Why can not user_t link var_lib_t files?

Göran Uddeborg goeran at uddeborg.se
Tue May 19 16:16:41 UTC 2009


Göran Uddeborg writes:
> I retriggered it, and attach the mail setroubleshoot sent me.

It looked weird in my mail client when I got it back.  I'm not sure
why, and if it's buggy when reading or when writing.  Just in case, I
reran sealert and include the output below.


Summary:

SELinux is preventing ln (user_t) "link" to
./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473
(var_lib_t).

Detailed Description:

SELinux denied access requested by ln. It is not expected that this access is
required by ln and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473,

restorecon -v
'./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:user_r:user_t
Target Context                system_u:object_r:var_lib_t
Target Objects                ./30392D30342D3132202D20535654312056C3A473746E7974
                              74202D204D65726C696E202D20427269747469736B74206661
                              6E746173796472616D615F2044656C2031332061762031335F
                              2056C3A46E736B61705F206C6F6A616C69746574206F636820
                              6B2E7473 [ file ]
Source                        ln
Source Path                   /bin/ln
Port                          <Unknown>
Host                          mimmi
Source RPM Packages           coreutils-6.12-18.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-58.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     mimmi
Platform                      Linux mimmi 2.6.27.12-170.2.5.fc10.x86_64 #1 SMP
                              Wed Jan 21 01:33:24 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon May 18 20:00:13 2009
Last Seen                     Mon May 18 20:00:13 2009
Local ID                      d6ad3700-432a-4dd7-b574-46275e4d1e24
Line Numbers                  

Raw Audit Messages            

node=mimmi type=AVC msg=audit(1242669613.397:1336): avc:  denied  { link } for  pid=26061 comm="ln" name=30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 dev=dm-0 ino=3276854 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=mimmi type=SYSCALL msg=audit(1242669613.397:1336): arch=c000003e syscall=86 success=no exit=-13 a0=7fff3f37982a a1=7fff3f3798a4 a2=0 a3=7fff3f378380 items=0 ppid=25807 pid=26061 auid=920 uid=920 gid=924 euid=920 suid=920 fsuid=920 egid=924 sgid=924 fsgid=924 tty=tty2 ses=10 comm="ln" exe="/bin/ln" subj=user_u:user_r:user_t:s0 key=(null)
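
Added example, not part of the original message or of setroubleshoot: the long hexadecimal string in the report is the file name as audit logged it, since untrusted strings containing spaces or non-ASCII bytes are written as bare hex instead of quoted text. The Python sketch below pairs an AVC record with its SYSCALL record by event id and decodes such fields; the field set, function names and the shortened sample records are assumptions constructed for illustration.

```python
import errno
import re
# Assumption: the untrusted string fields of interest. audit logs them "quoted"
# when safe and as bare uppercase hex otherwise (spaces, non-ASCII bytes).
UNTRUSTED = {"name", "comm", "exe", "cwd"}
KEEP = ("perms", "name", "exe", "scontext", "tcontext", "tclass")
EVENT_ID = re.compile(r"audit\((\d+\.\d+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_untrusted(value):
    """Return the readable form of an untrusted audit field value."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value  # e.g. (null)

def parse_record(line):
    """Parse one audit record into (event id, field dict)."""
    m = EVENT_ID.search(line)
    fields = {k: decode_untrusted(v) if k in UNTRUSTED else v
              for k, v in FIELD.findall(line)}
    p = PERMS.search(line)
    if p:
        fields["perms"] = p.group(1).split()
    return (m.group(1) if m else None), fields

def summarize(lines):
    """Merge records that share an event id; describe each AVC denial."""
    events = {}
    for line in lines:
        event_id, fields = parse_record(line)
        events.setdefault(event_id, {}).update(fields)
    return [dict({k: ev.get(k) for k in KEEP},
                 errno=errno.errorcode.get(-int(ev.get("exit", 0))))
            for ev in events.values() if "perms" in ev]

# Constructed sample modelled on the AVC/SYSCALL pair above (shorter name).
SAMPLE = [
    'type=AVC msg=audit(1000000000.001:42): avc:  denied  { link } for  pid=4242 '
    'comm="ln" name=56C3A473746E7974742031332E7473 dev=dm-0 ino=1234 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1000000000.001:42): arch=c000003e syscall=86 success=no '
    'exit=-13 items=0 pid=4242 uid=1000 comm="ln" exe="/bin/ln" key=(null)',
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Decoding is limited to the listed fields because numeric fields such as ino can also look like hex; a safe name is always quoted, so a bare hex value in those fields is unambiguous.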



