SELinux message

Daniel J Walsh dwalsh at redhat.com
Fri Jun 1 18:47:45 UTC 2007


A.J. Bonnema wrote:
> Hi all,
>
> This morning I got several of the following message:
>
> Raw Audit Messages
>
> avc: denied { search } for comm="procmail" dev=sdb6 egid=0 euid=0
> exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 
> name="root"
> pid=4585 scontext=system_u:system_r:procmail_t:s0 sgid=0
> subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
>
>
> It looks like procmail is trying to do *something*. I would just like 
> to find out what it is that procmail is trying to do. So I could see 
> whether it is legitimate.
> I do assume procmail knows what it is doing, but before I relabel the 
> system (as indicated in the explanation) I would just like to know: 
> shouldn't the SELinux be fitted to procmail in some way?
> Is there a way I can get this accomplished i.e. can I report this to 
> procmail as a bug?
>
> Guus Bonnema -- happily running FC7 since this morning --
>
> P.S. I include the complete message, maybe it helps.
>
>
> ============ Explanatory message ======================
>
> Summary
>     SELinux is preventing access to files with the default label, 
> default_t.
>
> Detailed Description
>     SELinux permission checks on files labeled default_t are being 
> denied.
>     These files/directories have the default label on them.  This can 
> indicate a
>     labeling problem, especially if the files being referred to  are 
> not top
>     level directories. Any files/directories under standard system 
> directories,
>     /usr, /var. /dev, /tmp, ..., should not be labeled with the 
> default label.
>     The default label is for files/directories which do not have a 
> label on a
>     parent directory. So if you create a new directory in / you might
>     legitimately get this label.
>
> Allowing Access
>     If you want a confined domain to use these files you will probably 
> need to
>     relabel the file/directory with chcon. In some cases it is just 
> easier to
>     relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information
>
> Source Context                system_u:system_r:procmail_t
> Target Context                system_u:object_r:default_t
> Target Objects                root [ dir ]
> Affected RPM Packages         procmail-3.22-19.fc7
>                               [application]filesystem-2.4.6-1.fc7 
> [target]
> Policy RPM                    selinux-policy-2.6.4-8.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.default
> Host Name                     athene.abonnema.xs4all.nl
> Platform                      Linux athene.abonnema.xs4all.nl 
> 2.6.21-1.3194.fc7
>                               #1 SMP Wed May 23 22:47:07 EDT 2007 
> x86_64 x86_64
> Alert Count                   2
> First Seen                    Fri 01 Jun 2007 02:22:25 PM CEST
> Last Seen                     Fri 01 Jun 2007 02:54:17 PM CEST
> Local ID                      789f2a56-fe70-440b-83a6-d85bc17715ae
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm="procmail" dev=sdb6 egid=0 euid=0
> exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 
> name="root"
> pid=4585 scontext=system_u:system_r:procmail_t:s0 sgid=0
> subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
>
>
restorecon -R -v /root

Should be fixed by the first update release.
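
The triage step behind this thread (a denial whose target type is default_t points at a mislabeled object, so the fix is a relabel rather than a policy change), as an added example that is not part of the original messages. The function names, the verdict strings and the extra types file_t and unlabeled_t are assumptions of this example; the sample record is the quoted denial joined onto one line.

```python
import re

# Types meaning "no proper label was ever applied". default_t is the one in
# the denial above; file_t and unlabeled_t are added here as an assumption.
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = (
    'avc: denied { search } for comm="procmail" dev=sdb6 egid=0 euid=0 '
    'exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="root" pid=4585 scontext=system_u:system_r:procmail_t:s0 sgid=0 '
    'subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0'
)

def parse_avc(record):
    """Return the AVC result, permission list and key=value fields."""
    head = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", record)
    if head is None:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    fields = {key: value.strip('"') for key, value in pairs}
    fields["result"] = head.group(1)
    fields["perms"] = head.group(2).split()
    return fields

def context_type(context):
    """Extract the type from user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]

def triage(record):
    """Classify a denial as a labeling problem or a policy question."""
    avc = parse_avc(record)
    target = context_type(avc["tcontext"])
    mislabeled = avc["result"] == "denied" and target in UNLABELED_TYPES
    return {
        "domain": context_type(avc["scontext"]),
        "target_type": target,
        "object": (avc.get("name"), avc["tclass"]),
        "perms": avc["perms"],
        "verdict": "relabel" if mislabeled else "review-policy",
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The record's name= field holds only the final path component, so the path passed to restorecon (/root in the reply above) has to be resolved on the system itself.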



