gconf-2 creating > unlabelled_t files

Frank Murphy frankly3d at gmail.com
Wed Jul 2 12:40:14 UTC 2008


Do I run "cp -P  /usr/libexec/gconfd-2"?
-----------------------------------------------------
Summary:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                .testing.writeability [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Unknown>
Host                          frank-03
Source RPM Packages           GConf2-2.22.0-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     frank-03
Platform                      Linux frank-03 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun
                              10 16:27:49 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 02 Jul 2008 12:06:53 IST
Last Seen                     Wed 02 Jul 2008 12:06:53 IST
Local ID                      9af5a524-6e39-40da-a8f0-146b28ebee10
Line Numbers

Raw Audit Messages

host=frank-03 type=AVC msg=audit(1214996813.541:52): avc:  denied  {
associate } for  pid=9827 comm="gconfd-2" name=".testing.writeability"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=frank-03 type=SYSCALL msg=audit(1214996813.541:52): arch=40000003
syscall=5 success=no exit=-13 a0=8652d18 a1=41 a2=1c0 a3=8652d18
items=0 ppid=1 pid=9827 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconfd-2"
exe="/usr/libexec/gconfd-2"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
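
Added example (not part of the original post and not setroubleshoot's own code): a Python sketch that joins the report's two raw audit records on their event id and decodes which process made which call and which labels were involved. The syscall table and the O_CREAT value are assumptions hard-coded for the i386 arch shown in the record.

```python
import errno
import re

# The two raw audit records from the report, each rejoined onto one line
# (the e-mail wrapped them); both carry audit event id 52.
AVC = ('host=frank-03 type=AVC msg=audit(1214996813.541:52): avc:  denied  '
       '{ associate } for  pid=9827 comm="gconfd-2" name=".testing.writeability" '
       'scontext=unconfined_u:object_r:unlabeled_t:s0 '
       'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem')
SYSCALL = ('host=frank-03 type=SYSCALL msg=audit(1214996813.541:52): arch=40000003 '
           'syscall=5 success=no exit=-13 a0=8652d18 a1=41 a2=1c0 a3=8652d18 '
           'items=0 ppid=1 pid=9827 auid=500 uid=500 gid=500 euid=500 suid=500 '
           'fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconfd-2" '
           'exe="/usr/libexec/gconfd-2" '
           'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')

# (arch, syscall) -> name; arch=40000003 is 32-bit x86. Only the call seen here.
SYSCALLS = {('40000003', '5'): 'open'}
O_CREAT = 0o100   # Linux x86 value, fixed here so the decode runs on any platform

def parse_record(line):
    """Split one audit record into key=value fields, event id and denied perms."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec['event'] = re.search(r'audit\(\d+\.\d+:(\d+)\)', line).group(1)
    perms = re.search(r'\{([^}]*)\}', line)
    rec['perms'] = perms.group(1).split() if perms else []
    return rec

def se_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(':')[2]

def explain(avc_line, syscall_line):
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc['event'] != sc['event']:
        raise ValueError('records belong to different audit events')
    return {
        'exe': sc['exe'],
        'process_type': se_type(sc['subj']),
        'syscall': SYSCALLS.get((sc['arch'], sc['syscall']), 'unknown'),
        'creating': bool(int(sc['a1'], 16) & O_CREAT),  # arguments are logged in hex
        'mode': oct(int(sc['a2'], 16)),
        'errno': errno.errorcode[-int(sc['exit'])],
        'file': avc['name'],
        'perms': avc['perms'],
        # For tclass=filesystem, scontext is the label the new file would get
        # and tcontext is the label of the filesystem it would live on.
        'file_type': se_type(avc['scontext']),
        'fs_type': se_type(avc['tcontext']),
    }
```

On the records above, `explain(AVC, SYSCALL)` reports an `open` with O_CREAT and mode 0o700 that failed with EACCES, issued by /usr/libexec/gconfd-2 running as unconfined_t, for a file that would have been labelled unlabeled_t on a filesystem labelled fs_t.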