Re: SELinux is preventing access to files with the label, file_t.

"Andrew Farris" <lordmorgul@xxxxxxxxx> · Tue, 4 Mar 2008 20:25:04 -0800

On Tue, Mar 4, 2008 at 6:12 PM, Antonio Olivares
<olivares14031@xxxxxxxxx> wrote:
>  Hope the file does not come back :)

I went ahead and switched my setup to use tmpfs as well, and cleared
out /tmp completely then logged back in.  I have no problems with
file_t in tmp yet, but I do in my home.  Here is what showed up.  I
didn't realize the files I posted before were partially here in my
home causing these denials.

Summary:

SELinux is preventing access to files with the label, file_t.

host=cirithungol type=AVC msg=audit(1204690113.416:341): avc:  denied
{ read } for  pid=16945 comm="npviewer.bin" name=".Xauthority"
dev=sdb2 ino=3742
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

host=cirithungol type=SYSCALL msg=audit(1204690113.416:341):
arch=40000003 syscall=33 success=no exit=-13 a0=bfa3afb9 a1=4
a2=b1d9f0 a3=bfa3afb9 items=0 ppid=16931 pid=16945 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=(none) ses=1 comm="npviewer.bin"
exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing access to files with the label, file_t.

host=cirithungol type=AVC msg=audit(1204689737.53:325): avc:  denied
{ read } for  pid=16233 comm="ck-get-x11-serv" name=".Xauthority"
dev=sdb2 ino=3742
scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=file

host=cirithungol type=SYSCALL msg=audit(1204689737.53:325):
arch=40000003 syscall=33 success=no exit=-13 a0=bfd33fa6 a1=4
a2=b1d9f0 a3=bfd33fa6 items=0 ppid=16232 pid=16233 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=4294967295 comm="ck-get-x11-serv"
exe="/usr/libexec/ck-get-x11-server-pid"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

It turns out ~/.Xauthority is labeled file_t, so is
~/.xsession-errors.  I've just deleted both and going to see if they
get labeled right when I login again.  These should be user_home_t I
would assume...

'ls -lRz ~ | grep file_t' showed hundreds of files labeled file_t.
Going to go relabel everything again and see if they persist.

-- 
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----
                                                    ----

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-test-list