Error on relabel for SELinux
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 28 13:35:57 UTC 2007
Les wrote:
> I need a SELinux person to explain this error for me. It seems to occur
> when I try to print from the web.
>
> The suggested command "restorecon -v Par0" doesn't work because for one
> thing Par0 doesn't exist I think. The error seems to be that something
> wants to relabel sbin/udevd to par0, and since that didn't occur I
> suspect that the problem is not with Par0, but rather the /sbin/udevd.
> And since I think this is a system file, I am not sure it should be
> relabeled anyway, without causing other problems. At least that is my
> take. Any ideas?
>
> Please help with detailed information. I do not want to mess up my
> system, which seems to be working well except for this.
>
> Regards,
> Les H
>
> Here is the output from the SETroubleshoot window:
>
> Summary
> SELinux is preventing /sbin/udevd (udev_t) "relabelto" to par0
> (device_t).
>
> Detailed Description
> SELinux denied access requested by /sbin/udevd. It is not expected that
> this access is required by /sbin/udevd and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for par0, restorecon -v par0
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context         system_u:system_r:udev_t:SystemLow-SystemHigh
> Target Context         system_u:object_r:device_t
> Target Objects         par0 [ lnk_file ]
> Affected RPM Packages  udev-113-12.fc7 [application]
> Policy RPM             selinux-policy-2.6.4-42.fc7
> Selinux Enabled        True
> Policy Type            targeted
> MLS Enabled            True
> Enforcing Mode         Permissive
> Plugin Name            plugins.catchall_file
> Host Name              localhost.localdomain
> Platform               Linux localhost.localdomain 2.6.22.7-85.fc7 #1 SMP
>                        Fri Sep 21 19:53:05 EDT 2007 i686 i686
> Alert Count            5
> First Seen             Sat 15 Sep 2007 12:20:19 PM PDT
> Last Seen              Thu 27 Sep 2007 10:10:01 AM PDT
> Local ID               3b8dfa9b-fb5a-489d-9750-ea5776718542
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { relabelto } for comm="udevd" dev=tmpfs egid=0 euid=0
> exe="/sbin/udevd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="par0"
> pid=3273
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=lnk_file
> tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>
>
>
This seems to be a bug. It is indicating that udev is trying to relabel
a symbolic link /dev/par0 to device_t. It does not need to relabel the
link since it will default to device_t.
You can eliminate this avc by executing
# grep udev_t /var/log/audit/audit.log | audit2allow -M myudev
# semodule -i myudev.pp
Please report this as a bug on udev and you can attach my comments.
I don't believe this bug would have caused a failure. But you should
run in enforcing mode.
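The following is an added example, not part of the original thread and not audit2allow's own code. It parses the raw AVC message quoted above and derives the allow rule a local module for it would contain, so the rule can be reviewed before a module built from `grep udev_t` output (which picks up every logged line mentioning udev_t) is loaded. The function names are hypothetical, and merging permissions per source type, target type and class is a simplified stand-in for what audit2allow does.

```python
import re

# Raw audit message from the report quoted above, re-joined from the
# wrapped e-mail lines.
SAMPLE_AVC = (
    'avc: denied { relabelto } for comm="udevd" dev=tmpfs egid=0 euid=0 '
    'exe="/sbin/udevd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="par0" '
    'pid=3273 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 '
    'subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=lnk_file '
    'tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {'scontext', 'tcontext', 'tclass'}


def parse_avc(text):
    """Parse one AVC denial; mail quoting ('> ') and line wraps are tolerated."""
    flat = ' '.join(line.lstrip('> ').strip() for line in text.splitlines())
    match = AVC_RE.search(flat)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    fields['perms'] = match.group(1).split()
    return fields


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def rules_from_log(records):
    """Merge denials into allow rules, one per (source, target, class)."""
    grouped = {}
    for record in records:
        avc = parse_avc(record)
        if avc is None or not avc['perms'] or not REQUIRED <= avc.keys():
            continue  # not an AVC denial, or missing the fields a rule needs
        key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
        grouped.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm};')
    return rules


if __name__ == '__main__':
    print('\n'.join(rules_from_log([SAMPLE_AVC])))
```

Any rule in the output other than the udev_t to device_t lnk_file relabelto rule comes from a different denial that the grep also matched, and is worth understanding before the module is installed.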