Upgrade and SELinux messages


 



I upgraded from F8 to F10.  It appeared to go smoothly, but then I 
received the following SELinux errors:

/************************************************************************/
/************** first 

Summary:

SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute" to
./console-kit-daemon (consolekit_exec_t).

Detailed Description:

SELinux denied access requested by dbus-daemon-lau. It is not expected
that this access is required by dbus-daemon-lau and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access. 

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./console-kit-daemon,

restorecon -v './console-kit-daemon'


Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_exec_t:s0
Target Objects                ./console-kit-daemon [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dbus-1.2.4-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   35
First Seen                    Thu 15 Jan 2009 03:45:37 PM PST
Last Seen                     Thu 15 Jan 2009 03:47:19 PM PST
Local ID                      a0430578-0415-40c9-ac4e-b9f86d3b479c
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
denied  { execute } for  pid=3010 comm="dbus-daemon-lau"
name="console-kit-daemon" dev=dm-0 ino=54362144
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58):
arch=40000003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8
a2=8f08008 a3=2d09bc items=0 ppid=3009 pid=3010 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="dbus-daemon-lau"
exe="/lib/dbus-1/dbus-daemon-launch-helper"
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

###
### The restorecon mentioned returned an error that the file doesn't 
### exist.

/************************************************************************/
/************** second

Summary:

SELinux is preventing plymouthd from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

SELinux is preventing plymouthd from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp
command to maintain the context of a file when copying between file
systems, "cp -a" for example. Not all file contexts should be maintained
between the file systems. For example, a read-only file type like
iso9660_t should not be placed on a r/w system. "cp -P" might be a better
solution, as this will adopt the default file context for the
destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux
context.

Additional Information:

Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                force-display-on-active-vt [ filesystem ]
Source                        plymouthd
Source Path                   <Unknown>
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   1
First Seen                    Thu 15 Jan 2009 03:45:42 PM PST
Last Seen                     Thu 15 Jan 2009 03:45:42 PM PST
Local ID                      261d767c-245b-4bde-9110-8436b63fab76
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc:
denied  { associate } for  pid=611 comm="plymouthd"
name="force-display-on-active-vt"
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

###
### Whatever cp was occurring was not initiated by me.  I suspect that 
### something in the reboot process precipitated this error.

/************************************************************************/
/************** third

Summary:

SELinux is preventing python (cupsd_config_t) "read" to <Unknown>
(sysctl_t).

Detailed Description:

SELinux denied access requested by python. It is not expected that this
access is required by python and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>,

restorecon -v '<Unknown>'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_config_t:s0
Target Context                system_u:object_r:sysctl_t:s0
Target Objects                None [ file ]
Source                        python
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   2
First Seen                    Thu 15 Jan 2009 03:45:42 PM PST
Last Seen                     Thu 15 Jan 2009 03:45:42 PM PST
Local ID                      10abdbb3-bb69-4afd-ae68-30827c2ed132
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1232063142.898:17): avc:
denied  { read } for  pid=2572 comm="python"
scontext=system_u:system_r:cupsd_config_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1232063142.898:17):
arch=40000003 syscall=5 success=no exit=-13 a0=7aef38 a1=0 a2=1b6 a3=0
items=0 ppid=2402 pid=2572 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python"
exe="/usr/bin/python" subj=system_u:system_r:cupsd_config_t:s0
key=(null)

###
### Again this was not initiated by me directly.  I suspect that it was
### generated by the OS during preload or bootup.

/************************************************************************/
/************** fourth


Summary:

SELinux is preventing smartd (fsdaemon_t) "create" fsdaemon_t.

Detailed Description:

SELinux denied access requested by smartd. It is not expected that this
access is required by smartd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:system_r:fsdaemon_t:s0
Target Objects                None [ netlink_route_socket ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           smartmontools-5.38-7.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   1
First Seen                    Thu 15 Jan 2009 03:45:41 PM PST
Last Seen                     Thu 15 Jan 2009 03:45:41 PM PST
Local ID                      63da56b0-2e3a-4b9c-bce7-d507e4081b93
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc:
denied  { create } for  pid=2562 comm="smartd"
scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket

node=localhost.localdomain type=SYSCALL msg=audit(1232063141.902:13):
arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe0e9ac a2=3e5ff4
a3=0 items=0 ppid=2561 pid=2562 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="smartd" exe="/usr/sbin/smartd"
subj=system_u:system_r:fsdaemon_t:s0 key=(null)

###
### I don't think I had smartd running before the upgrade,
### but it is probably a good idea to run it.

None of these seem to be preventing me from using the system (haven't
tried printing yet).

I'll check the archives to see if anyone has solutions to these, but I
thought that they should go into the record.  

Prior to the upgrade I was running F8.  I just downloaded F10, made a
disk (two actually, the first didn't burn correctly), and then ran the
upgrade process.  My emails were imported correctly and now I am just
starting the update process.

No worries on these, but since this is the place for advice, can anyone
offer any?

OOPS, SELinux is preventing me from opening my Windows disk in Linux.
But while it tells me it is preventing the access, no alert is being
generated.  No information on how to fix it.

Ditto for the FAT32 formatted backup disk.  This has disaster potential.

I'll try the trick of "touch ./relable"
     I. 

Regards,
Les H
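
Added example, not part of the original message: a small Python parser for the raw AVC records quoted above, which undoes the mail line wrapping, extracts the source and target types, and renders the type-enforcement rule a local policy module would have to grant, so each denial can be reviewed before anything is allowed. The names `Denial`, `parse_avc` and `te_rule` are illustrative; the sample records are copied from the message.

```python
import re
from collections import namedtuple

# AVC records copied from the message above, including the mail client's line wrapping.
SAMPLE = """\
node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
denied  { execute } for  pid=3010 comm="dbus-daemon-lau"
name="console-kit-daemon" dev=dm-0 ino=54362144
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file

node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc:
denied  { associate } for  pid=611 comm="plymouthd"
name="force-display-on-active-vt"
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc:
denied  { create } for  pid=2562 comm="smartd"
scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket
"""

Denial = namedtuple("Denial", "serial comm perms source_type target_type tclass")
AVC_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    return context.split(":")[2]  # user:role:type:level[:categories]

def parse_avc(text):
    """Parse wrapped AVC denial records separated by blank lines."""
    denials = []
    for block in re.split(r"\n\s*\n", text):
        record = " ".join(block.split())  # undo mail line wrapping
        m = AVC_RE.search(record)
        if not m:
            continue  # SYSCALL and other record types are skipped
        kv = {k: v.strip('"') for k, v in KV_RE.findall(record)}
        denials.append(Denial(int(m.group(1)), kv.get("comm"),
                              tuple(m.group(2).split()), context_type(kv["scontext"]),
                              context_type(kv["tcontext"]), kv["tclass"]))
    return denials

def te_rule(d):
    """The allow rule a local policy module would need for this denial (for review)."""
    target = "self" if d.source_type == d.target_type else d.target_type
    return "allow %s %s:%s { %s };" % (d.source_type, target, d.tclass, " ".join(d.perms))
```

Printing `te_rule(d)` for each parsed record makes it plain what a local module would open up, for example that the smartd denial concerns the domain's own netlink socket rather than a mislabeled file.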




