Why can not user_t link var_lib_t files?
Daniel J Walsh
dwalsh at redhat.com
Tue May 19 18:10:56 UTC 2009
On 05/19/2009 12:16 PM, Göran Uddeborg wrote:
> Göran Uddeborg writes:
>> I retriggered it, and attach the mail setroubleshoot sent me.
>
> It looked weird in my mail client when I got it back. I'm not sure
> why, and if it's buggy when reading or when writing. Just in case, I
> reran sealert and include the output below.
>
>
> Summary:
>
> SELinux is preventing ln (user_t) "link" to
> ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473
> (var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by ln. It is not expected that this access is
> required by ln and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for
> ./30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473,
>
> restorecon -v
> './30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context user_u:user_r:user_t
> Target Context system_u:object_r:var_lib_t
> Target Objects ./30392D30342D3132202D20535654312056C3A473746E7974
> 74202D204D65726C696E202D20427269747469736B74206661
> 6E746173796472616D615F2044656C2031332061762031335F
> 2056C3A46E736B61705F206C6F6A616C69746574206F636820
> 6B2E7473 [ file ]
> Source ln
> Source Path /bin/ln
> Port <Unknown>
> Host mimmi
> Source RPM Packages coreutils-6.12-18.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-58.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name mimmi
> Platform Linux mimmi 2.6.27.12-170.2.5.fc10.x86_64 #1 SMP
> Wed Jan 21 01:33:24 EST 2009 x86_64 x86_64
> Alert Count 1
> First Seen Mon May 18 20:00:13 2009
> Last Seen Mon May 18 20:00:13 2009
> Local ID d6ad3700-432a-4dd7-b574-46275e4d1e24
> Line Numbers
>
> Raw Audit Messages
>
> node=mimmi type=AVC msg=audit(1242669613.397:1336): avc: denied { link } for pid=26061 comm="ln" name=30392D30342D3132202D20535654312056C3A473746E797474202D204D65726C696E202D20427269747469736B742066616E746173796472616D615F2044656C2031332061762031335F2056C3A46E736B61705F206C6F6A616C69746574206F6368206B2E7473 dev=dm-0 ino=3276854 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>
> node=mimmi type=SYSCALL msg=audit(1242669613.397:1336): arch=c000003e syscall=86 success=no exit=-13 a0=7fff3f37982a a1=7fff3f3798a4 a2=0 a3=7fff3f378380 items=0 ppid=25807 pid=26061 auid=920 uid=920 gid=924 euid=920 suid=920 fsuid=920 egid=924 sgid=924 fsgid=924 tty=tty2 ses=10 comm="ln" exe="/bin/ln" subj=user_u:user_r:user_t:s0 key=(null)
>
What directory is this file in?