FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor


 
 
LinkBack Thread Tools
 
Old 03-21-2008, 10:36 AM
"Valent Turkovic"
 
Default gconf alert

Hi.

I'm seeing lots of these alerts in rawhide.
Is this "normal" or is it a gnome or selinux issue or is my system problematic?

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

Summary:

SELinux is preventing the gconfd-2 from using potentially mislabeled files
(./saved_state.tmp).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied gconfd-2 access to potentially mislabeled file(s)
(./saved_state.tmp). This means that SELinux will not allow gconfd-2 to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want gconfd-2 to access this files, you need to relabel them using
restorecon -v './saved_state.tmp'. You might want to relabel the entire
directory using restorecon -R -v '.'.

Additional Information:

Source Context user_u:user_r:user_t:s0
Target Context user_ubject_r:admin_home_t:s0
Target Objects ./saved_state.tmp [ file ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Unknown>
Host valent.lan
Source RPM Packages GConf2-2.22.0-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-19.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name home_tmp_bad_labels
Host Name valent.lan
Platform Linux valent.lan 2.6.25-0.121.rc5.git4.fc9 #1 SMP
Fri Mar 14 23:14:20 EDT 2008 i686 i686
Alert Count 1
First Seen Fri 21 Mar 2008 12:31:12 PM CET
Last Seen Fri 21 Mar 2008 12:31:12 PM CET
Local ID 41418630-4541-4f2c-baa6-4cc6eec16d87
Line Numbers

Raw Audit Messages

host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied { rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9 ino=865370 scontext=user_u:user_r:user_t:s0 tcontext=user_ubject_r:admin_home_t:s0 tclass=file

host=valent.lan type=SYSCALL msg=audit(1206099072.482:443): arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0 a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-21-2008, 10:20 PM
Daniel J Walsh
 
Default gconf alert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valent Turkovic wrote:
> Hi.
>
> I'm seeing lots of these alerts in rawhide.
> Is this "normal" or is it a gnome or selinux issue or is my system problematic?
>
> Valent.
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well you are logging in as root via XWindows which is not a good idea
and we do not plan to fix the policy for this. Since it is such a bad
idea, and would break any security we have tried to add to SELinux to
eliminate the AVC. You also setup the user to login via user_t?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfkQtAACgkQrlYvE4MpobMhRACeJ9srkML85W xzUU6DVBtEPMS9
Uw0AoLqLWJUxIzTk79o7Tn4ybDSKRsE8
=z7RQ
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-22-2008, 09:17 AM
"Valent Turkovic"
 
Default gconf alert

On Sat, Mar 22, 2008 at 12:20 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Valent Turkovic wrote:
> > Hi.
> >
> > I'm seeing lots of these alerts in rawhide.
> > Is this "normal" or is it a gnome or selinux issue or is my system problematic?
> >
> > Valent.
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Well you are logging in as root via XWindows which is not a good idea
> and we do not plan to fix the policy for this. Since it is such a bad
> idea, and would break any security we have tried to add to SELinux to
> eliminate the AVC. You also setup the user to login via user_t?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkfkQtAACgkQrlYvE4MpobMhRACeJ9srkML85W xzUU6DVBtEPMS9
> Uw0AoLqLWJUxIzTk79o7Tn4ybDSKRsE8
> =z7RQ
> -----END PGP SIGNATURE-----
>


I'm not logging in as root to gnome.

Valent
.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-22-2008, 10:14 AM
Daniel J Walsh
 
Default gconf alert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valent Turkovic wrote:
> On Sat, Mar 22, 2008 at 12:20 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Valent Turkovic wrote:
>> > Hi.
>> >
>> > I'm seeing lots of these alerts in rawhide.
>> > Is this "normal" or is it a gnome or selinux issue or is my system problematic?
>> >
>> > Valent.
>> >
>> >
>> >
>> > ------------------------------------------------------------------------
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list@redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Well you are logging in as root via XWindows which is not a good idea
>> and we do not plan to fix the policy for this. Since it is such a bad
>> idea, and would break any security we have tried to add to SELinux to
>> eliminate the AVC. You also setup the user to login via user_t?
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.8 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkfkQtAACgkQrlYvE4MpobMhRACeJ9srkML85W xzUU6DVBtEPMS9
>> Uw0AoLqLWJUxIzTk79o7Tn4ybDSKRsE8
>> =z7RQ
>> -----END PGP SIGNATURE-----
>>
>
>
> I'm not logging in as root to gnome.
>
> Valent
> .
>
Well the AVC says

