Old 01-16-2008, 03:41 PM
Antonio Olivares
 
SELinux is preventing access to files with the label, file_t.

Is anybody else seeing this?

I have seen it before. I have not added other disks/drives. I do not know what file_t is?

I ask why should I do this:

"touch /.autorelabel; reboot"
?

It takes a big while. I have already allowed a stack from new firefox3.0 beta.

[root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/firefox-3.0b3pre/firefox

because it complains as well.

Thanks,

Antonio

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is the context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled file_t. If you have just added a new disk drive to the system you can relabel it using the restorecon command. Otherwise you should relabel the entire files system.

Allowing Access:

You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot"

Additional Information:

Source Context        system_u:system_r:tmpreaper_t
Target Context        system_u:object_r:file_t
Target Objects        /tmp/virtual-olivares.p28akz [ dir ]
Source                tmpwatch(/usr/sbin/tmpwatch)
Port                  <Unknown>
Host                  localhost
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.2.5-12.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           file
Host Name             localhost
Platform              Linux localhost 2.6.24-0.150.rc7.git4.fc9 #1 SMP Sat Jan 12 11:44:09 EST 2008 i686 athlon
Alert Count           1
First Seen            Wed 16 Jan 2008 08:48:19 AM CST
Last Seen             Wed 16 Jan 2008 08:48:19 AM CST
Local ID              ac67f7f5-25da-43ef-8f11-682504e2a274
Line Numbers

Raw Audit Messages

host=localhost type=AVC msg=audit(1200494899.124:38): avc: denied { getattr } for pid=3073 comm="tmpwatch" path="/tmp/virtual-olivares.p28akz" dev=dm-0 ino=31391794 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

host=localhost type=SYSCALL msg=audit(1200494899.124:38): arch=40000003 syscall=196 success=no exit=-13 a0=99f65bb a1=bfc24780 a2=5feff4 a3=99f6008 items=0 ppid=3071 pid=3073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)






--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-17-2008, 04:42 PM
Daniel J Walsh
 
SELinux is preventing access to files with the label, file_t.


Till Maas wrote:
> On Wed January 16 2008, Antonio Olivares wrote:
>
>> I have seen it before. I have not added other
>> disks/drives. I do not know what file_t is?
>
> file_t is the type/context of files that are not really labeled.
>
>> I ask why should I do this:
>>
>> "touch /.autorelabel; reboot"
>> ?
>
> These should apply the correct context on all files, maybe in your case running
> restorecon (man restorecon) is enough, too. This does not require a reboot.
> But I do not know more about this issue.
>
> Regards,
> Till
>
Yes, file_t means you have a file with no label on it. If you are adding
a new disk drive with existing files, you can end up with this, or if
you turn on SELinux on a machine that did not have it before, this can
happen. (Although when Fedora boots it is supposed to realize SELinux
is turned on and the machine needs to be labeled.)

touch /.autorelabel; reboot
will relabel the entire machine.

But if you are just adding a new disk you could just execute

restorecon -R -v PATHTOMOUNTPOINT

And that will fix it.

You can also mount the disk using context=system_u:object_r:TYPE_t:s0
and not add labels at all.


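As an added example that is not part of the original thread: a small shell filter that scans audit records for AVC denials whose target type is file_t and prints, for each affected path, the restorecon command suggested in the reply above, without running it. The first sample record is the one from the report above; the other two records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Record 1 is the AVC line from the report above; records 2-3 are constructed.
SAMPLE_LOG='host=localhost type=AVC msg=audit(1200494899.124:38): avc: denied { getattr } for pid=3073 comm="tmpwatch" path="/tmp/virtual-olivares.p28akz" dev=dm-0 ino=31391794 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1200494900.001:39): avc: denied { read } for pid=3100 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1200494901.002:40): avc: denied { open } for pid=3101 comm="updatedb" path="/mnt/data/report.txt" dev=sdb1 ino=77 scontext=system_u:system_r:locate_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# Read audit records on stdin; for each AVC denial whose target type is
# file_t, print "comm<TAB>tclass<TAB>path".
# Limitation: fields are split on whitespace, so paths containing spaces
# are truncated, and records without a path= field are skipped.
file_t_denials() {
    awk '
    /type=AVC/ && /avc:[ ]+denied/ {
        comm = ""; path = ""; tctx = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "path") path = val
            else if (key == "tcontext") tctx = val
            else if (key == "tclass") tclass = val
        }
        # A context is user:role:type[:level]; the third field is the type.
        split(tctx, c, ":")
        if (c[3] == "file_t" && path != "")
            printf "%s\t%s\t%s\n", comm, tclass, path
    }'
}

# Turn that output into one restorecon suggestion per unique path:
# recursive for directories, single-object otherwise. Nothing is executed.
restorecon_hints() {
    awk -F '\t' '!seen[$3]++ {
        flags = ($2 == "dir") ? "-R -v" : "-v"
        printf "restorecon %s %s\n", flags, $3
    }'
}

printf '%s\n' "$SAMPLE_LOG" | file_t_denials | restorecon_hints
```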
 
