Upgrade and SELinux messages
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 16 13:09:39 UTC 2009
Les wrote:
> I upgraded from F8 to F10. It appeared to go smoothly, but then I
> received the following SELinux errors:
>
> /************************************************************************/
> /************** first
>
> Summary:
>
> SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute" to
> ./console-kit-daemon (consolekit_exec_t).
>
> Detailed Description:
>
> SELinux denied access requested by dbus-daemon-lau. It is not expected
> that this access is required by dbus-daemon-lau and this access may
> signal an intrusion attempt. It is also possible that the specific
> version or configuration of the application is causing it to require
> additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for ./console-kit-daemon,
>
> restorecon -v './console-kit-daemon'
>
>
> Additional Information:
>
> Source Context
> system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> Target Context system_u:object_r:consolekit_exec_t:s0
> Target Objects ./console-kit-daemon [ file ]
> Source dbus-daemon-lau
> Source Path /lib/dbus-1/dbus-daemon-launch-helper
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages dbus-1.2.4-1.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-18.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
> #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count 35
> First Seen Thu 15 Jan 2009 03:45:37 PM PST
> Last Seen Thu 15 Jan 2009 03:47:19 PM PST
> Local ID a0430578-0415-40c9-ac4e-b9f86d3b479c
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
> denied { execute } for pid=3010 comm="dbus-daemon-lau"
> name="console-kit-daemon" dev=dm-0 ino=54362144
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
>
> node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58):
> arch=40000003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8
> a2=8f08008 a3=2d09bc items=0 ppid=3009 pid=3010 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="dbus-daemon-lau"
> exe="/lib/dbus-1/dbus-daemon-launch-helper"
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
>
> ###
> ### The restorecon mentioned returned an error that the file doesn't
> ### exist.
>
> /************************************************************************/
> /************** second
>
> Summary:
>
> SELinux is preventing plymouthd from creating a file with a context of
> unlabeled_t on a filesystem.
>
> Detailed Description:
>
> SELinux is preventing plymouthd from creating a file with a context of
> unlabeled_t on a filesystem. Usually this happens when you ask the cp
> command to
> maintain the context of a file when copying between file systems, "cp
> -a" for
> example. Not all file contexts should be maintained between the file
> systems.
> For example, a read-only file type like iso9660_t should not be placed
> on a r/w
> system. "cp -P" might be a better solution, as this will adopt the
> default file
> context for the destination.
>
> Allowing Access:
>
> Use a command like "cp -P" to preserve all permissions except SELinux
> context.
>
> Additional Information:
>
> Source Context system_u:object_r:unlabeled_t:s0
> Target Context system_u:object_r:fs_t:s0
> Target Objects force-display-on-active-vt [ filesystem ]
> Source plymouthd
> Source Path <Unknown>
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-18.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name filesystem_associate
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
> #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count 1
> First Seen Thu 15 Jan 2009 03:45:42 PM PST
> Last Seen Thu 15 Jan 2009 03:45:42 PM PST
> Local ID 261d767c-245b-4bde-9110-8436b63fab76
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc:
> denied { associate } for pid=611 comm="plymouthd"
> name="force-display-on-active-vt"
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> ###
> ### Whatever cp was occurring was not initiated by me. I suspect that
> ### something in the reboot process precipitated this error.
>
> /************************************************************************/
> /************** third
>
> Summary:
>
> SELinux is preventing python (cupsd_config_t) "read" to <Unknown>
> (sysctl_t).
>
> Detailed Description:
>
> SELinux denied access requested by python. It is not expected that this
> access
> is required by python and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for <Unknown>,
>
> restorecon -v '<Unknown>'
>
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:cupsd_config_t:s0
> Target Context system_u:object_r:sysctl_t:s0
> Target Objects None [ file ]
> Source python
> Source Path /usr/bin/python
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages python-2.5.2-1.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-18.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
> #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count 2
> First Seen Thu 15 Jan 2009 03:45:42 PM PST
> Last Seen Thu 15 Jan 2009 03:45:42 PM PST
> Local ID 10abdbb3-bb69-4afd-ae68-30827c2ed132
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1232063142.898:17): avc:
> denied { read } for pid=2572 comm="python"
> scontext=system_u:system_r:cupsd_config_t:s0
> tcontext=system_u:object_r:sysctl_t:s0 tclass=file
>
> node=localhost.localdomain type=SYSCALL msg=audit(1232063142.898:17):
> arch=40000003 syscall=5 success=no exit=-13 a0=7aef38 a1=0 a2=1b6 a3=0
> items=0 ppid=2402 pid=2572 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python"
> exe="/usr/bin/python" subj=system_u:system_r:cupsd_config_t:s0
> key=(null)
>
> ###
> ### Again this was not initiated by me directly. I suspect that it was
> ### generated by the OS during preload or bootup.
>
> /************************************************************************/
> /************** fourth
>
>
> Summary:
>
> SELinux is preventing smartd (fsdaemon_t) "create" fsdaemon_t.
>
> Detailed Description:
>
> SELinux denied access requested by smartd. It is not expected that this
> access
> is required by smartd and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:fsdaemon_t:s0
> Target Context system_u:system_r:fsdaemon_t:s0
> Target Objects None [ netlink_route_socket ]
> Source smartd
> Source Path /usr/sbin/smartd
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages smartmontools-5.38-7.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-18.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
> #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count 1
> First Seen Thu 15 Jan 2009 03:45:41 PM PST
> Last Seen Thu 15 Jan 2009 03:45:41 PM PST
> Local ID 63da56b0-2e3a-4b9c-bce7-d507e4081b93
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc:
> denied { create } for pid=2562 comm="smartd"
> scontext=system_u:system_r:fsdaemon_t:s0
> tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1232063141.902:13):
> arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe0e9ac a2=3e5ff4
> a3=0 items=0 ppid=2561 pid=2562 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="smartd" exe="/usr/sbin/smartd"
> subj=system_u:system_r:fsdaemon_t:s0 key=(null)
>
> ###
> ### I don't think I had smartd running before the upgrade.
> ### but it is probably a good idea to run it.
>
> None of these seem to be preventing me from using the system (haven't
> tried printing yet).
>
> I'll check the archives to see if anyone has solutions to these, but I
> thought that they should go into the record.
>
> Prior to the upgrade I was running F8. I just downloaded F10, made a
> disk (two actually, the first didn't burn correctly), and then ran the
> upgrade process. My emails were imported correctly and now I am just
> starting the update process.
>
> No worries on these, but since this is the place for advice, can anyone
> offer any?
>
> OOPS, SELinux is preventing me from opening my Windows disk in Linux.
> But while it tells me it is preventing the access, no alert is being
> generated. No information on how to fix it.
>
> Ditto for the FAT32 formatted backup disk. This has disaster potential.
>
> I'll try the trick of "touch ./relable"
> I.
>
> Regards,
> Les H
>
>
>
>
>
Upgrade to the latest selinux policy.
yum upgrade selinux-policy-targeted
and the autorelabel will help.
Going from F8 to F10 has been troublesome, because a couple of the types
were changed and there was no alias, which is causing unlabeled_t.
The later F10 policy packages have aliases.
If you have a file or process labeled something like
unconfined_gnome_home_t in F8 and in F10 this was renamed to
gnome_home_t, the policy should have a line like
typealias gnome_home_t alias unconfined_gnome_home_t;
which would allow your files labeled unconfined_gnome_home_t to be
treated as gnome_home_t. Unfortunately the initial F10 policy was
missing some aliases, and the kernel treats any file with a label it does
not understand as unlabeled_t, and any confined domain that tries to
look at an unlabeled_t file is denied and generates an AVC.
Relabeling should remove these files and upgrading to the latest policy
from fedora-updates should add the aliases.
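As an added example (not part of the original thread), the following Python parses the four raw AVC records quoted above and sorts each one into a bucket that matches how the reply resolves them: denials touching unlabeled_t point at a missing typealias and want a policy upgrade plus relabel, named file objects get a restorecon check first, and the rest need a local module or a bug report. The bucket names and the restorecon-first heuristic are my assumptions, not anything the Fedora tools output.

```python
import re
# AVC records copied from the alerts quoted above, reflowed onto one line each.
SAMPLE_AVCS = [
    'node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc: denied '
    '{ execute } for pid=3010 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 '
    'ino=54362144 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc: denied '
    '{ associate } for pid=611 comm="plymouthd" name="force-display-on-active-vt" '
    'scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'node=localhost.localdomain type=AVC msg=audit(1232063142.898:17): avc: denied '
    '{ read } for pid=2572 comm="python" scontext=system_u:system_r:cupsd_config_t:s0 '
    'tcontext=system_u:object_r:sysctl_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc: denied '
    '{ create } for pid=2562 comm="smartd" scontext=system_u:system_r:fsdaemon_t:s0 '
    'tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket',
]
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return the AVC's fields as a dict (perms as a list), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, value in FIELD_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    return rec

def context_type(ctx):
    return ctx.split(":")[2]  # user:role:type[:range] -> type

def triage(rec):
    """'relabel' when unlabeled_t is on either side (a type the upgrade left without an alias:
    upgrade the policy and relabel), 'restorecon' for a named file object, else 'policy'."""
    if "unlabeled_t" in (context_type(rec["scontext"]), context_type(rec["tcontext"])):
        return "relabel"
    if rec.get("tclass") == "file" and "name" in rec:
        return "restorecon"
    return "policy"

def summarize(lines):
    """(comm, perms, source type, target type, class, bucket) for every AVC in lines."""
    rows = []
    for rec in filter(None, map(parse_avc, lines)):
        rows.append((rec["comm"], " ".join(rec["perms"]), context_type(rec["scontext"]),
                     context_type(rec["tcontext"]), rec["tclass"], triage(rec)))
    return rows
```

Feed it the output of `ausearch -m avc` (one record per line) to get the same summary for a live system; SYSCALL records and other non-AVC lines are skipped.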