host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied {
rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9
ino=865370 scontext=user_u:user_r:user_t:s0
tcontext=user_ubject_r:admin_home_t:s0 tclass=file

host=valent.lan type=SYSCALL msg=audit(1206099072.482:443):
arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0
a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2"
exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)


admin_home_t is the label of /root

So either you have a labeling problem or you have gconfd-2 trying to
relabel saved_state.tmp which is labeled the root directory label
admin_home_t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfk6gAACgkQrlYvE4MpobMAXwCg2YpVaswVCQ VI7kSuOUk+CgDN
JWMAoIHx0BNqxOdbUKGsA1ruGBTlYvin
=F+6B
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-22-2008, 11:55 AM
"Valent Turkovic"
 
Default gconf alert

On Sat, Mar 22, 2008 at 12:14 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Valent Turkovic wrote:
> > On Sat, Mar 22, 2008 at 12:20 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >> Valent Turkovic wrote:
> >> > Hi.
> >> >
> >> > I'm seeing lots of these alerts in rawhide.
> >> > Is this "normal" or is it a gnome or selinux issue or is my system problematic?
> >> >
> >> > Valent.
> >> >
> >> >
> >> >
> >> > ------------------------------------------------------------------------
> >> >
> >> > --
> >> > fedora-selinux-list mailing list
> >> > fedora-selinux-list@redhat.com
> >> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >> Well you are logging in as root via XWindows which is not a good idea
> >> and we do not plan to fix the policy for this. Since it is such a bad
> >> idea, and would break any security we have tried to add to SELinux to
> >> eliminate the AVC. You also setup the user to login via user_t?
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.8 (GNU/Linux)
> >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> >>
> >> iEYEARECAAYFAkfkQtAACgkQrlYvE4MpobMhRACeJ9srkML85W xzUU6DVBtEPMS9
> >> Uw0AoLqLWJUxIzTk79o7Tn4ybDSKRsE8
> >> =z7RQ
> >> -----END PGP SIGNATURE-----
> >>
> >
> >
> > I'm not logging in as root to gnome.
> >
> > Valent
> > .
> >
> Well the AVC says
>
> host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied {
> rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9
> ino=865370 scontext=user_u:user_r:user_t:s0
> tcontext=user_ubject_r:admin_home_t:s0 tclass=file
>
> host=valent.lan type=SYSCALL msg=audit(1206099072.482:443):
> arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0
> a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2"
> exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)
>
>
> admin_home_t is the label of /root
>
> So either you have a labeling problem or you have gconfd-2 trying to
> relabel saved_state.tmp which is labeled the root directory label
> admin_home_t
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkfk6gAACgkQrlYvE4MpobMAXwCg2YpVaswVCQ VI7kSuOUk+CgDN
> JWMAoIHx0BNqxOdbUKGsA1ruGBTlYvin
> =F+6B
> -----END PGP SIGNATURE-----
>


I relabeled my system 2 times in last few days and I'm not running as
gmome as root. I don't know why I'm seeing this alert and that is why
I'm sending you this email.

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-22-2008, 11:55 AM
"Valent Turkovic"
 
