Bug 118757 - SELinux FAQ tracker bug
Summary: SELinux FAQ tracker bug
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karsten Wade
QA Contact: Tammy Fox
Depends On: 119323 119417 119461 119472 119572 119573 119649 119719 119757 119787 119851 119852 120075 120204 120211 120222 120236 120424 120551 120957 121225 122794 122849 123451 123561 123562 123563 125148 129240 129917 130714 133403 136258 138465 138762 138764 138767 139433 142182 143490 144696 144697 144918 145876 147915 148030 150500 151957 152352 152370 153702 154273 155300 155302 159572 161034 161035 161678
Reported: 2004-03-19 20:56 UTC by Karsten Wade
Modified: 2009-06-08 19:58 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-06-08 19:58:43 UTC

Attachments
Why I cannot print (deleted), 2007-12-18 12:53 UTC, mike keenor

Description Karsten Wade 2004-03-19 20:56:36 UTC
This bug is the master tracker bug for all changes to the Fedora Docs
Project SELinux FAQ.  The purpose of this tracker is to assist in
project management when there is a high-volume of bug reports for the
FAQ, such as following a test release.  All new bugs against the FAQ
should block this bug.  This ensures the bug report does not slip
through the cracks.

Comment 1 mike keenor 2007-12-18 12:53:53 UTC
Created attachment 289887 [details]
Why I cannot print 

    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them. This can indicate a
    labeling problem, especially if the files being referred to are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var, /dev, /tmp, ..., should not be labeled with the default label.

    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information

Source Context                system_u:system_r:procmail_t
Target Context                system_u:object_r:default_t
Target Objects                root [ dir ]
Affected RPM Packages         procmail-3.22-19.fc7 [application]
                              filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name
Platform                      Linux 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sat 25 Aug 2007 12:03:40 AM WST
Last Seen                     Sat 25 Aug 2007 12:03:40 AM WST
Local ID                      eef9b303-e05b-4bdb-a401-890c586e6c33
Line Numbers

Raw Audit Messages	      

avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 
exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" 
pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
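The raw AVC message above is the kind of line a small triage script can pick apart. The following POSIX sh snippet is an added example, not part of this bug report and not setroubleshoot's or audit2allow's own code: it extracts the source type, target type, object class and permissions from an `avc: denied` line (the embedded sample is constructed from the message in this comment) and, following the alert's own advice, treats a `default_t` target as a labeling problem to fix by relabeling (restorecon, or chcon as the alert suggests) rather than printing the allow rule that audit2allow would generate for it. The function names `avc_field`, `avc_perms`, `context_type` and `avc_advice` are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a raw AVC denial as either a
# labeling problem (relabel the object) or a policy gap (candidate allow rule).

# Constructed sample, copied in shape from the raw audit message in Comment 1.
SAMPLE_AVC='avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=7508 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0'

# avc_field MSG KEY -> the value of KEY=value in MSG, with surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms MSG -> the permission list between the braces, e.g. "search" or "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# context_type CONTEXT -> the type field of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_advice MSG -> one line: relabel advice for default_t/unlabeled_t targets,
# otherwise the allow rule audit2allow would emit for this denial
avc_advice() {
    msg=$1
    src=$(context_type "$(avc_field "$msg" scontext)")
    tgt=$(context_type "$(avc_field "$msg" tcontext)")
    cls=$(avc_field "$msg" tclass)
    perms=$(avc_perms "$msg")
    case $tgt in
        default_t|unlabeled_t)
            # The alert text says it: default_t on an object under a standard
            # directory means the label is wrong, so fix the label, not the policy.
            printf 'relabel: target %s is %s; run restorecon -Rv on the object rather than allowing %s\n' \
                "$(avc_field "$msg" name)" "$tgt" "$src"
            ;;
        *)
            printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
            ;;
    esac
}

# Run on the sample; on a live host feed it lines from: ausearch -m avc
avc_advice "$SAMPLE_AVC"
```

Feeding this the denial from the comment yields relabel advice rather than an allow rule for `procmail_t` on `default_t`, which is the distinction the alert's "Allowing Access" section is making: an allow rule would paper over a mislabeled object and widen what the confined domain may touch.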

Comment 2 Penelope Fudd 2008-02-18 07:03:12 UTC
Additional FAQ:

I have an avc denial, I'm following "I have some avc denials that I would like
to allow, how do I do this?", and I've created a local.te file.

The problem is, I've done this before, and if I load my new local.te file, I'll
erase my previous changes, whatever they were (it's been a while; the local.te
file from back then is gone).

How do I merge my new changes with the existing local rules?

Two ideas come to mind:
  1. Decompiling the 'local' ruleset.
  2. Listing the existing rulesets, so I can rename my local.te to local2.te
without fear of collision (I may have generated a local2.te before).
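As an added example in response to the question above (not part of the FAQ or of this report), a POSIX sh snippet that checks a proposed module name against a `semodule -l` listing and picks an unused one before `semodule -i` replaces a module that happens to share the name. The listing and the .te contents are constructed samples; `module_loaded`, `next_free_module_name` and `rename_te_module` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Loading a module whose name is
# already registered upgrades that module in place, so its earlier rules are
# gone; check the registered names first and choose a free one.

# Constructed sample in the layout "semodule -l" prints (name, tab, version).
# On a real host use: LISTING=$(semodule -l)
LISTING='local	1.0
local2	1.0
mymail	1.2'

# Constructed sample .te file (the rule itself is illustrative only).
LOCAL_TE='module local 1.0;

require {
	type procmail_t;
	type mail_spool_t;
	class file read;
}

allow procmail_t mail_spool_t:file read;'

# module_loaded NAME LISTING -> exit 0 if NAME is the first column of some line
module_loaded() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# next_free_module_name BASE LISTING -> BASE if unused, else BASE2, BASE3, ...
next_free_module_name() {
    base=$1 listing=$2 candidate=$1 n=1
    while module_loaded "$candidate" "$listing"; do
        n=$((n + 1))
        candidate="$base$n"
    done
    printf '%s\n' "$candidate"
}

# rename_te_module TE_TEXT NEWNAME -> the same .te text with its "module" header
# renamed, so checkmodule/semodule_package produce NEWNAME.pp
rename_te_module() {
    printf '%s\n' "$1" | sed "s/^module [^ ]* /module $2 /"
}

# Usage on the samples: choose a free name and rewrite the header to match.
NAME=$(next_free_module_name local "$LISTING")
rename_te_module "$LOCAL_TE" "$NAME" > "$NAME.te.example"
echo "would build and load $NAME.pp from $NAME.te.example"
rm -f "$NAME.te.example"
```

With the sample listing the script settles on `local3`. Keeping every .te you have loaded (in version control, say) is the practical answer to idea 1 in the comment: the policy store holds only the compiled module, and the .te is what you merge future rules into.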



Comment 3 2009-06-08 19:58:43 UTC
This project has been moved to  Please either make the necessary changes or use the "discussion" page for requests for changes.
