Bruno Wolff III wrote:
it's ready relabeling or if it's doing anything at all.
Open another terminal while it is running, and check the output of the
`top` command - this only works if you _can_ get to other terminals at
the same time, which I believe is not true in runlevel 1, or when
rebooting.
If you are doing an auto relabel you won't be able to login. The whole point
of doing the relabel at that point is that it is before init has started up
processes labelled incorrectly.
What you could do if you want to keep doing stuff through a relabel, is
change to permissive mode, run fixfiles restore /, reboot when it's done, change
back to enforcing mode.
That process I think can still hit some corner cases where files might be
left incorrectly labelled. But you can run a verify afterwards to check.
Thanks for the help so far guys, and sorry for the lousy subject.
I booted into runlevel 1 and saw the relabel doing its work.
Then I could actually boot my system and login again without having to
disable selinux as a kernel parameter. But selinux was still in
permissive mode.
The SELinux troubleshooter mentioned some alerts; denials and
potentially mislabeled files. So I switched to enforcing mode, and then
immediately all kinds of (more or less expected) problems start. The
system logs me out 10 seconds after being logged in.
So now I'm back in permissive mode.
So the next challenge is that I should 'make the troubleshooter happy'.
But this is the part where my selinux knowledge is falling short.
The attached file contains the troubleshooter alerts.
How do I create a local policy for these selinux denials? I don't know
what the complained files are for.
Regards,
Jeroen.
Summary
SELinux is preventing /usr/bin/ssh-agent (hotplug_t) "create" to ssh-
jASrzL3044 (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/bin/ssh-agent. It is not expected
that this access is required by /usr/bin/ssh-agent and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ssh-jASrzL3044, restorecon -v
ssh-jASrzL3044 If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects ssh-jASrzL3044 [ dir ]
Affected RPM Packages openssh-clients-4.5p1-6.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:12 PM CEST
Last Seen Wed 11 Jul 2007 09:39:12 PM CEST
Local ID cc8f5919-2565-4ebf-94dc-57038e4e2427
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="ssh-agent" dev=dm-0 egid=500 euid=500
exe="/usr/bin/ssh-agent" exit=0 fsgid=500 fsuid=500 gid=500 items=0 name="ssh-
jASrzL3044" pid=3044 scontext=user_u:system_r:hotplug_t:s0 sgid=99
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/bin/ssh-agent (hotplug_t) "create" to agent.3044
(samba_share_t).
Detailed Description
SELinux denied access requested by /usr/bin/ssh-agent. It is not expected
that this access is required by /usr/bin/ssh-agent and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for agent.3044, restorecon -v
agent.3044 If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects agent.3044 [ sock_file ]
Affected RPM Packages openssh-clients-4.5p1-6.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:12 PM CEST
Last Seen Wed 11 Jul 2007 09:39:12 PM CEST
Local ID a7ce378b-77d6-43bf-9517-5a123b442750
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="ssh-agent" dev=dm-0 egid=500 euid=500
exe="/usr/bin/ssh-agent" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="agent.3044" pid=3044 scontext=user_u:system_r:hotplug_t:s0 sgid=99
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=sock_file
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "lock" to /tmp
/gconfd-jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600
(samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
that this access is required by /usr/libexec/gconfd-2 and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /tmp/gconfd-
jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon
-v /tmp/gconfd-
jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600 If this does
not work, there is currently no automatic way to allow this access. Instead,
you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects /tmp/gconfd-jeroen/lock/0t1184182753ut773209u500p3
160r1898720419k3216382600 [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID 3860f0ee-0ce5-45b2-a737-b6397da8d623
Line Numbers
Raw Audit Messages
avc: denied { lock } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" path="/tmp/gconfd-
jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500
Summary
SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "link" to
0t1184182753ut773209u500p3160r1898720419k3216382600 (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
that this access is required by /usr/libexec/gconfd-2 and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for
0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon -v
0t1184182753ut773209u500p3160r1898720419k3216382600 If this does not work,
there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects 0t1184182753ut773209u500p3160r1898720419k321638260
0 [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID 2f6ba3ad-76fe-4e2b-9d83-0ed36b110d2f
Line Numbers
Raw Audit Messages
avc: denied { link } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500
Summary
SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "unlink" to
0t1184182753ut773209u500p3160r1898720419k3216382600 (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
that this access is required by /usr/libexec/gconfd-2 and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for
0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon -v
0t1184182753ut773209u500p3160r1898720419k3216382600 If this does not work,
there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects 0t1184182753ut773209u500p3160r1898720419k321638260
0 [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID 8366a58e-046d-454d-8959-e26277109dc5
Line Numbers
Raw Audit Messages
avc: denied { unlink } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500
Summary
SELinux is preventing /usr/bin/gnome-session (hotplug_t) "connectto" to /tmp
/orbit-jeroen/linc-c58-0-39af5a27bc7a6 (hotplug_t).