Default gconf alert

On Sat, Mar 22, 2008 at 12:14 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Valent Turkovic wrote:
> > On Sat, Mar 22, 2008 at 12:20 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >> Valent Turkovic wrote:
> >> > Hi.
> >> >
> >> > I'm seeing lots of these alerts in rawhide.
> >> > Is this "normal" or is it a gnome or selinux issue or is my system problematic?
> >> >
> >> > Valent.
> >> >
> >> >
> >> >
> >> > ------------------------------------------------------------------------
> >> >
> >> > --
> >> > fedora-selinux-list mailing list
> >> > fedora-selinux-list@redhat.com
> >> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >> Well you are logging in as root via XWindows which is not a good idea
> >> and we do not plan to fix the policy for this. Since it is such a bad
> >> idea, and would break any security we have tried to add to SELinux to
> >> eliminate the AVC. You also setup the user to login via user_t?
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.8 (GNU/Linux)
> >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> >>
> >> iEYEARECAAYFAkfkQtAACgkQrlYvE4MpobMhRACeJ9srkML85W xzUU6DVBtEPMS9
> >> Uw0AoLqLWJUxIzTk79o7Tn4ybDSKRsE8
> >> =z7RQ
> >> -----END PGP SIGNATURE-----
> >>
> >
> >
> > I'm not logging in as root to gnome.
> >
> > Valent
> > .
> >
> Well the AVC says
>
> host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied {
> rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9
> ino=865370 scontext=user_u:user_r:user_t:s0
> tcontext=user_ubject_r:admin_home_t:s0 tclass=file
>
> host=valent.lan type=SYSCALL msg=audit(1206099072.482:443):
> arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0
> a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2"
> exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)
>
>
> admin_home_t is the label of /root
>
> So either you have a labeling problem or you have gconfd-2 trying to
> relabel saved_state.tmp which is labeled the root directory label
> admin_home_t
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkfk6gAACgkQrlYvE4MpobMAXwCg2YpVaswVCQ VI7kSuOUk+CgDN
> JWMAoIHx0BNqxOdbUKGsA1ruGBTlYvin
> =F+6B
> -----END PGP SIGNATURE-----
>


I relabeled my system 2 times in last few days and I'm not running as
gmome as root. I don't know why I'm seeing this alert and that is why
I'm sending you this email.

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-22-2008, 11:55 AM
"Valent Turkovic"
 
Default gconf alert

On Sat, Mar 22, 2008 at 1:55 PM, Valent Turkovic
<valent.turkovic@gmail.com> wrote:
>
> On Sat, Mar 22, 2008 at 12:14 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Valent Turkovic wrote:
> > > On Sat, Mar 22, 2008 at 12:20 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >>
> > >> Valent Turkovic wrote:
> > >> > Hi.
> > >> >
> > >> > I'm seeing lots of these alerts in rawhide.
> > >> > Is this "normal" or is it a gnome or selinux issue or is my system problematic?
> > >> >
> > >> > Valent.
> > >> >
> > >> >
> > >> >
> > >> > ------------------------------------------------------------------------
> > >> >
> > >> > --
> > >> > fedora-selinux-list mailing list
> > >> > fedora-selinux-list@redhat.com
> > >> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > >> Well you are logging in as root via XWindows which is not a good idea
> > >> and we do not plan to fix the policy for this. Since it is such a bad
> > >> idea, and would break any security we have tried to add to SELinux to
> > >> eliminate the AVC. You also setup the user to login via user_t?
> > >> -----BEGIN PGP SIGNATURE-----
> > >> Version: GnuPG v1.4.8 (GNU/Linux)
> > >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> > >>
> > >> iEYEARECAAYFAkfkQtAACgkQrlYvE4MpobMhRACeJ9srkML85W xzUU6DVBtEPMS9
> > >> Uw0AoLqLWJUxIzTk79o7Tn4ybDSKRsE8
> > >> =z7RQ
> > >> -----END PGP SIGNATURE-----
> > >>
> > >
> > >
> > > I'm not logging in as root to gnome.
> > >
> > > Valent
> > > .
> > >
> > Well the AVC says
> >
> > host=valent.lan type=AVC msg=audit(1206099072.482:443): avc: denied {
> > rename } for pid=13738 comm="gconfd-2" name="saved_state.tmp" dev=sda9
> > ino=865370 scontext=user_u:user_r:user_t:s0
> > tcontext=user_ubject_r:admin_home_t:s0 tclass=file
> >
> > host=valent.lan type=SYSCALL msg=audit(1206099072.482:443):
> > arch=40000003 syscall=38 success=yes exit=0 a0=9f59b20 a1=9f57118 a2=0
> > a3=5 items=0 ppid=1 pid=13738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="gconfd-2"
> > exe="/usr/libexec/gconfd-2" subj=user_u:user_r:user_t:s0 key=(null)
> >
> >
> > admin_home_t is the label of /root
> >
> > So either you have a labeling problem or you have gconfd-2 trying to
> > relabel saved_state.tmp which is labeled the root directory label
> > admin_home_t
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.8 (GNU/Linux)
> > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> >
> > iEYEARECAAYFAkfk6gAACgkQrlYvE4MpobMAXwCg2YpVaswVCQ VI7kSuOUk+CgDN
> > JWMAoIHx0BNqxOdbUKGsA1ruGBTlYvin
> > =F+6B
> > -----END PGP SIGNATURE-----
> >
>
>
> I relabeled my system 2 times in last few days and I'm not running as
> gmome as root. I don't know why I'm seeing this alert and that is why
> I'm sending you this email.
>
>
>
> Valent.
>
> --
> http://kernelreloaded.blog385.com/
> linux, blog, anime, spirituality, windsurf, wireless
> registered as user #367004 with the Linux Counter, http://counter.li.org.
> ICQ: 2125241, Skype: valent.turkovic
>


