Re: SELinux is preventing access to files with the label, file_t.

[Andrew Farris <lordmorgul gmail com>]

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrew Farris wrote:
> > Andrew Farris wrote:
> > > I have hundreds of denials that happened with gconfd-2 a few days ago
> > > (socket files in tmp mostly).  Now I see many of these accesses
> > > prevented to file_t.
> > >
> > > Files such as:
> > > ./keyring-vaxTjg
> > > /tmp/fahcore-iolock.txt  <- I'm running folding at home, it is doing that
> > > ./kdecache-lordmorgul
> > > /tmp/pulse-lordmorgul/pid
> > > /tmp/banshee-NDesk.DBus.Bus.txt
> > > /tmp/gnome-system-monitor.lordmorgul.777456431
> > > ./virtual-lordmorgul.4FvBXq
> > > ./.esd-500
> > > ./fah
> > > ./virtual-lordmorgul.xxxxx/
> > >
> > > And more.  These are all accesses denied to /usr/sbin/tmpwatch, files
> > > (normal and sockets) and directories all labeled file_t.
> > Most of these are older files and directories as well.  Is autorelabel
> > *not* clearing out tmp when it labels?  I wonder if it is failing to
> > apply any label to these at that time?
> Yes autorelabel does not touch /tmp, you have to remove them manually.
>
> I am wondering if I should allow tmpwatch to handle file_t.

I'll look into whether they are getting created fresh with file_t or are just 
old.  If they are only from prior logins perhaps tmpwatch does not need access 
to them, but should just be dontaudited for that case and keep restricting 
access to them.

--
Andrew Farris <lordmorgul gmail com> www.lordmorgul.net
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----