Detailed Description
SELinux denied access requested by /usr/bin/gnome-session. It is not
expected that this access is required by /usr/bin/gnome-session and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:system_r:hotplug_t
Target Objects /tmp/orbit-jeroen/linc-c58-0-39af5a27bc7a6 [
unix_stream_socket ]
Affected RPM Packages gnome-session-2.18.3-1.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID 0a8f0c20-d75e-4215-afba-5fe8d2e5cecf
Line Numbers
Raw Audit Messages
avc: denied { connectto } for comm="gnome-session" dev=dm-0 egid=500 euid=500
exe="/usr/bin/gnome-session" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="linc-c58-0-39af5a27bc7a6" path="/tmp/orbit-
jeroen/linc-c58-0-39af5a27bc7a6" pid=3044 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=unix_stream_socket
tcontext=user_u:system_r:hotplug_t:s0 tty=(none) uid=500
Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context system_u:object_r:file_t
Target Objects /home/jeroen/.gconfd/saved_state [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID c339b7f3-f95e-421e-bad8-0160e715e1bc
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" path="/home/jeroen/.gconfd/saved_state" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500
Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context system_u:object_r:file_t
Target Objects saved_state [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID f5740b4c-e432-4625-b471-854cc0544b97
Line Numbers
Raw Audit Messages
avc: denied { append } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=14 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500
Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context system_u:object_r:file_t
Target Objects saved_state [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID 31ae1a2a-21cf-42db-93ac-65d3ca96bbe3
Line Numbers
Raw Audit Messages
avc: denied { read } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=6 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "create" to
0t1184182753ut773209u500p3160r1898720419k3216382600 (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
that this access is required by /usr/libexec/gconfd-2 and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for
0t1184182753ut773209u500p3160r1898720419k3216382600, restorecon -v
0t1184182753ut773209u500p3160r1898720419k3216382600 If this does not work,
there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects 0t1184182753ut773209u500p3160r1898720419k321638260
0 [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID a51cc833-dfbc-4d15-af92-75fa18b1ef6a
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="gconfd-2" egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=13 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" pid=3160
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500
Summary
SELinux is preventing /usr/libexec/gconfd-2 (hotplug_t) "write" to /tmp
/gconfd-jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600
(deleted) (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconfd-2. It is not expected
that this access is required by /usr/libexec/gconfd-2 and this access may
signal an intrusion attempt. It is also possible that the specific version
or configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /tmp/gconfd-
jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600 (deleted),
restorecon -v /tmp/gconfd-
jeroen/lock/0t1184182753ut773209u500p3160r1898720419k3216382600 (deleted) If
this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects /tmp/gconfd-jeroen/lock/0t1184182753ut773209u500p3
160r1898720419k3216382600 (deleted) [ file ]
Affected RPM Packages GConf2-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:13 PM CEST
Last Seen Wed 11 Jul 2007 09:39:13 PM CEST
Local ID 43c80050-c84a-41d4-8710-27af12989f70
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=5 fsgid=500 fsuid=500 gid=500 items=0
name="0t1184182753ut773209u500p3160r1898720419k3216382600" path=2F746D702F67636F
6E66642D6A65726F656E2F6C6F636B2F307431313834313832373533757437373332303975353030
703331363072313839383732303431396B33323136333832363030202864656C6574656429
pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/libexec/gconf-sanity-check-2 (hotplug_t) "unlink"
to linc-c59-0-59aed03f1175c (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconf-sanity-check-2. It is
not expected that this access is required by /usr/libexec/gconf-sanity-
check-2 and this access may signal an intrusion attempt. It is also possible
that the specific version or configuration of the application is causing it
to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for linc-c59-0-59aed03f1175c,
restorecon -v linc-c59-0-59aed03f1175c If this does not work, there is
currently no automatic way to allow this access. Instead, you can generate
a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects linc-c59-0-59aed03f1175c [ sock_file ]
Affected RPM Packages GConf2-gtk-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:14 PM CEST
Last Seen Wed 11 Jul 2007 09:39:14 PM CEST
Local ID 487b5ccc-0e79-46c6-9f0f-b6dbc926873e
Line Numbers
Raw Audit Messages
avc: denied { unlink } for comm="gconf-sanity-ch" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconf-sanity-check-2" exit=0 fsgid=500 fsuid=500 gid=500
