SELinux is preventing access to files with the label, file_t.
Daniel J Walsh
dwalsh at redhat.com
Tue Mar 4 14:24:36 UTC 2008
Antonio Olivares wrote:
> Dear all,
>
> I have done this before:
>
> "touch /.autorelabel; reboot"
>
> several days pass and I see this file_t again and I
> have to do "in quote" this again. What is file_t
> anyway?
> I do not know of any in my system.
>
> Thanks,
>
> Antonio
>
> Summary:
>
> SELinux is preventing access to files with the label,
> file_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled file_t are
> being denied. file_t is
> the context the SELinux kernel gives to files that do
> not have a label. This
> indicates a serious labeling problem. No files on an
> SELinux box should ever be
> labeled file_t. If you have just added a new disk
> drive to the system you can
> relabel it using the restorecon command. Otherwise you
> should relabel the entire
> files system.
>
> Allowing Access:
>
> You can execute the following command as root to
> relabel your computer system:
> "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context
> system_u:system_r:tmpreaper_t
> Target Context system_u:object_r:file_t
> Target Objects
> ./virtual-olivares.1dNZIJ [ dir ]
> Source tmpwatch
> Source Path /usr/sbin/tmpwatch
> Port <Unknown>
> Host localhost
> Source RPM Packages tmpwatch-2.9.13-2
> Target RPM Packages
> Policy RPM
> selinux-policy-3.3.1-9.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name file
> Host Name localhost
> Platform Linux localhost
> 2.6.25-0.80.rc3.git2.fc9 #1 SMP
> Fri Feb 29 18:17:34 EST
> 2008 i686 athlon
> Alert Count 1
> First Seen Mon 03 Mar 2008 10:01:18
> AM CST
> Last Seen Mon 03 Mar 2008 10:01:18
> AM CST
> Local ID
> 08676827-232c-4027-aa44-9431e45d6d53
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost type=AVC msg=audit(1204560078.2:50):
> avc: denied { rmdir } for pid=32386 comm="tmpwatch"
> name="virtual-olivares.1dNZIJ" dev=dm-0 ino=31391789
> scontext=system_u:system_r:tmpreaper_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> host=localhost type=SYSCALL
> msg=audit(1204560078.2:50): arch=40000003 syscall=40
> success=no exit=-13 a0=960ec33 a1=28 a2=960f1a0
> a3=960ec33 items=0 ppid=32384 pid=32386
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="tmpwatch" exe="/usr/sbin/tmpwatch"
> subj=system_u:system_r:tmpreaper_t:s0 key=(null)
>
File_t is an unlabeled file. The kernel looks at the extended
attributes of a file for its file context; if none are found, it reports
it as file_t. The only way you should be able to get a file_t is if you
put in an unlabeled file system and moved the file over. This should
not happen ordinarily. Also, you can fix the file labels with a
restorecon/chcon call rather than a full relabel, or you can just delete
the file.
Is this file being created from a virtual machine? How is this file
getting there?
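An added example, not part of the original message or of any Fedora tool: a small Python parser that scans audit records for AVC denials whose target type is file_t and reports the device and inode, since the record carries only the last path component. The first sample line is the AVC record quoted above, unwrapped; the second is constructed for contrast, and the function names are assumptions.

```python
import re

# Line 1: the AVC record from the report above, unwrapped onto one line.
# Line 2: a constructed record with a properly labeled target, for contrast.
SAMPLE_AUDIT = '''\
host=localhost type=AVC msg=audit(1204560078.2:50): avc: denied { rmdir } for pid=32386 comm="tmpwatch" name="virtual-olivares.1dNZIJ" dev=dm-0 ino=31391789 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1204560099.1:51): avc: denied { read } for pid=400 comm="httpd" name="notes.txt" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    parts = rec.get('tcontext', '').split(':')
    rec['ttype'] = parts[2] if len(parts) > 2 else None
    return rec

def unlabeled_targets(audit_text):
    """Collect one record per (dev, ino) for denials whose target type is file_t."""
    seen = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['ttype'] == 'file_t':
            seen.setdefault((rec.get('dev'), rec.get('ino')), rec)
    return list(seen.values())

def locate_hint(rec):
    """Build a find command by inode; the mount point is left as a placeholder."""
    return f"find <mountpoint of {rec['dev']}> -xdev -inum {rec['ino']}"

if __name__ == "__main__":
    for rec in unlabeled_targets(SAMPLE_AUDIT):
        print(f"{rec['comm']} denied {rec['perms']} on unlabeled "
              f"{rec['tclass']} {rec['name']!r}")
        print("  locate with:", locate_hint(rec))
```

Once the path is known, the file can be relabeled with restorecon or deleted, as the reply suggests.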