Bug 334641
| Summary: | tmpwatch should be able to getattr anything | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Mraz <tmraz> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-10-17 12:59:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tomas Mraz
2007-10-16 15:30:24 UTC
That is not the way SELinux works. If you moved /etc/shadow to /tmp, it would need to be able to remove shadow_t, which would allow it to wipe out the shadow file. This looks like you moved something from /root to /tmp, and it is causing the AVC.

How would it allow it to wipe the shadow file if it is in /etc? /etc doesn't have tmp_t, so tmpwatch cannot remove anything there. tmpwatch should simply be able to remove anything from a tmp_t directory. You're trying to restrict it too much. If I put anything in /tmp, be it something originally from /root or /etc or whatever, I cannot expect it to stay there forever. Of course tmpwatch shouldn't be able to read the contents of files in /tmp.

Again you might be right, but that is not the way SELinux works. The kernel gets a request for tmpreaper_t to delete shadow_t or, in this case, sysadm_home_dir_t. It does not check if somewhere in the path there is a tmp_t and that is ok. So it gets denied because tmpreaper_t cannot delete sysadm_home_dir_t no matter where they are found. I don't see how this can be fixed.
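The point of the exchange above is that a type-enforcement decision looks only at the object's own label, never at the path that leads to it, so a file renamed from /root into /tmp keeps sysadm_home_dir_t and stays out of tmpreaper_t's reach. The model below is an added example, not code from this bug or from selinux-policy: the allow rules, file names and AVC message strings are constructed, and the `relabel` helper stands in for what `restorecon` would do to a stray file under /tmp. It contrasts three outcomes: the policy as discussed (moved files denied), the widening requested in the report (which would also let tmpreaper_t unlink shadow_t wherever it sits, the risk Dan raises), and relabelling the stray files to the directory default instead.

```python
"""Toy type-enforcement model of the tmpwatch / tmpreaper_t denial.

Added example, not part of the Bugzilla thread or of selinux-policy.
Every allow rule and every file below is constructed for illustration.
"""
from dataclasses import dataclass, replace

# Constructed subset of allow rules, keyed (source_type, target_type, class).
ALLOW = {
    ("tmpreaper_t", "tmp_t", "file"): {"getattr", "unlink"},
    ("tmpreaper_t", "tmp_t", "dir"): {"getattr", "search", "read", "write",
                                      "remove_name", "rmdir"},
}


@dataclass(frozen=True)
class Inode:
    path: str
    cls: str       # object class: "file" or "dir"
    seltype: str   # type field of the security context


def allowed(rules, source, inode, perm):
    """Type enforcement: only the object's own label is consulted, not its path."""
    return perm in rules.get((source, inode.seltype, inode.cls), set())


def avc_denial(source, inode, perm):
    """Constructed message in the shape audit.log uses for an AVC denial."""
    name = inode.path.rsplit("/", 1)[-1]
    return (f'avc: denied {{ {perm} }} for comm="tmpwatch" name="{name}" '
            f'scontext=system_u:system_r:{source}:s0 '
            f'tcontext=system_u:object_r:{inode.seltype}:s0 tclass={inode.cls}')


def mv(inode, new_path):
    """rename(2) keeps the inode, and with it the label; the destination
    directory's default type is not applied to a moved file."""
    return replace(inode, path=new_path)


def relabel(inode, seltype="tmp_t"):
    """What restorecon would do for a path under /tmp (constructed default type)."""
    return replace(inode, seltype=seltype)


def reap(entries, rules=ALLOW, source="tmpreaper_t"):
    """One tmpwatch pass: return (removed paths, AVC denial messages)."""
    removed, denials = [], []
    for ino in entries:
        perm = "unlink" if ino.cls == "file" else "rmdir"
        if allowed(rules, source, ino, perm):
            removed.append(ino.path)
        else:
            denials.append(avc_denial(source, ino, perm))
    return removed, denials


def scenarios():
    stale = Inode("/tmp/build.log", "file", "tmp_t")                         # created in /tmp
    notes = mv(Inode("/root/notes.txt", "file", "sysadm_home_dir_t"), "/tmp/notes.txt")
    shadow_copy = mv(Inode("/etc/shadow", "file", "shadow_t"), "/tmp/shadow")
    etc_shadow = Inode("/etc/shadow", "file", "shadow_t")                     # the real one
    tmp = [stale, notes, shadow_copy]

    # 1. Policy as discussed: moved files keep their labels and are denied.
    as_is = reap(tmp)

    # 2. The widening asked for in the report: let tmpreaper_t unlink every
    #    type it meets under /tmp. The rule is per type, not per path, so it
    #    equally allows unlink on /etc/shadow itself.
    widened = {k: set(v) for k, v in ALLOW.items()}
    for ino in tmp:
        widened.setdefault(("tmpreaper_t", ino.seltype, ino.cls), set()).add("unlink")
    widened_run = reap(tmp, widened)

    # 3. Relabel the stray files to the /tmp default instead of touching policy.
    relabeled_run = reap([relabel(ino) for ino in tmp])

    return {
        "as_is": as_is,
        "widened": widened_run,
        "relabeled": relabeled_run,
        "etc_shadow_unlink_under_widened": allowed(widened, "tmpreaper_t", etc_shadow, "unlink"),
        "etc_shadow_unlink_under_default": allowed(ALLOW, "tmpreaper_t", etc_shadow, "unlink"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

On a real host the equivalent checks are `ls -Z /tmp` to see which entries carry a non-tmp_t label, and `restorecon -Rv /tmp` to reset them to the directory's default context, after which tmpwatch can remove them without any change to policy.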