SELinux is preventing /usr/sbin/vbetool

Leo sdl.web at gmail.com
Fri Nov 16 18:22:36 UTC 2007


Dear all,

I am a little worried by the following alert. Any ideas?

Leo

================================
Summary
    SELinux is preventing /usr/sbin/vbetool (vbetool_t) "write" to
    /var/run/vbemode (var_run_t).

Detailed Description
    SELinux is preventing /usr/sbin/vbetool (vbetool_t) "write" to
    /var/run/vbemode (var_run_t). The SELinux type var_run_t, is a generic type
    for all files in the directory and very few processes (SELinux Domains) are
    allowed to write to this SELinux type.  This type of denial usual indicates
    a mislabeled file.  By default a file created in a directory has the gets
    the context of the parent directory, but SELinux policy has rules about the
    creation of directories, that say if a process running in one SELinux Domain
    (D1) creates a file in a directory with a particular SELinux File Context
    (F1) the file gets a different File Context (F2).  The policy usually allows
    the SELinux Domain (D1) the ability to write or append on (F2).  But if for
    some reason a file (/var/run/vbemode) was created with the wrong context,
    this domain will be denied.  The usual solution to this problem is to reset
    the file context on the target file, restorecon -v /var/run/vbemode.  If the
    file context does not change from var_run_t, then this is probably a bug in
    policy.  Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against the selinux-policy package. If it does change, you can try your
    application again to see if it works.  The file context could have been
    mislabeled by editing the file or moving the file from a different
    directory, if the file keeps getting mislabeled, check the init scripts to
    see if they are doing something to mislabel the file.

Allowing Access
    You can attempt to fix file context by executing restorecon -v
    /var/run/vbemode

    The following command will allow this access:
    restorecon /var/run/vbemode

Additional Information        

Source Context                system_u:system_r:vbetool_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /var/run/vbemode [ file ]
Affected RPM Packages         vbetool-0.7-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-52.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.mislabeled_file
Host Name                     sl392.st-edmunds.cam.ac.uk
Platform                      Linux sl392.st-edmunds.cam.ac.uk 2.6.23.1-49.fc8
                              #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   1
First Seen                    Fri 16 Nov 2007 03:34:55 GMT
Last Seen                     Fri 16 Nov 2007 03:36:19 GMT
Local ID                      3fe90cde-8d06-4978-b465-d0ee552dab05
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=vbetool dev=sda1 egid=0 euid=0
exe=/usr/sbin/vbetool exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/var/run/vbemode
pid=6413 scontext=system_u:system_r:vbetool_t:s0 sgid=0
subj=system_u:system_r:vbetool_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0


-- 
.:  Leo  :.  [ sdl.web AT gmail.com ]  .:  [ GPG Key: 9283AA3F ]  :.

          Use the best OS -- http://www.fedoraproject.org/




More information about the test mailing list