I'm seeing it in F8 and also in F9 Beta
.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-22-2008, 11:59 AM
"Valent Turkovic"
 
Default gconf alert

Here are the latest ones from F8.

I'll reboot to F9 beta and send those also.

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

Summary:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context unconfined_ubject_r:unlabeled_t:s0
Target Context system_ubject_r:fs_t:s0
Target Objects saved_state.tmp [ filesystem ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Unknown>
Host valent.oswireless
Source RPM Packages GConf2-2.20.1-1.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-93.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name filesystem_associate
Host Name valent.oswireless
Platform Linux valent.oswireless 2.6.24.3-34.fc8 #1 SMP Wed
Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count 1
First Seen Sat 22 Mar 2008 08:55:28 AM CET
Last Seen Sat 22 Mar 2008 08:55:28 AM CET
Local ID a99f93ec-fbdf-4beb-a85c-fc340a1a687b
Line Numbers

Raw Audit Messages

host=valent.oswireless type=AVC msg=audit(1206172528.330:148): avc: denied { associate } for pid=2571 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_ubject_r:unlabeled_t:s0 tcontext=system_ubject_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1206172528.330:148): arch=40000003 syscall=5 success=yes exit=62 a0=8ee47d0 a1=241 a2=1c0 a3=8c8e130 items=0 ppid=1 pid=2571 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context unconfined_ubject_r:unlabeled_t:s0
Target Context system_ubject_r:fs_t:s0
Target Objects %gconf.xml.new [ filesystem ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Unknown>
Host valent.oswireless
Source RPM Packages GConf2-2.20.1-1.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-93.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name filesystem_associate
Host Name valent.oswireless
Platform Linux valent.oswireless 2.6.24.3-34.fc8 #1 SMP Wed
Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count 4
First Seen Fri 21 Mar 2008 09:25:05 PM CET
Last Seen Sat 22 Mar 2008 11:29:00 AM CET
Local ID 59be503c-e098-4c10-9e91-d226a159ebdb
Line Numbers

Raw Audit Messages

host=valent.oswireless type=AVC msg=audit(1206181740.396:176): avc: denied { associate } for pid=2571 comm="gconfd-2" name="%gconf.xml.new" scontext=unconfined_ubject_r:unlabeled_t:s0 tcontext=system_ubject_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1206181740.396:176): arch=40000003 syscall=5 success=yes exit=64 a0=8ee4c78 a1=41 a2=180 a3=8ec1d30 items=0 ppid=1 pid=2571 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-23-2008, 04:11 AM
Andrew Farris
 
Default gconf alert

Valent Turkovic wrote:

Here are the latest ones from F8.

I'll reboot to F9 beta and send those also.

Valent.


Can you try logging in via startx rather than GDM and see if it keeps happening?
I'd be interested to know. My recent problem with GDM logging my user in as
bootloader_t has just disappeared and I'm not sure why (although there was a
policy and gdm version update, so it could have been fixed accidentally).


--
Andrew Farris <lordmorgul@gmail.com> www.lordmorgul.net
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
---- ----

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 03-23-2008, 10:34 AM
Daniel J Walsh
 
Default gconf alert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valent Turkovic wrote:
> Here are the latest ones from F8.
>
> I'll reboot to F9 beta and send those also.
>
> Valent.
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I believe you have some stuff out in /tmp that is causing this. /tmp is
not cleaned up on a relabel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfmQEEACgkQrlYvE4MpobPYdQCfT49WOHkI/znmW+6RyXTM+GbO
v04AoNqxXJCrT36PwV0t63ZZBXv7tknB
=b2o1
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 01:14 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org