Dear all,
I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
Tomboy Notes shows this error in box \begin{box}
"Tomboy Notes" has quit unexpectedly
If you reload a panel object, it will automatically be added back to the panel.
\end{box}
The selinux denials follow:
Advice/Suggestions/Comments are welcome :)
Regards,
Antonio
Summary:
SELinux is preventing tomboy (unlabeled_t) "read" to socket (unlabeled_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 22 May 2008 02:18:36 PM CDT
Last Seen                     Thu 22 May 2008 02:18:36 PM CDT
Local ID                      e22208e0-0d5a-43aa-a57d-ca251e71c7f0
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483916.963:40): avc: denied { read } for pid=2664 comm="tomboy" path="socket:[19661]" dev=sockfs ino=19661 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1211483916.963:40): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=e69c24 a2=1000 a3=1 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Summary:
SELinux is preventing tomboy (unlabeled_t) "write" to socket (unlabeled_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   5
First Seen                    Thu 22 May 2008 02:18:37 PM CDT
Last Seen                     Thu 22 May 2008 02:18:37 PM CDT
Local ID                      125d1844-fea9-4203-9bde-2f6582a25bec
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483917.148:46): avc: denied { write } for pid=2664 comm="tomboy" path="socket:[19778]" dev=sockfs ino=19778 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1211483917.148:46): arch=c000003e syscall=20 success=no exit=-13 a0=14 a1=ef21e0 a2=1 a3=a0 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Summary:
SELinux is preventing tomboy (unlabeled_t) "search" to / (root_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /,
restorecon -v '/'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 22 May 2008 02:18:37 PM CDT
Last Seen                     Thu 22 May 2008 02:18:37 PM CDT
Local ID                      dc21e5d6-47fb-47f9-97de-31a1009d6922
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483917.148:47): avc: denied { search } for pid=2664 comm="tomboy" name="/" dev=dm-0 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1211483917.148:47): arch=c000003e syscall=87 success=no exit=-13 a0=ef24a0 a1=ef1cd0 a2=ef24a0 a3=7ffff6f6ede0 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Summary:
SELinux is preventing tomboy (unlabeled_t) "unix_write" to <Unknown> (unlabeled_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                None [ sem ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 22 May 2008 02:18:37 PM CDT
Last Seen                     Thu 22 May 2008 02:18:37 PM CDT
Local ID                      be7c4e58-a211-4d65-b643-49e9315ba3a6
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483917.148:48): avc: denied { unix_write } for pid=2664 comm="tomboy" key=1291903136 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sem
host=localhost.localdomain type=SYSCALL msg=audit(1211483917.148:48): arch=c000003e syscall=65 success=no exit=-13 a0=0 a1=7ffff6f6f0d0 a2=1 a3=700 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Summary:
SELinux is preventing tomboy (unlabeled_t) "signal" to <Unknown> (unlabeled_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                None [ process ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 22 May 2008 02:18:37 PM CDT
Last Seen                     Thu 22 May 2008 02:18:37 PM CDT
Local ID                      8a1b1271-3864-4af1-90f6-b050cca48dd5
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483917.266:51): avc: denied { signal } for pid=2664 comm="tomboy" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1211483917.266:51): arch=c000003e syscall=234 success=no exit=-13 a0=a68 a1=a68 a2=6 a3=8 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Summary:
SELinux is preventing tomboy (unlabeled_t) "fork" to <Unknown> (unlabeled_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                None [ process ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 22 May 2008 02:18:37 PM CDT
Last Seen                     Thu 22 May 2008 02:18:37 PM CDT
Local ID                      25c06d10-f06e-4883-a58b-65a70df67409
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483917.499:84): avc: denied { fork } for pid=2664 comm="tomboy" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1211483917.499:84): arch=c000003e syscall=56 success=no exit=-13 a0=1200011 a1=0 a2=0 a3=7f0aede2d840 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Summary:
SELinux is preventing tomboy (unlabeled_t) "use" to /dev/null (unconfined_t).
Detailed Description:
SELinux denied access requested by tomboy. It is not expected that this access is required by tomboy and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /dev/null [ fd ]
Source                        tomboy
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   35
First Seen                    Thu 22 May 2008 02:18:36 PM CDT
Last Seen                     Thu 22 May 2008 02:18:37 PM CDT
Local ID                      a83681c0-d977-4078-83ad-3ffe26691266
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211483917.499:85): avc: denied { use } for pid=2664 comm="tomboy" path="/dev/null" dev=tmpfs ino=1898 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd
host=localhost.localdomain type=SYSCALL msg=audit(1211483917.499:85): arch=c000003e syscall=1 success=no exit=-13 a0=2 a1=13d570 a2=124 a3=7f0aede2d7b0 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
On Thu, 2008-05-22 at 17:24 -0700, Antonio Olivares wrote:
> Dear all,
> I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
> Tomboy Notes shows this error in box \begin{box}
> "Tomboy Notes" has quit unexpectedly
> If you reload a panel object, it will automatically be added back to the panel.
> \end{box}
> The selinux denials follow:
> Advice/Suggestions/Comments are welcome :)
The unlabeled_t indicates that whatever context tomboy was running in was made invalid by a policy update. You should have seen messages in /var/log/messages about invalidating contexts upon the policy load.
Re-starting the process should get it into a valid context again.
--- Stephen Smalley sds@tycho.nsa.gov wrote:
> On Thu, 2008-05-22 at 17:24 -0700, Antonio Olivares wrote:
> > Dear all,
> > I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
> > Tomboy Notes shows this error in box \begin{box}
> > "Tomboy Notes" has quit unexpectedly
> > If you reload a panel object, it will automatically be added back to the panel.
> > \end{box}
> > The selinux denials follow:
> > Advice/Suggestions/Comments are welcome :)
> The unlabeled_t indicates that whatever context tomboy was running in was made invalid by a policy update. You should have seen messages in /var/log/messages about invalidating contexts upon the policy load.
> Re-starting the process should get it into a valid context again.
> --
> Stephen Smalley
> National Security Agency
The updates fixed it :)
Thanks!
Antonio
Antonio Olivares wrote:
> --- Stephen Smalley sds@tycho.nsa.gov wrote:
> > On Thu, 2008-05-22 at 17:24 -0700, Antonio Olivares wrote:
> > > Dear all,
> > > I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
> > > Tomboy Notes shows this error in box \begin{box}
> > > "Tomboy Notes" has quit unexpectedly
> > > If you reload a panel object, it will automatically be added back to the panel.
> > > \end{box}
> > > The selinux denials follow:
> > > Advice/Suggestions/Comments are welcome :)
> > The unlabeled_t indicates that whatever context tomboy was running in was made invalid by a policy update. You should have seen messages in /var/log/messages about invalidating contexts upon the policy load.
> > Re-starting the process should get it into a valid context again.
> > --
> > Stephen Smalley
> > National Security Agency
> The updates fixed it :)
> Thanks!
> Antonio
There is a bug in policy where mono_t is changed to unconfined_mono_t. So on upgrade mono_t becomes unlabeled_t.
Tough to fix at this point. Only will happen if you upgrade while logged in. Starting tomboy again will work and run as unconfined_mono_t.
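Added example (not part of the original thread): a small Python triage script for the situation the replies describe, grouping AVC denials whose source context type is unlabeled_t by process so the processes that need a restart after a policy update can be listed. The first two sample records are copied from the report above, the third (httpd) is constructed for contrast, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# First two records are copied from the report above; the third (httpd) is a
# constructed record from a process with a valid context, for contrast.
SAMPLE = '''\
type=AVC msg=audit(1211483916.963:40): avc: denied { read } for pid=2664 comm="tomboy" path="socket:[19661]" dev=sockfs ino=19661 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1211483917.499:84): avc: denied { fork } for pid=2664 comm="tomboy" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process
type=AVC msg=audit(1211483920.000:90): avc: denied { read } for pid=3001 comm="httpd" name="x" dev=dm-0 ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    return rec

def context_type(context):
    """Type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def stale_subjects(lines):
    """Map (pid, comm) -> denied 'class:perm' set for sources running as unlabeled_t."""
    stale = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and context_type(rec.get('scontext', '')) == 'unlabeled_t':
            key = (int(rec['pid']), rec['comm'])
            stale[key].update(f"{rec['tclass']}:{p}" for p in rec['perms'])
    return dict(stale)

if __name__ == '__main__':
    for (pid, comm), denied in stale_subjects(SAMPLE.splitlines()).items():
        print(f"pid {pid} ({comm}) is running as unlabeled_t; restart it. "
              f"Denied: {', '.join(sorted(denied))}")
```

Only the source context is checked, since that is what marks a running process whose context was invalidated; the httpd record is ignored because its source type is still valid.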