items=0 name="linc-c59-0-59aed03f1175c" pid=3161
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=sock_file tcontext=user_u:object_r:samba_share_t:s0 tty=(none)
uid=500
Summary
SELinux is preventing /usr/libexec/gconf-sanity-check-2 (hotplug_t)
"remove_name" to gconf-test-locking-file-H819UT (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/gconf-sanity-check-2. It is
not expected that this access is required by /usr/libexec/gconf-sanity-
check-2 and this access may signal an intrusion attempt. It is also possible
that the specific version or configuration of the application is causing it
to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for gconf-test-locking-file-H819UT,
restorecon -v gconf-test-locking-file-H819UT If this does not work, there is
currently no automatic way to allow this access. Instead, you can generate
a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context system_u:object_r:samba_share_t
Target Objects gconf-test-locking-file-H819UT [ dir ]
Affected RPM Packages GConf2-gtk-2.18.0.1-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:14 PM CEST
Last Seen Wed 11 Jul 2007 09:39:14 PM CEST
Local ID ded02b25-5b70-44c6-9ef8-b9834a7bfd0b
Line Numbers
Raw Audit Messages
avc: denied { remove_name } for comm="gconf-sanity-ch" dev=dm-0 egid=500
euid=500 exe="/usr/libexec/gconf-sanity-check-2" exit=0 fsgid=500 fsuid=500
gid=500 items=0 name="gconf-test-locking-file-H819UT" pid=3161
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=dir tcontext=system_u:object_r:samba_share_t:s0 tty=(none)
uid=500
Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context system_u:object_r:file_t
Target Objects .gtk-bookmarks [ file ]
Affected RPM Packages xdg-user-dirs-gtk-0.5-1.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:17 PM CEST
Last Seen Wed 11 Jul 2007 09:39:17 PM CEST
Local ID ee98b859-0d82-4b0e-b7e3-5c5c8b930e61
Line Numbers
Raw Audit Messages
avc: denied { unlink } for comm="xdg-user-dirs-g" dev=dm-0 egid=500 euid=500
exe="/usr/bin/xdg-user-dirs-gtk-update" exit=0 fsgid=500 fsuid=500 gid=500
items=0 name=".gtk-bookmarks" pid=3188 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/bin/gnome-volume-manager (hotplug_t)
"remove_name" to linc-c76-0-1bfa9bbb3e55f (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/bin/gnome-volume-manager. It is not
expected that this access is required by /usr/bin/gnome-volume-manager and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for linc-c76-0-1bfa9bbb3e55f,
restorecon -v linc-c76-0-1bfa9bbb3e55f If this does not work, there is
currently no automatic way to allow this access. Instead, you can generate
a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:hotplug_t
Target Context user_u:object_r:samba_share_t
Target Objects linc-c76-0-1bfa9bbb3e55f [ dir ]
Affected RPM Packages gnome-volume-manager-2.17.0-7.fc7 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name living.lankheet.com
Platform Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count 1
First Seen Wed 11 Jul 2007 09:39:18 PM CEST
Last Seen Wed 11 Jul 2007 09:39:18 PM CEST
Local ID 89cada9f-6067-45a0-9e60-550a273b1e4e
Line Numbers
Raw Audit Messages
avc: denied { remove_name } for comm="gnome-volume-ma" dev=dm-0 egid=500
euid=500 exe="/usr/bin/gnome-volume-manager" exit=0 fsgid=500 fsuid=500 gid=500
items=0 name="linc-c76-0-1bfa9bbb3e55f" pid=3206
scontext=user_u:system_r:hotplug_t:s0 sgid=500 subj=user_u:system_r:hotplug_t:s0
suid=500 tclass=dir tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/bin/krb5-auth-dialog (hotplug_t) "add_name" to
linc-c77-0-1bfa9bbbd8cea (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/bin/krb5-auth-dialog. It is not
expected that this access is required by /usr/bin/krb5-auth-dialog and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for linc-c77-0-1bfa9bbbd8cea,
restorecon -v linc-c77-0-1bfa9bbbd8cea If this does not work, there is
currently no automatic way to allow this access. Instead, you can generate
a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context          user_u:system_r:hotplug_t
Target Context          user_u:object_r:samba_share_t
Target Objects          linc-c77-0-1bfa9bbbd8cea [ dir ]
Affected RPM Packages   krb5-auth-dialog-0.7-2 [application]
Policy RPM              selinux-policy-2.6.4-25.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall_file
Host Name               living.lankheet.com
Platform                Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                        Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count             1
First Seen              Wed 11 Jul 2007 09:39:18 PM CEST
Last Seen               Wed 11 Jul 2007 09:39:18 PM CEST
Local ID                6f4b0812-b33a-4c46-88dc-bc788c2ea5ba
Line Numbers
Raw Audit Messages
avc: denied { add_name } for comm="krb5-auth-dialo" egid=500 euid=500
exe="/usr/bin/krb5-auth-dialog" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="linc-c77-0-1bfa9bbbd8cea" pid=3191 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500
Summary
SELinux is preventing /usr/libexec/mapping-daemon (hotplug_t) "create" to
virtual-jeroen.H0vMIQ (samba_share_t).
