Bug 309351

Summary: SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "read" to (man_t).
Product: [Fedora] Fedora Reporter: Matthew Saltzman <mjs>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 19:07:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Saltzman 2007-09-27 17:16:28 UTC
Description of problem:
SELinux denied access requested by /usr/sbin/tmpwatch. It is not expected that
this access is required by /usr/sbin/tmpwatch and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-13.fc8

How reproducible:
Sometimes

Steps to Reproduce:
1. /etc/crond.daily/tmpwatch
2.
3.
  
Actual results:
Access violation

Expected results:
No access violation

Additional info:
Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:man_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-1 [application]
Policy RPM:  selinux-policy-3.0.8-13.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  valkyrie.localdomain
Platform:  Linux valkyrie.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24
21:42:57 EDT 2007 x86_64 x86_64
Alert Count:  18
First Seen:  Thu 27 Sep 2007 11:47:39 AM EDT
Last Seen:  Thu 27 Sep 2007 11:47:39 AM EDTLocal
ID:  10a16c25-ed1e-4246-8526-496e8cf93e6b
Line Numbers:  
Raw Audit Messages :avc: denied { read } for comm=tmpwatch dev=dm-0 egid=0
euid=0 exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=cat1
pid=12671 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:man_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-09-27 18:27:44 UTC
Any idea why tmpreaper would be reading the man directories?

Comment 2 Matthew Saltzman 2007-09-27 19:14:39 UTC
The Daily tmpwatch script is:

#! /bin/sh
/usr/sbin/tmpwatch -x /tmp/.X11-unix -x /tmp/.XIM-unix -x /tmp/.font-unix \
        -x /tmp/.ICE-unix -x /tmp/.Test-unix 10d /tmp
/usr/sbin/tmpwatch 30d /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
        /usr/sbin/tmpwatch -f 30d "$d"
    fi
done

So I guess it's the /var/cache/man and/or /var/catman directories that are at issue.

Comment 3 Daniel Walsh 2007-09-27 19:36:59 UTC
Fixed in selinux-policy-3.0.8-15.fc8.src.rpm


Comment 4 Daniel Walsh 2008-01-30 19:07:03 UTC
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.