07-02-2008, 12:40 PM
"Frank Murphy"

gconf-2 creating > unlabelled_t files

Do I run "cp -P /usr/libexec/gconfd-2"
-----------------------------------------------------
Summary:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context unconfined_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects .testing.writeability [ filesystem ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Unknown>
Host frank-03
Source RPM Packages GConf2-2.22.0-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-72.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name filesystem_associate
Host Name frank-03
Platform Linux frank-03 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun
10 16:27:49 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 02 Jul 2008 12:06:53 IST
Last Seen Wed 02 Jul 2008 12:06:53 IST
Local ID 9af5a524-6e39-40da-a8f0-146b28ebee10
Line Numbers

Raw Audit Messages

host=frank-03 type=AVC msg=audit(1214996813.541:52): avc: denied {
associate } for pid=9827 comm="gconfd-2" name=".testing.writeability"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=frank-03 type=SYSCALL msg=audit(1214996813.541:52): arch=40000003
syscall=5 success=no exit=-13 a0=8652d18 a1=41 a2=1c0 a3=8652d18
items=0 ppid=1 pid=9827 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconfd-2"
exe="/usr/libexec/gconfd-2"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
07-03-2008, 06:58 PM
Daniel J Walsh

gconf-2 creating > unlabelled_t files

Frank Murphy wrote:
> Do I run "cp -P /usr/libexec/gconfd-2"
> -----------------------------------------------------
> Summary:
>
> SELinux is preventing gconfd-2 from creating a file with a context of
> unlabeled_t on a filesystem.
>
> Detailed Description:
>
> SELinux is preventing gconfd-2 from creating a file with a context of
> unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
> maintain the context of a file when copying between file systems, "cp -a" for
> example. Not all file contexts should be maintained between the file systems.
> For example, a read-only file type like iso9660_t should not be placed on a r/w
> system. "cp -P" might be a better solution, as this will adopt the default file
> context for the destination.
>
> Allowing Access:
>
> Use a command like "cp -P" to preserve all permissions except SELinux context.
>
> Additional Information:
>
> Source Context unconfined_u:object_r:unlabeled_t:s0
> Target Context system_u:object_r:fs_t:s0
> Target Objects .testing.writeability [ filesystem ]
> Source gconfd-2
> Source Path /usr/libexec/gconfd-2
> Port <Unknown>
> Host frank-03
> Source RPM Packages GConf2-2.22.0-1.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-72.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name filesystem_associate
> Host Name frank-03
> Platform Linux frank-03 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun
> 10 16:27:49 EDT 2008 i686 i686
> Alert Count 1
> First Seen Wed 02 Jul 2008 12:06:53 IST
> Last Seen Wed 02 Jul 2008 12:06:53 IST
> Local ID 9af5a524-6e39-40da-a8f0-146b28ebee10
> Line Numbers
>
> Raw Audit Messages
>
> host=frank-03 type=AVC msg=audit(1214996813.541:52): avc: denied {
> associate } for pid=9827 comm="gconfd-2" name=".testing.writeability"
> scontext=unconfined_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> host=frank-03 type=SYSCALL msg=audit(1214996813.541:52): arch=40000003
> syscall=5 success=no exit=-13 a0=8652d18 a1=41 a2=1c0 a3=8652d18
> items=0 ppid=1 pid=9827 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconfd-2"
> exe="/usr/libexec/gconfd-2"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

restorecon -R -v ~/

Should fix this problem.

Also have you updated to the latest selinux-policy package?

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
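
An added example, not part of either post: a small triage script that parses raw AVC records and picks out the pattern seen in this thread (an `associate` denial on class `filesystem` where the file's label is `unlabeled_t`), which is the case a relabel with `restorecon` addresses. The first sample line is the thread's AVC record re-joined onto one line with its contexts in the standard user:role:type:level form; the second line and all function names are constructed for illustration.

```python
import re

# Line 1: the AVC record from the thread, re-joined onto one line.
# Line 2: a constructed, unrelated denial for contrast.
SAMPLE_LOG = (
    'host=frank-03 type=AVC msg=audit(1214996813.541:52): avc: denied '
    '{ associate } for pid=9827 comm="gconfd-2" name=".testing.writeability" '
    'scontext=unconfined_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem\n'
    'type=AVC msg=audit(1214996900.100:60): avc: denied { read } for pid=4242 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(context):
    """Type is the third colon-separated field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def is_unlabeled_associate(rec):
    """For filesystem/associate, scontext is the label of the file being created."""
    return (rec.get("tclass") == "filesystem"
            and "associate" in rec["perms"]
            and context_type(rec.get("scontext", "")) == "unlabeled_t")

def triage(log_text):
    """Return (comm, name, advice) for every AVC denial found in log_text."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        advice = ("unlabeled file: relabel the tree with restorecon -R -v"
                  if is_unlabeled_associate(rec) else "other denial: not this pattern")
        results.append((rec.get("comm"), rec.get("name"), advice))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```
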