Detailed Description
SELinux denied access requested by /usr/libexec/mapping-daemon. It is not
expected that this access is required by /usr/libexec/mapping-daemon and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for virtual-jeroen.H0vMIQ,
restorecon -v virtual-jeroen.H0vMIQ If this does not work, there is
currently no automatic way to allow this access. Instead, you can generate
a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context          user_u:system_r:hotplug_t
Target Context          user_u:object_r:samba_share_t
Target Objects          virtual-jeroen.H0vMIQ [ dir ]
Affected RPM Packages   nautilus-cd-burner-2.18.2-1.fc7 [application]
Policy RPM              selinux-policy-2.6.4-25.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall_file
Host Name               living.lankheet.com
Platform                Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                        Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count             1
First Seen              Wed 11 Jul 2007 09:39:21 PM CEST
Last Seen               Wed 11 Jul 2007 09:39:21 PM CEST
Local ID                bd128ecf-0ef0-4a9b-9019-06b8d3cf3efc
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="mapping-daemon" egid=500 euid=500
exe="/usr/libexec/mapping-daemon" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="virtual-jeroen.H0vMIQ" pid=3242 scontext=user_u:system_r:hotplug_t:s0
sgid=500 subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:samba_share_t:s0 tty=(none) uid=500
Summary
SELinux is preventing access to files with the label, file_t.
Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.
Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"
Additional Information
Source Context          user_u:system_r:hotplug_t
Target Context          system_u:object_r:file_t
Target Objects          saved_state [ file ]
Affected RPM Packages   GConf2-2.18.0.1-2.fc7 [application]
Policy RPM              selinux-policy-2.6.4-25.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.file
Host Name               living.lankheet.com
Platform                Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                        Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count             1
First Seen              Wed 11 Jul 2007 09:39:43 PM CEST
Last Seen               Wed 11 Jul 2007 09:39:43 PM CEST
Local ID                66ff25df-6268-463f-8630-901e8cb4babd
Line Numbers
Raw Audit Messages
avc: denied { rename } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=500
Summary
SELinux is preventing the /usr/libexec/gconfd-2 from using potentially
mislabeled files (saved_state.tmp).
Detailed Description
SELinux has denied /usr/libexec/gconfd-2 access to potentially mislabeled
file(s) (saved_state.tmp). This means that SELinux will not allow
/usr/libexec/gconfd-2 to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong
file context which confined applications are not allowed to access.
Allowing Access
If you want /usr/libexec/gconfd-2 to access this files, you need to relabel
them using restorecon -v saved_state.tmp. You might want to relabel the
entire directory using restorecon -R -v .
Additional Information
Source Context          user_u:system_r:hotplug_t
Target Context          user_u:object_r:user_home_t
Target Objects          saved_state.tmp [ file ]
Affected RPM Packages   GConf2-2.18.0.1-2.fc7 [application]
Policy RPM              selinux-policy-2.6.4-25.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.home_tmp_bad_labels
Host Name               living.lankheet.com
Platform                Linux living.lankheet.com 2.6.21-1.3228.fc7 #1 SMP
                        Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count             1
First Seen              Wed 11 Jul 2007 09:39:43 PM CEST
Last Seen               Wed 11 Jul 2007 09:39:43 PM CEST
Local ID                0d59b62d-1bed-40f3-b0f8-18a3888128a4
Line Numbers
Raw Audit Messages
avc: denied { rename } for comm="gconfd-2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/gconfd-2" exit=0 fsgid=500 fsuid=500 gid=500 items=0
name="saved_state.tmp" pid=3160 scontext=user_u:system_r:hotplug_t:s0 sgid=500
subj=user_u:system_r:hotplug_t:s0 suid=500 tclass=file
tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=500