inheritance but instead the file is
labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as
chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file
should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/md/RF11D1/etc/poker-network', if this
file is a
directory, you can recursively restore using restorecon -R
'/md/RF11D1/etc/poker-network'.
Fix Command:
/sbin/restorecon '/md/RF11D1/etc/poker-network'
Additional Information:
Source Context system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /md/RF11D1/etc/poker-network [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages mlocate-0.22.2-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-92.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com
2.6.31.12-174.2.22.fc12.i686
#1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 4
First Seen Tue 02 Mar 2010 03:14:22 AM PST
Last Seen Fri 05 Mar 2010 03:15:44 AM PST
Local ID 98ffff35-e41b-4d4e-b3d3-d286a4916baf
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1267787744.981:42770): avc:
denied { getattr } for pid=15175 comm="updatedb"
path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413
scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=gold.cdkkt.com type=SYSCALL msg=audit(1267787744.981:42770):
arch=40000003 syscall=196 success=no exit=-13 a0=a02bea9 a1=bfb343b0
a2=4c5ff4 a3=a02bea9 items=0 ppid=15169 pid=15175 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=246
comm="updatedb" exe="/usr/bin/updatedb"
subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
More information about the selinux
mailing list