Re: gconf alert

["Valent Turkovic" <valent turkovic gmail com>]

Here are the latest ones from F8.

I'll reboot to F9 beta and send those also.

Valent.

-- 
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

Summary:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                saved_state.tmp [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Unknown>
Host                          valent.oswireless
Source RPM Packages           GConf2-2.20.1-1.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   filesystem_associate
Host Name                     valent.oswireless
Platform                      Linux valent.oswireless 2.6.24.3-34.fc8 #1 SMP Wed
                              Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 22 Mar 2008 08:55:28 AM CET
Last Seen                     Sat 22 Mar 2008 08:55:28 AM CET
Local ID                      a99f93ec-fbdf-4beb-a85c-fc340a1a687b
Line Numbers                  

Raw Audit Messages            

host=valent.oswireless type=AVC msg=audit(1206172528.330:148): avc:  denied  { associate } for  pid=2571 comm="gconfd-2" name="saved_state.tmp" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1206172528.330:148): arch=40000003 syscall=5 success=yes exit=62 a0=8ee47d0 a1=241 a2=1c0 a3=8c8e130 items=0 ppid=1 pid=2571 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux context.

Additional Information:

Source Context                unconfined_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                %gconf.xml.new [ filesystem ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Unknown>
Host                          valent.oswireless
Source RPM Packages           GConf2-2.20.1-1.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   filesystem_associate
Host Name                     valent.oswireless
Platform                      Linux valent.oswireless 2.6.24.3-34.fc8 #1 SMP Wed
                              Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Fri 21 Mar 2008 09:25:05 PM CET
Last Seen                     Sat 22 Mar 2008 11:29:00 AM CET
Local ID                      59be503c-e098-4c10-9e91-d226a159ebdb
Line Numbers                  

Raw Audit Messages            

host=valent.oswireless type=AVC msg=audit(1206181740.396:176): avc:  denied  { associate } for  pid=2571 comm="gconfd-2" name="%gconf.xml.new" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

host=valent.oswireless type=SYSCALL msg=audit(1206181740.396:176): arch=40000003 syscall=5 success=yes exit=64 a0=8ee4c78 a1=41 a2=180 a3=8ec1d30 items=0 ppid=1 pid=2571 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)