[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Error on relable for SELinux

Hash: SHA1

Les wrote:
> I need a SELinux person to explain this error for me.  It seems to occur
> when I try to print from the web.
> The suggested command "restorecon -v Par0 doesn't work because for one
> thing Par0 doesn't exist I think.  The error seems to be that something
> wants to relable sbin/udevd to par0, and since that didn't occur I
> suspect that the problem is not with Par0, but rather the /sbin/udevd.
> And since I think this is a system file, I am not sure it should be
> relabled anyway, without causing other problems.  At least that is my
> take.  Any ideas?
> 	Please help with detailed information.  I do not want to mess up my
> system, which seems to be working well except for this.
> Regards,
> Les H
> Here is the output from the SETroubleshoot window:
> Summary
>     SELinux is preventing /sbin/udevd (udev_t) "relabelto" to par0
> (device_t).
> Detailed Description
>     SELinux denied access requested by /sbin/udevd. It is not expected
> that this
>     access is required by /sbin/udevd and this access may signal an
> intrusion
>     attempt. It is also possible that the specific version or
> configuration of
>     the application is causing it to require additional access.
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could
> try to
>     restore the default system file context for par0, restorecon -v par0
> If this
>     does not work, there is currently no automatic way to allow this
> access.
>     Instead,  you can generate a local policy module to allow this
> access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
> Additional Information        
> Source Context
> system_u:system_r:udev_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:device_t
> Target Objects                par0 [ lnk_file ]
> Affected RPM Packages         udev-113-12.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-42.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
> #1 SMP
>                               Fri Sep 21 19:53:05 EDT 2007 i686 i686
> Alert Count                   5
> First Seen                    Sat 15 Sep 2007 12:20:19 PM PDT
> Last Seen                     Thu 27 Sep 2007 10:10:01 AM PDT
> Local ID                      3b8dfa9b-fb5a-489d-9750-ea5776718542
> Line Numbers                  
> Raw Audit Messages            
> avc: denied { relabelto } for comm="udevd" dev=tmpfs egid=0 euid=0
> exe="/sbin/udevd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="par0"
> pid=3273
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=lnk_file
> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

This seems to be a bug.  It is indicating the udev is trying to relabel
a symbolic link  /dev/par0 to device_t.  It does not need to relabel the
 link since it will default to device_t.

You can eliminate this avc by executing

# grep udev_t /var/log/audit/audit.log | audit2allow -M myudev
# semodule -M myudev.pp

Please report this as a bug on udev and you can attach my comments.

I don't believe this bug would have caused a failure.  But you should
run in enforcing mode.
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]