Re: F7: SELinux feature or bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bruno Wolff III wrote:
it's ready relabeling or if it's doing anything at all.
Open another terminal while it is running, and check the output of the
`top` command - this only works if you _can_ get to other terminals at
the same time, which I believe is not true in runlevel 1, or when
rebooting.

If you are doing an auto relabel you won't be able to login. The whole point
of doing the relabel at that point is that it is before init has started up
processes labelled incorrectly.

What you could do if you want to keep doing stuff through a relabel, is
change to permissive mode, run fixfiles restore /, reboot when its done, change
back to enforcing mode.

That process I think can still hit some corner cases where files might be
left incorrectly labelled. But you can run a verify afterwards to check.

Thanks for the help so far guys, and sorry for the lousy subject.

I booted into runlevel 1 and saw the relabel doing  it's work.
Then I could actually boot my system and login again without having to
disable selinux as a kernel parameter. But selinux was still in
permissive mode.
The SELinux troubleshooter mentioned some alerts; denials and
potentially mislabeled files. So I switched to enforcing mode, and then immediately all kinds of (more or less expected) problems start. The system logs me out 10 seconds after being logged in.
So now I'm back in permissive mode.
So the next challenge is that I should 'make the troubleshooter happy'.
But this is the part where my selinux knowledge is falling short.
The attached file contains the  troubleshooter alerts.
How do I create a local policy for these selinux denials? I don't know
what the complained files are for.

Regards,
Jeroen.

Summary
    SELinux is preventing /usr/bin/ssh-agent (hotplug_t) "create" to ssh-
    jASrzL3044 (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/bin/ssh-agent. It is not expected
    that this access is required by /usr/bin/ssh-agent and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for ssh-jASrzL3044, restorecon -v
    ssh-jASrzL3044 If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                ssh-jASrzL3044 [ dir ]
Affected RPM Packages         openssh-clients-4.5p1-6.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:12 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:12 PM CEST
Local ID                      cc8f5919-2565-4ebf-94dc-57038e4e2427
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="ssh-agent" dev=dm-0 egid=500 euid=500
exe="/usr/bin/ssh-agent" exit=0 fsgid=500 fsuid=500 gid=500 items=0 name="ssh-
jASrzL3044" pid=3044 scontext=user_u:system_r:hotplug_t:s0 sgid=99
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/bin/ssh-agent (hotplug_t) "create" to agent.3044
    (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/bin/ssh-agent. It is not expected
    that this access is required by /usr/bin/ssh-agent and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for agent.3044, restorecon -v
    agent.3044 If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                agent.3044 [ sock_file ]
Affected RPM Packages         openssh-clients-4.5p1-6.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:12 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:12 PM CEST
Local ID                      a7ce378b-77d6-43bf-9517-5a123b442750
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="ssh-agent" dev=dm-0 egid=500 euid=500
exe="/usr/bin/ssh-agent" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="agent.3044" pid=3044 scontext=user_u:system_r:hotplug_t:s0 sgid=99
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=sock_file
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "lock" to /tmp
    /gconfd-jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600
    (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
    that this access is required by /usr/libexec/gconfd-2 and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /tmp/gconfd-
    jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon
    -v /tmp/gconfd-
    jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600 If this does
    not work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                /tmp/gconfd-jeroen/lock/0t1184182753ut773209u500p3
                              160r1898720419k3216382600 [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      3860f0ee-0ce5-45b2-a737-b6397da8d623
Line Numbers                  

Raw Audit Messages            

avc: denied { lock } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" path="/tmp/gconfd-
jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500


Summary
    SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "link" to
    0t1184182753ut773209u500p3160r1898720419k3216382600 (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
    that this access is required by /usr/libexec/gconfd-2 and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon -v
    0t1184182753ut773209u500p3160r1898720419k3216382600 If this does not work,
    there is currently no automatic way to allow this access. Instead,  you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                0t1184182753ut773209u500p3160r1898720419k321638260
                              0 [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      2f6ba3ad-76fe-4e2b-9d83-0ed36b110d2f
Line Numbers                  

Raw Audit Messages            

avc: denied { link } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500


Summary
    SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "unlink" to
    0t1184182753ut773209u500p3160r1898720419k3216382600 (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
    that this access is required by /usr/libexec/gconfd-2 and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon -v
    0t1184182753ut773209u500p3160r1898720419k3216382600 If this does not work,
    there is currently no automatic way to allow this access. Instead,  you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                0t1184182753ut773209u500p3160r1898720419k321638260
                              0 [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      8366a58e-046d-454d-8959-e26277109dc5
Line Numbers                  

Raw Audit Messages            

avc: denied { unlink } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500


Summary
    SELinux is preventing /usr/bin/gnome-session (hotplug_t) "connectto" to /tmp
    /orbit-jeroen/linc-c58-0-39af5a27bc7a6 (hotplug_t).

