2008-10-25 22:37:49

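Following the Red Hat documentation, use chcat -- +Marketing filename to add the file filename to the Marketing category. However, neither the user hesidu, who is in the Marketing category, nor root is able to add it. The error shown is: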
chcon: failed to change context of financerecords.txt to user_u:object_r:user_home_t:s0:c0: 权限不够


SELinux is preventing /usr/bin/chcon (unconfined_t) "relabelto" to financerecord.txt (bin_t).

Detailed Description

SELinux denied access requested by /usr/bin/chcon. It is not expected that this access is required by /usr/bin/chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for financerecord.txt, restorecon -v financerecord.txt If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information

Source Context:  user_u:system_r:unconfined_t
Target Context:  user_u:object_r:bin_t:Marketing
Target Objects:  financerecord.txt [ file ]
Affected RPM Packages:  coreutils-5.97-12.1.el5 [application]
Policy RPM:  selinux-policy-2.4.6-30.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count:  3
Line Numbers:  

Raw Audit Messages :avc: denied { relabelto } for comm="chcon" dev=dm-0 egid=0 euid=0 exe="/usr/bin/chcon" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="financerecord.txt" pid=23994 scontext=user_u:system_r:unconfined_t:s0 sgid=0 subj=user_u:system_r:unconfined_t:s0 suid=0 tclass=file tcontext=user_u:object_r:bin_t:s0:c0 tty=pts0 uid=0

chinaunix user 2009-09-18 23:47:55

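Hello! I am a programmer, currently building a monitoring system for hp-us servers, and there are many things I do not understand that I would like to ask you about. I hope to get in touch with you! My QQ: 25914476. I would very much like to talk with you! Looking forward to hearing from you!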

chinaunix user 2008-10-25 22:48:35

object_r In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together entities which perform actions (for example, processes). All such entities are collectively referred to as subjects. For this reason, all objects have the role object_r, and the role is only used as a placeholder in the label.