
Re: Upgrade and SELinux messages



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Les wrote:
> I upgraded from F8 to F10.  It appeared to go smoothly, but then I 
> received the following SELinux errors:
> 
> /************************************************************************/
> /************** first 
> 
> Summary:
> 
> SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute" to
> ./console-kit-daemon (consolekit_exec_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by dbus-daemon-lau. It is not expected
> that this access is required by dbus-daemon-lau and this access may
> signal an intrusion attempt. It is also possible that the specific
> version or configuration of the application is causing it to require
> additional access. 
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for ./console-kit-daemon,
> 
> restorecon -v './console-kit-daemon'
> 
> 
> Additional Information:
> 
> Source Context
> system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:consolekit_exec_t:s0
> Target Objects                ./console-kit-daemon [ file ]
> Source                        dbus-daemon-lau
> Source Path                   /lib/dbus-1/dbus-daemon-launch-helper
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           dbus-1.2.4-1.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
>                               #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count                   35
> First Seen                    Thu 15 Jan 2009 03:45:37 PM PST
> Last Seen                     Thu 15 Jan 2009 03:47:19 PM PST
> Local ID                      a0430578-0415-40c9-ac4e-b9f86d3b479c
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
> denied  { execute } for  pid=3010 comm="dbus-daemon-lau"
> name="console-kit-daemon" dev=dm-0 ino=54362144
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
> 
> node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58):
> arch=40000003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8
> a2=8f08008 a3=2d09bc items=0 ppid=3009 pid=3010 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="dbus-daemon-lau"
> exe="/lib/dbus-1/dbus-daemon-launch-helper"
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
> 
> ###
> ### The restorecon mentioned returned an error that the file doesn't 
> ### exist.
> 
> /************************************************************************/
> /************** second
> 
> Summary:
> 
> SELinux is preventing plymouthd from creating a file with a context of
> unlabeled_t on a filesystem.
> 
> Detailed Description:
> 
> SELinux is preventing plymouthd from creating a file with a context of
> unlabeled_t on a filesystem. Usually this happens when you ask the cp
> command to
> maintain the context of a file when copying between file systems, "cp
> -a" for
> example. Not all file contexts should be maintained between the file
> systems.
> For example, a read-only file type like iso9660_t should not be placed
> on a r/w
> system. "cp -P" might be a better solution, as this will adopt the
> default file
> context for the destination.
> 
> Allowing Access:
> 
> Use a command like "cp -P" to preserve all permissions except SELinux
> context.
> 
> Additional Information:
> 
> Source Context                system_u:object_r:unlabeled_t:s0
> Target Context                system_u:object_r:fs_t:s0
> Target Objects                force-display-on-active-vt [ filesystem ]
> Source                        plymouthd
> Source Path                   <Unknown>
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   filesystem_associate
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
>                               #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count                   1
> First Seen                    Thu 15 Jan 2009 03:45:42 PM PST
> Last Seen                     Thu 15 Jan 2009 03:45:42 PM PST
> Local ID                      261d767c-245b-4bde-9110-8436b63fab76
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc:
> denied  { associate } for  pid=611 comm="plymouthd"
> name="force-display-on-active-vt"
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> ###
> ### Whatever cp was occurring was not initiated by me.  I suspect that 
> ### something in the reboot process precipitated this error.
> 
> /************************************************************************/
> /************** third
> 
> Summary:
> 
> SELinux is preventing python (cupsd_config_t) "read" to <Unknown>
> (sysctl_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by python. It is not expected that this
> access
> is required by python and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for <Unknown>,
> 
> restorecon -v '<Unknown>'
> 
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:cupsd_config_t:s0
> Target Context                system_u:object_r:sysctl_t:s0
> Target Objects                None [ file ]
> Source                        python
> Source Path                   /usr/bin/python
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           python-2.5.2-1.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
>                               #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count                   2
> First Seen                    Thu 15 Jan 2009 03:45:42 PM PST
> Last Seen                     Thu 15 Jan 2009 03:45:42 PM PST
> Local ID                      10abdbb3-bb69-4afd-ae68-30827c2ed132
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost.localdomain type=AVC msg=audit(1232063142.898:17): avc:
> denied  { read } for  pid=2572 comm="python"
> scontext=system_u:system_r:cupsd_config_t:s0
> tcontext=system_u:object_r:sysctl_t:s0 tclass=file
> 
> node=localhost.localdomain type=SYSCALL msg=audit(1232063142.898:17):
> arch=40000003 syscall=5 success=no exit=-13 a0=7aef38 a1=0 a2=1b6 a3=0
> items=0 ppid=2402 pid=2572 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python"
> exe="/usr/bin/python" subj=system_u:system_r:cupsd_config_t:s0
> key=(null)
> 
> ###
> ### Again this was not initiated by me directly.  I suspect that it was
> ### generated by the OS during preload or bootup.
> 
> /************************************************************************/
> /************** fourth
> 
> 
> Summary:
> 
> SELinux is preventing smartd (fsdaemon_t) "create" fsdaemon_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by smartd. It is not expected that this
> access
> is required by smartd and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:fsdaemon_t:s0
> Target Context                system_u:system_r:fsdaemon_t:s0
> Target Objects                None [ netlink_route_socket ]
> Source                        smartd
> Source Path                   /usr/sbin/smartd
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           smartmontools-5.38-7.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
> 2.6.27.5-117.fc10.i686
>                               #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
> i686
> Alert Count                   1
> First Seen                    Thu 15 Jan 2009 03:45:41 PM PST
> Last Seen                     Thu 15 Jan 2009 03:45:41 PM PST
> Local ID                      63da56b0-2e3a-4b9c-bce7-d507e4081b93
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc:
> denied  { create } for  pid=2562 comm="smartd"
> scontext=system_u:system_r:fsdaemon_t:s0
> tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket
> 
> node=localhost.localdomain type=SYSCALL msg=audit(1232063141.902:13):
> arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe0e9ac a2=3e5ff4
> a3=0 items=0 ppid=2561 pid=2562 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="smartd" exe="/usr/sbin/smartd"
> subj=system_u:system_r:fsdaemon_t:s0 key=(null)
> 
> ###
> ### I don't think I had smartd running before the upgrade.  
> ### but it is probably a good idea to run it.
> 
> None of these seem to be preventing me from using the system (haven't
> tried printing yet).
> 
> I'll check the archives to see if anyone has solutions to these, but I
> thought that they should go into the record.  
> 
> Prior to the upgrade I was running F8.  I just downloaded F10, made a
> disk (two actually, the first didn't burn correctly), and then ran the
> upgrade process.  My emails were imported correctly and now I am just
> starting the update process.
> 
> No worries on these, but since this is the place for advice, can anyone
> offer any?
> 
> OOPS, SELinux is preventing me from opening my Windows disk in Linux.
> But while it tells me it is preventing the access, no alert is being
> generated.  No information on how to fix it.
> 
> Ditto for the FAT32 formatted backup disk.  This has disaster potential.
> 
> I'll try the trick of "touch ./relable"
>      I. 
> 
> Regards,
> Les H
> 
> 
> 
> 
> 
Upgrade to the latest selinux policy.

yum upgrade selinux-policy-targeted

and the autorelabel will help.

Going from F8 to F10 has been troublesome, because a couple of the types
were changed and there was no alias, which is causing unlabeled_t.

The later F10 policy packages have aliases.

If you have a file or process labeled something like
unconfined_gnome_home_t in F8 and in F10 this was renamed to
gnome_home_t, the policy should have a line like

typealias gnome_home_t alias unconfined_gnome_home_t;

This would allow your files labeled unconfined_gnome_home_t to be
treated as gnome_home_t. Unfortunately, the initial F10 policy was
missing some aliases, and the kernel treats any file with a label it does
not understand as unlabeled_t; any confined domain that tries to
look at an unlabeled_t file is denied and generates an AVC.

Relabeling should remove these files and upgrading to the latest policy
from fedora-updates should add the aliases.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklwhxMACgkQrlYvE4MpobMbbwCgh988OK9QakilFYlOEuA9D/2T
a2QAn33MnpDe+Es95dSGZp/jUm/b3FWy
=yi4T
-----END PGP SIGNATURE-----
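As an added example, not part of either message in this thread: a small Python triage script that parses raw AVC audit records like the ones quoted above and separates denials that involve unlabeled_t (a labeling problem, which the reply says relabeling fixes once the policy with the aliases is installed) from denials between two known types (a policy gap that needs an updated policy, a local module, or a bug report). The four AVC records are copied from the quoted post with their wrapped lines rejoined; the `Denial` fields and the "relabel" / "policy" category names are the example's own.

```python
import re
from collections import Counter, namedtuple

# The four AVC records from the quoted post, rejoined onto single lines.
SAMPLE_AVCS = [
    'node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc: denied  { execute } for  pid=3010 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=54362144 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1232063142.547:14): avc: denied  { associate } for  pid=611 comm="plymouthd" name="force-display-on-active-vt" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'node=localhost.localdomain type=AVC msg=audit(1232063142.898:17): avc: denied  { read } for  pid=2572 comm="python" scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1232063141.902:13): avc: denied  { create } for  pid=2562 comm="smartd" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=netlink_route_socket',
]

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields this example extracts from one AVC record (names are the example's own).
Denial = namedtuple("Denial", "perms comm pid stype ttype tclass")


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a Denial, or None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm"),
        pid=int(fields["pid"]) if "pid" in fields else None,
        stype=context_type(fields["scontext"]),
        ttype=context_type(fields["tcontext"]),
        tclass=fields.get("tclass"),
    )


def classify(denial):
    """'relabel' when either side is unlabeled_t (stale or unknown label after an
    upgrade: install the policy that carries the type aliases, then relabel);
    'policy' when both types are known (the loaded policy lacks the rule)."""
    if "unlabeled_t" in (denial.stype, denial.ttype):
        return "relabel"
    return "policy"


def triage(lines):
    """Group denials by (category, source type, target type, class, perms) so that
    a burst of identical AVCs (the post shows an alert count of 35) collapses
    into one row with a count."""
    groups = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        groups[(classify(d), d.stype, d.ttype, d.tclass, d.perms)] += 1
    return groups


def summarize(lines):
    """Count denials per category; the fix differs per category."""
    return Counter(cat for (cat, *_rest) in triage(lines).elements())


if __name__ == "__main__":
    for (cat, stype, ttype, tclass, perms), n in sorted(triage(SAMPLE_AVCS).items()):
        print(f"{cat:8} x{n}  {stype} -> {ttype} ({tclass}) {' '.join(perms)}")
    print(dict(summarize(SAMPLE_AVCS)))
```

Feed it the output of `ausearch -m avc` or `grep avc: /var/log/audit/audit.log` line by line; rows in the "relabel" category should disappear after the policy upgrade and relabel the reply describes, while "policy" rows that persist are the ones worth a local module or a bug report.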

