Bug 1271996

Summary: No SELinux boolean to allow tmpwatch on samba_share_t or nfs_t
Product: Red Hat Enterprise Linux 6 Reporter: Eva Mrakova <emrakova>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.7CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-282.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1218330 Environment:
Last Closed: 2016-05-10 20:02:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eva Mrakova 2015-10-15 09:09:03 UTC 
Also present on RHEL6 for
selinux-policy-3.7.19-279.el6_7.6.noarch

+++ This bug was initially created as a clone of Bug #1218330 +++

Description of problem:
Right now running tmpwatch on directories being labelled as samba_share_t
or nfs_t leads to AVC denied messages, which might be right in the first
case but it should be possible to allow it via SELinux booleans through -
because we have backups on NFS that are cleaned up with tmpwatch or also
a samba share for temporary files being watched by tmpwatch. Both fails as
of writing due to the too strict SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-23.el7.noarch
tmpwatch-2.11-5.el7.x86_64

How reproducible:
Everytime, label a directory with samba_share_t or nfs_t and run tmpwatch.

Actual results:
No SELinux boolean to allow tmpwatch on samba_share_t or nfs_t.

Expected results:
SELinux boolean to allow tmpwatch on samba_share_t or nfs_t.

Additional info:
type=AVC msg=audit(1430425770.447:23279): avc:  denied  { setattr } for  pid=19622 comm="tmpwatch" name="our-nfs-directory" dev="0:35" ino=40965 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1430425770.447:23279): arch=x86_64 syscall=utime success=no exit=EACCES a0=4042b7 a1=7fff4ea61d70 a2=7fb7d1c377b8 a3=7fff4ea61ac0 items=0 ppid=101823 pid=19622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=493 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
Comment 4 errata-xmlrpc 2016-05-10 20:02:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html