Detailed Description
    SELinux denied access requested by /usr/bin/gnome-session. It is not
    expected that this access is required by /usr/bin/gnome-session and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:system_r:hotplug_t
Target Objects                /tmp/orbit-jeroen/linc-c58-0-39af5a27bc7a6 [
                              unix_stream_socket ]
Affected RPM Packages         gnome-session-2.18.3-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      0a8f0c20-d75e-4215-afba-5fe8d2e5cecf
Line Numbers                  

Raw Audit Messages            

avc: denied { connectto } for comm="gnome-session" dev=dm-0 egid=500 euid=500
exe="/usr/bin/gnome-session" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="linc-c58-0-39af5a27bc7a6" path="/tmp/orbit-
jeroen/linc-c58-0-39af5a27bc7a6" pid=3044 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=unix_stream_socket
tcontext=user_u:system_r:hotplug_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                system_u:object_r:file_t
Target Objects                /home/jeroen/.gconfd/saved_state [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      c339b7f3-f95e-421e-bad8-0160e715e1bc
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" path="/home/jeroen/.gconfd/saved_state" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                system_u:object_r:file_t
Target Objects                saved_state [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      f5740b4c-e432-4625-b471-854cc0544b97
Line Numbers                  

Raw Audit Messages            

avc: denied { append } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=14 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                system_u:object_r:file_t
Target Objects                saved_state [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      31ae1a2a-21cf-42db-93ac-65d3ca96bbe3
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=6 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "create" to
    0t1184182753ut773209u500p3160r1898720419k3216382600 (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
    that this access is required by /usr/libexec/gconfd-2 and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon -v
    0t1184182753ut773209u500p3160r1898720419k3216382600 If this does not work,
    there is currently no automatic way to allow this access. Instead,  you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                0t1184182753ut773209u500p3160r1898720419k321638260
                              0 [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      a51cc833-dfbc-4d15-af92-75fa18b1ef6a
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="gconfd-2" egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=13 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500


Summary
    SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "write" to /tmp
    /gconfd-jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600
    (deleted) (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
    that this access is required by /usr/libexec/gconfd-2 and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /tmp/gconfd-
    jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600 (deleted),
    restorecon -v /tmp/gconfd-
    jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600 (deleted) If
    this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                /tmp/gconfd-jeroen/lock/0t1184182753ut773209u500p3
                              160r1898720419k3216382600 (deleted) [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:13 PM CEST
Local ID                      43c80050-c84a-41d4-8710-27af12989f70
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=5 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" path=2F746D702F67636F
6E66642D6A65726F656E2F6C6F636B2F307431313834313832373533757437373332303975353030
703331363072313839383732303431396B33323136333832363030202864656C6574656429
pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/libexec/gconf-sanity-check-2 (hotplug_t) "unlink"
    to linc-c59-0-59aed03f1175c (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconf-sanity-check-2. It is
    not expected that this access is required by /usr/libexec/gconf-sanity-
    check-2 and this access may signal an intrusion attempt. It is also possible
    that the specific version or configuration of the application is causing it
    to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for linc-c59-0-59aed03f1175c,
    restorecon -v linc-c59-0-59aed03f1175c If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                linc-c59-0-59aed03f1175c [ sock_file ]
Affected RPM Packages         GConf2-gtk-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:14 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:14 PM CEST
Local ID                      487b5ccc-0e79-46c6-9f0f-b6dbc926873e
Line Numbers                  

Raw Audit Messages            

avc: denied { unlink } for comm="gconf-sanity-ch" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconf-sanity-check-2" exit=0 fsgid=500 fsuid=500 gid=500
items=0 name="linc-c59-0-59aed03f1175c" pid=3161
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=sock_file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500


Summary
    SELinux is preventing /usr/libexec/gconf-sanity-check-2 (hotplug_t)
    "remove_name" to gconf-test-locking-file-H819UT (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gconf-sanity-check-2. It is
    not expected that this access is required by /usr/libexec/gconf-sanity-
    check-2 and this access may signal an intrusion attempt. It is also possible
    that the specific version or configuration of the application is causing it
    to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for gconf-test-locking-file-H819UT,
    restorecon -v gconf-test-locking-file-H819UT If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                system_u:object_r:samba_share_t
Target Objects                gconf-test-locking-file-H819UT [ dir ]
Affected RPM Packages         GConf2-gtk-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:14 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:14 PM CEST
Local ID                      ded02b25-5b70-44c6-9ef8-b9834a7bfd0b
Line Numbers                  

Raw Audit Messages            

avc: denied { remove_name } for comm="gconf-sanity-ch" dev=dm-0 egid=500
euid=500 exe="/usr/libexec/gconf-sanity-check-2" exit=0 fsgid=500 fsuid=500
gid=500 items=0 name="gconf-test-locking-file-H819UT" pid=3161
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=dir tcontext=system_u:object_r:samba_share_t:s0 tty=(none)
uid=500


Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                system_u:object_r:file_t
Target Objects                .gtk-bookmarks [ file ]
Affected RPM Packages         xdg-user-dirs-gtk-0.5-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:17 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:17 PM CEST
Local ID                      ee98b859-0d82-4b0e-b7e3-5c5c8b930e61
Line Numbers                  

Raw Audit Messages            

avc: denied { unlink } for comm="xdg-user-dirs-g" dev=dm-0 egid=500 euid=500
exe="/usr/bin/xdg-user-dirs-gtk-update" exit=0 fsgid=500 fsuid=500 gid=500
items=0 name=".gtk-bookmarks" pid=3188 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/bin/gnome-volume-manager (hotplug_t)
    "remove_name" to linc-c76-0-1bfa9bbb3e55f (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/bin/gnome-volume-manager. It is not
    expected that this access is required by /usr/bin/gnome-volume-manager and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for linc-c76-0-1bfa9bbb3e55f,
    restorecon -v linc-c76-0-1bfa9bbb3e55f If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                linc-c76-0-1bfa9bbb3e55f [ dir ]
Affected RPM Packages         gnome-volume-manager-2.17.0-7.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:18 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:18 PM CEST
Local ID                      89cada9f-6067-45a0-9e60-550a273b1e4e
Line Numbers                  

Raw Audit Messages            

avc: denied { remove_name } for comm="gnome-volume-ma" dev=dm-0 egid=500
euid=500 exe="/usr/bin/gnome-volume-manager" exit=0 fsgid=500 fsuid=500 gid=500
items=0 name="linc-c76-0-1bfa9bbb3e55f" pid=3206
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=dir tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/bin/krb5-auth-dialog (hotplug_t) "add_name" to
    linc-c77-0-1bfa9bbbd8cea (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/bin/krb5-auth-dialog. It is not
    expected that this access is required by /usr/bin/krb5-auth-dialog and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for linc-c77-0-1bfa9bbbd8cea,
    restorecon -v linc-c77-0-1bfa9bbbd8cea If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                linc-c77-0-1bfa9bbbd8cea [ dir ]
Affected RPM Packages         krb5-auth-dialog-0.7-2 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:18 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:18 PM CEST
Local ID                      6f4b0812-b33a-4c46-88dc-bc788c2ea5ba
Line Numbers                  

Raw Audit Messages            

avc: denied { add_name } for comm="krb5-auth-dialo" egid=500 euid=500
exe="/usr/bin/krb5-auth-dialog" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="linc-c77-0-1bfa9bbbd8cea" pid=3191 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing /usr/libexec/mapping-daemon (hotplug_t) "create" to
    virtual-jeroen.H0vMIQ (samba_share_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/mapping-daemon. It is not
    expected that this access is required by /usr/libexec/mapping-daemon and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for virtual-jeroen.H0vMIQ,
    restorecon -v virtual-jeroen.H0vMIQ If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:samba_share_t
Target Objects                virtual-jeroen.H0vMIQ [ dir ]
Affected RPM Packages         nautilus-cd-burner-2.18.2-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:21 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:21 PM CEST
Local ID                      bd128ecf-0ef0-4a9b-9019-06b8d3cf3efc
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="mapping-daemon" egid=500 euid=500
exe="/usr/libexec/mapping-daemon" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="virtual-jeroen.H0vMIQ" pid=3242 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                system_u:object_r:file_t
Target Objects                saved_state [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.file
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:43 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:43 PM CEST
Local ID                      66ff25df-6268-463f-8630-901e8cb4babd
Line Numbers                  

Raw Audit Messages            

avc: denied { rename } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500


Summary
    SELinux is preventing the /usr/libexec/gconfd-2 from using potentially
    mislabeled files (saved_state.tmp).

Detailed Description
    SELinux has denied /usr/libexec/gconfd-2 access to potentially mislabeled
    file(s) (saved_state.tmp).  This means that SELinux will not allow
    /usr/libexec/gconfd-2 to use these files.  It is common for users to edit
    files in their home directory or tmp directories and then move (mv) them to
    system directories.  The problem is that the files end up with the wrong
    file context which confined applications are not allowed to access.

Allowing Access
    If you want /usr/libexec/gconfd-2 to access this files, you need to relabel
    them using restorecon -v saved_state.tmp.  You might want to relabel the
    entire directory using restorecon -R -v .

Additional Information        

Source Context                user_u:system_r:hotplug_t
Target Context                user_u:object_r:user_home_t
Target Objects                saved_state.tmp [ file ]
Affected RPM Packages         GConf2-2.18.0.1-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     living.lankheet.com
Platform                      Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Wed 11 Jul 2007 09:39:43 PM CEST
Last Seen                     Wed 11 Jul 2007 09:39:43 PM CEST
Local ID                      0d59b62d-1bed-40f3-b0f8-18a3888128a4
Line Numbers                  

Raw Audit Messages            

avc: denied { rename } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state.tmp" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=500


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux