Bug 334641

Summary: tmpwatch should be able to getattr anything
Product: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: low
Priority: low
Reporter: Tomas Mraz <tmraz>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Doc Type: Bug Fix
Last Closed: 2007-10-17 12:59:07 UTC

Description Tomas Mraz 2007-10-16 15:30:24 UTC
Here is what setroubleshoot reports on my rawhide machine:

Summary
    SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to
    /tmp/gdb.txt (sysadm_home_dir_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/tmpwatch. It is not expected
    that this access is required by /usr/sbin/tmpwatch and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /tmp/gdb.txt, restorecon -v
    /tmp/gdb.txt If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:sysadm_home_dir_t
Target Objects                /tmp/gdb.txt [ file ]
Affected RPM Packages         tmpwatch-2.9.11-1 [application]
Policy RPM                    selinux-policy-3.0.8-22.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     vespa.kabelta.loc
Platform                      Linux vespa.kabelta.loc 2.6.23-0.187.rc6.git7.fc8
                              #1 SMP Tue Sep 18 17:29:48 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 16 Oct 2007 03:39:42 PM CEST
Last Seen                     Tue 16 Oct 2007 03:39:42 PM CEST
Local ID                      d08de7a1-cf28-49b0-886b-bf4a1d0da047
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=tmpwatch dev=dm-0 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/tmp/gdb.txt
pid=8841 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:sysadm_home_dir_t:s0 tty=(none) uid=0

I think that tmpwatch should be able to getattr a file with any context and remove
anything in tmp_t directories.

Comment 1 Daniel Walsh 2007-10-17 02:41:48 UTC
That is not the way SELinux works.  If you moved /etc/shadow to /tmp, it would
need to be able to remove shadow_t, which would allow it to wipe out the shadow
file.

This looks like you moved something from /root to /tmp, and it is causing the AVC.

Comment 2 Tomas Mraz 2007-10-17 07:21:36 UTC
How would it allow wiping the shadow file if it is in /etc? /etc doesn't have tmp_t,
so tmpwatch cannot remove anything there. tmpwatch should simply be able to
remove anything from a tmp_t directory. You're trying to restrict it too much.

If I put anything in /tmp, be it something originally from /root or /etc or
whatever, I cannot expect it to stay there forever. Of course tmpwatch shouldn't
be able to read the contents of files in /tmp.

Comment 3 Daniel Walsh 2007-10-17 12:59:07 UTC
Again you might be right, but that is not the way SELinux works.  The kernel
gets a request for tmpreaper_t to delete shadow_t or, in this case,
sysadm_home_dir_t.  It does not check if somewhere in the path there is a tmp_t
and that is ok.

So it gets denied because tmpreaper_t cannot delete sysadm_home_dir_t no matter
where they are found.

I don't see how this can be fixed.
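The type-enforcement check that comment 3 describes, as an added illustration that is not part of the bug report: it parses the raw AVC record from the description and evaluates it against a small, hypothetical allow table (not the real selinux-policy rules), showing that the decision keys only on the source and target types, the object class and the permission, so the path /tmp/gdb.txt (and the tmp_t label of the directory above it) plays no part.

```python
import re

# Constructed copy of the denial from the bug report, joined onto one line.
AVC_LINE = ("avc: denied { getattr } for comm=tmpwatch dev=dm-0 egid=0 euid=0 "
            "exe=/usr/sbin/tmpwatch exit=-13 path=/tmp/gdb.txt pid=8841 "
            "scontext=system_u:system_r:tmpreaper_t:s0 tclass=file "
            "tcontext=system_u:object_r:sysadm_home_dir_t:s0 tty=(none) uid=0")

# Hypothetical, trimmed-down allow rules in the spirit of the tmpreaper policy
# (not the real selinux-policy): (source type, target type, class) -> permissions.
ALLOW = {
    ("tmpreaper_t", "tmp_t", "file"): {"getattr", "unlink"},
    ("tmpreaper_t", "tmp_t", "dir"): {"getattr", "search", "remove_name", "rmdir"},
}

def parse_avc(line):
    """Extract the result, the requested permissions and the key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["result"] = m.group(1)
    fields["perms"] = set(m.group(2).split())
    return fields

def context_type(ctx):
    """user:role:type[:range] -> type (the only part type enforcement uses)."""
    return ctx.split(":")[2]

def te_decision(stype, ttype, tclass, perm, allow=ALLOW):
    """Type-enforcement check: the kernel looks up (source type, target type,
    class) and asks whether perm is allowed. Nothing about the object's path,
    or the label of any parent directory, enters the decision."""
    return perm in allow.get((stype, ttype, tclass), set())

def check_avc(line, allow=ALLOW):
    """Re-evaluate every permission in an AVC record against the allow table."""
    f = parse_avc(line)
    stype, ttype = context_type(f["scontext"]), context_type(f["tcontext"])
    return {p: te_decision(stype, ttype, f["tclass"], p, allow) for p in f["perms"]}

if __name__ == "__main__":
    print(check_avc(AVC_LINE))                                  # {'getattr': False}
    print(check_avc(AVC_LINE.replace("sysadm_home_dir_t", "tmp_t")))  # {'getattr': True}
```

Relabelling the file to tmp_t (the target type the hypothetical rule covers) is the only change that flips the result; moving it to a different directory while it keeps sysadm_home_dir_t does not.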