SELinux is preventing /usr/sbin/vbetool
Leo
sdl.web at gmail.com
Fri Nov 16 18:22:36 UTC 2007
Dear all,
I am a little worried by the following alert. Any ideas?
Leo
================================
Summary
SELinux is preventing /usr/sbin/vbetool (vbetool_t) "write" to
/var/run/vbemode (var_run_t).
Detailed Description
SELinux is preventing /usr/sbin/vbetool (vbetool_t) "write" to
/var/run/vbemode (var_run_t). The SELinux type var_run_t, is a generic type
for all files in the directory and very few processes (SELinux Domains) are
allowed to write to this SELinux type. This type of denial usual indicates
a mislabeled file. By default a file created in a directory has the gets
the context of the parent directory, but SELinux policy has rules about the
creation of directories, that say if a process running in one SELinux Domain
(D1) creates a file in a directory with a particular SELinux File Context
(F1) the file gets a different File Context (F2). The policy usually allows
the SELinux Domain (D1) the ability to write or append on (F2). But if for
some reason a file (/var/run/vbemode) was created with the wrong context,
this domain will be denied. The usual solution to this problem is to reset
the file context on the target file, restorecon -v /var/run/vbemode. If the
file context does not change from var_run_t, then this is probably a bug in
policy. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against the selinux-policy package. If it does change, you can try your
application again to see if it works. The file context could have been
mislabeled by editing the file or moving the file from a different
directory, if the file keeps getting mislabeled, check the init scripts to
see if they are doing something to mislabel the file.
Allowing Access
You can attempt to fix file context by executing restorecon -v
/var/run/vbemode
The following command will allow this access:
restorecon /var/run/vbemode
Additional Information
Source Context system_u:system_r:vbetool_t:s0
Target Context system_u:object_r:var_run_t:s0
Target Objects /var/run/vbemode [ file ]
Affected RPM Packages vbetool-0.7-2.fc8 [application]
Policy RPM selinux-policy-3.0.8-52.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.mislabeled_file
Host Name sl392.st-edmunds.cam.ac.uk
Platform Linux sl392.st-edmunds.cam.ac.uk 2.6.23.1-49.fc8
#1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count 1
First Seen Fri 16 Nov 2007 03:34:55 GMT
Last Seen Fri 16 Nov 2007 03:36:19 GMT
Local ID 3fe90cde-8d06-4978-b465-d0ee552dab05
Line Numbers
Raw Audit Messages
avc: denied { write } for comm=vbetool dev=sda1 egid=0 euid=0
exe=/usr/sbin/vbetool exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/var/run/vbemode
pid=6413 scontext=system_u:system_r:vbetool_t:s0 sgid=0
subj=system_u:system_r:vbetool_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0
--
.: Leo :. [ sdl.web AT gmail.com ] .: [ GPG Key: 9283AA3F ] :.
Use the best OS -- http://www.fedoraproject.org/
More information about the test
mailing list