Upgrade and SELinux messages
Les
hlhowell at pacbell.net
Fri Jan 16 00:13:24 UTC 2009
I upgraded from F8 to F10. It appeared to go smoothly, but then I
received the following SELinux errors:
/************************************************************************/
/************** first
Summary:
SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute" to
./console-kit-daemon (consolekit_exec_t).
Detailed Description:
SELinux denied access requested by dbus-daemon-lau. It is not expected
that this access is required by dbus-daemon-lau and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./console-kit-daemon,
restorecon -v './console-kit-daemon'
Additional Information:
Source Context
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:consolekit_exec_t:s0
Target Objects ./console-kit-daemon [ file ]
Source dbus-daemon-lau
Source Path /lib/dbus-1/dbus-daemon-launch-helper
Port <Unknown>
Host localhost.localdomain
Source RPM Packages dbus-1.2.4-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.27.5-117.fc10.i686
#1 SMP Tue Nov 18 12:19:59 EST 2008 i686
i686
Alert Count 35
First Seen Thu 15 Jan 2009 03:45:37 PM PST
Last Seen Thu 15 Jan 2009 03:47:19 PM PST
Local ID a0430578-0415-40c9-ac4e-b9f86d3b479c
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
denied { execute } for pid=3010 comm="dbus-daemon-lau"
name="console-kit-daemon" dev=dm-0 ino=54362144
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58):
arch=40000003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8
a2=8f08008 a3=2d09bc items=0 ppid=3009 pid=3010 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="dbus-daemon-lau"
exe="/lib/dbus-1/dbus-daemon-launch-helper"
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
###
### The restorecon mentioned returned an error that the file doesn't
### exist.
/************************************************************************/
/************** second
Summary:
SELinux is preventing plymouthd from creating a file with a context of
unlabeled_t on a filesystem.
Detailed Description:
SELinux is preventing plymouthd from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp
command to
maintain the context of a file when copying between file systems, "cp
-a" for
example. Not all file contexts should be maintained between the file
systems.
For example, a read-only file type like iso9660_t should not be placed
on a r/w
system. "cp -P" might be a better solution, as this will adopt the
default file
context for the destination.
Allowing Access:
Use a command like "cp -P" to preserve all permissions except SELinux
context.
Additional Information:
Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects force-display-on-active-vt [ filesystem ]
Source plymouthd
Source Path <Unknown>
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name filesystem_associate
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.27.5-117.fc10.i686
#1 SMP Tue Nov 18 12:19:59 EST 2008 i686
i686
Alert Count 1
First Seen Thu 15 Jan 2009 03:45:42 PM PST
Last Seen Thu 15 Jan 2009 03:45:42 PM PST
Local ID 261d767c-245b-4bde-9110-8436b63fab76
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc:
denied { associate } for pid=611 comm="plymouthd"
name="force-display-on-active-vt"
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
###
### Whatever cp was occurring was not initiated by me. I suspect that
### something in the reboot process precipitated this error.
/************************************************************************/
/************** third
Summary:
SELinux is preventing python (cupsd_config_t) "read" to <Unknown>
(sysctl_t).
Detailed Description:
SELinux denied access requested by python. It is not expected that this
access
is required by python and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for <Unknown>,
restorecon -v '<Unknown>'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:cupsd_config_t:s0
Target Context system_u:object_r:sysctl_t:s0
Target Objects None [ file ]
Source python
Source Path /usr/bin/python
Port <Unknown>
Host localhost.localdomain
Source RPM Packages python-2.5.2-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.27.5-117.fc10.i686
#1 SMP Tue Nov 18 12:19:59 EST 2008 i686
i686
Alert Count 2
First Seen Thu 15 Jan 2009 03:45:42 PM PST
Last Seen Thu 15 Jan 2009 03:45:42 PM PST
Local ID 10abdbb3-bb69-4afd-ae68-30827c2ed132
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1232063142.898:17): avc:
denied { read } for pid=2572 comm="python"
scontext=system_u:system_r:cupsd_config_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1232063142.898:17):
arch=40000003 syscall=5 success=no exit=-13 a0=7aef38 a1=0 a2=1b6 a3=0
items=0 ppid=2402 pid=2572 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python"
exe="/usr/bin/python" subj=system_u:system_r:cupsd_config_t:s0
key=(null)
###
### Again this was not initiated by me directly. I suspect that it was
### generated by the OS during preload or bootup.
/************************************************************************/
/************** fourth
Summary:
SELinux is preventing smartd (fsdaemon_t) "create" fsdaemon_t.
Detailed Description:
SELinux denied access requested by smartd. It is not expected that this
access
is required by smartd and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:fsdaemon_t:s0
Target Context system_u:system_r:fsdaemon_t:s0
Target Objects None [ netlink_route_socket ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages smartmontools-5.38-7.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.27.5-117.fc10.i686
#1 SMP Tue Nov 18 12:19:59 EST 2008 i686
i686
Alert Count 1
First Seen Thu 15 Jan 2009 03:45:41 PM PST
Last Seen Thu 15 Jan 2009 03:45:41 PM PST
Local ID 63da56b0-2e3a-4b9c-bce7-d507e4081b93
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc:
denied { create } for pid=2562 comm="smartd"
scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket
node=localhost.localdomain type=SYSCALL msg=audit(1232063141.902:13):
arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe0e9ac a2=3e5ff4
a3=0 items=0 ppid=2561 pid=2562 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="smartd" exe="/usr/sbin/smartd"
subj=system_u:system_r:fsdaemon_t:s0 key=(null)
###
### I don't think I had smartd running before the upgrade.
### but it is probably a good idea to run it.
None of these seem to be preventing me from using the system (haven't
tried printing yet).
I'll check the archives to see if anyone has solutions to these, but I
thought that they should go into the record.
Prior to the upgrade I was running F8. I just downloaded F10, made a
disk (two actually, the first didn't burn correctly), and then ran the
upgrade process. My emails were imported correctly and now I am just
starting the update process.
No worries on these, but since this is the place for advice, can anyone
offer any?
OOPS, SELinux is preventing me from opening my Windows disk in Linux.
But while it tells me it is preventing the access, no alert is being
generated. No information on how to fix it.
Ditto for the FAT32 formatted backup disk. This has disaster potential.
I'll try the trick of "touch ./relable"
I.
Regards,
Les H
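
The raw AVC records quoted in the message above are hard-wrapped by the mail client, and the MLS range in the first source context (s0-s0:c0.c1023) itself contains a colon. The following is an added example, not part of the original post: it rejoins the wrapped records and reduces each denial to command, source type, target type, class and permissions for triage. The function names are illustrative, and the sample is built from records in the post.

```python
import re
from collections import Counter

# Constructed sample: records taken from the post above, still hard-wrapped.
SAMPLE = '''\
node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
denied { execute } for pid=3010 comm="dbus-daemon-lau"
name="console-kit-daemon" dev=dm-0 ino=54362144
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58):
arch=40000003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8
node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc:
denied { associate } for pid=611 comm="plymouthd"
name="force-display-on-active-vt"
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
'''

def unwrap(text):
    """Rejoin wrapped audit records; every record begins with 'node='."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("node=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def selinux_type(context):
    # user:role:type:level -- the MLS level may contain ':' so cap the split at 3.
    return context.split(":", 3)[2]

def parse_avc(record):
    """Return (comm, source type, target type, class, perms) or None if not an AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", record)
    if "type=AVC" not in record or not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    return (kv["comm"].strip('"'), selinux_type(kv["scontext"]),
            selinux_type(kv["tcontext"]), kv["tclass"], tuple(m.group(1).split()))

def summarize(text):
    """Count distinct denials, skipping SYSCALL and other non-AVC records."""
    return Counter(d for d in map(parse_avc, unwrap(text)) if d)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```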