SELinux is preventing access to files with the label, file_t.

Daniel J Walsh dwalsh at redhat.com
Tue Mar 4 14:24:36 UTC 2008



Antonio Olivares wrote:
> Dear all, 
> 
> I have done this before :
> 
> "touch /.autorelabel; reboot"
> 
> several days pass and I see this file_t again and I
> have to do "in quote" this again.  What is file_t
> anyway?
> I do not know of any in my system.
> 
> Thanks,
> 
> Antonio 
> 
> Summary:
> 
> SELinux is preventing access to files with the label, file_t.
> 
> Detailed Description:
> 
> SELinux permission checks on files labeled file_t are being denied. file_t is
> the context the SELinux kernel gives to files that do not have a label. This
> indicates a serious labeling problem. No files on an SELinux box should ever be
> labeled file_t. If you have just added a new disk drive to the system you can
> relabel it using the restorecon command. Otherwise you should relabel the entire
> files system.
> 
> Allowing Access:
> 
> You can execute the following command as root to relabel your computer system:
> "touch /.autorelabel; reboot"
> 
> Additional Information:
> 
> Source Context                system_u:system_r:tmpreaper_t
> Target Context                system_u:object_r:file_t
> Target Objects                ./virtual-olivares.1dNZIJ [ dir ]
> Source                        tmpwatch
> Source Path                   /usr/sbin/tmpwatch
> Port                          <Unknown>
> Host                          localhost
> Source RPM Packages           tmpwatch-2.9.13-2
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.3.1-9.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.25-0.80.rc3.git2.fc9 #1 SMP Fri Feb 29 18:17:34 EST 2008 i686 athlon
> Alert Count                   1
> First Seen                    Mon 03 Mar 2008 10:01:18 AM CST
> Last Seen                     Mon 03 Mar 2008 10:01:18 AM CST
> Local ID                      08676827-232c-4027-aa44-9431e45d6d53
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost type=AVC msg=audit(1204560078.2:50): avc:  denied  { rmdir } for  pid=32386 comm="tmpwatch" name="virtual-olivares.1dNZIJ" dev=dm-0 ino=31391789 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
> 
> host=localhost type=SYSCALL msg=audit(1204560078.2:50): arch=40000003 syscall=40 success=no exit=-13 a0=960ec33 a1=28 a2=960f1a0 a3=960ec33 items=0 ppid=32384 pid=32386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
> 
> 
File_t is an unlabeled file.  The kernel looks at the extended
attributes of a file for its file context; if none are found, it reports
it as file_t.  The only way you should be able to get a file_t is if you
put in an unlabeled file system and moved the file over.  This should
not happen ordinarily.  Also, you can fix the file labels with a
restorecon/chcon call rather than a full relabel, or you can just delete
the file.


Is this file being created from a virtual machine?  How is this file
getting there?

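An added example, not part of the original thread and not setroubleshoot's own code: a small triage script that pulls every denied AVC whose target type is file_t out of audit log text and reports the device and inode, so the unlabeled object can be located and fixed individually instead of relabeling the whole system. The function names, the second sample record and the `MNT` placeholder are assumptions made for this illustration.

```python
import re
from collections import namedtuple

# Constructed sample: record 1 is the AVC quoted in this thread, joined onto one
# line; record 2 is an invented denial on a labeled file, for contrast.
SAMPLE_AUDIT = (
    'host=localhost type=AVC msg=audit(1204560078.2:50): avc:  denied  { rmdir } '
    'for  pid=32386 comm="tmpwatch" name="virtual-olivares.1dNZIJ" dev=dm-0 '
    'ino=31391789 scontext=system_u:system_r:tmpreaper_t:s0 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1204560100.5:51): avc:  denied  { read } for  pid=400 '
    'comm="example" name="notes.txt" dev=dm-0 ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file\n'
)

Unlabeled = namedtuple("Unlabeled", "dev ino name tclass perms source_type")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def unlabeled_targets(audit_text):
    """One record per (dev, ino) that was denied while labeled file_t."""
    found = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no tcontext
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if context_type(f.get("tcontext", "")) != "file_t":
            continue
        key = (f.get("dev"), f.get("ino"))
        # Merge permissions when the same inode is denied more than once.
        perms = set(m.group(1).split()) | set(found[key].perms if key in found else ())
        found[key] = Unlabeled(key[0], key[1], f.get("name"), f.get("tclass"),
                               tuple(sorted(perms)), context_type(f.get("scontext", "")))
    return list(found.values())

def locate_command(rec, mountpoint="MNT"):
    """find(1) call that resolves the inode to a path; MNT is a placeholder for
    the mount point of rec.dev, which the audit record does not carry."""
    return "find %s -xdev -inum %s -print" % (mountpoint, rec.ino)

if __name__ == "__main__":
    for rec in unlabeled_targets(SAMPLE_AUDIT):
        print(rec, "->", locate_command(rec))
```

Once the path is known, `restorecon -v` on it (or deleting the file) is the targeted fix the reply describes.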


