Bug 355641
| Summary: | tmpwatch access not allowed | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ulrich Drepper <drepper> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-01-30 19:19:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-3.0.8-40.fc8 Still not fixed in selinux-policy-targeted-3.0.8-42.fc8 Are you sure you fixed it? I saw - Allow tmpreaper to search logs directory in the changelog but this is different. fixed in selinux-policy-2.6.4-48.fc7 Put in rawhide pool but not in f8. Sorry. fixed in selinux-policy-3.0.8-44.fc7 Sorry cut and paste error. Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen. |
Description of problem: tmpwatch watchinf /tmp which is a separate partition will come across lost+found which is tagged lost_found_t. These accesses should not be logged. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.0.8-33.fc8.noarch How reproducible: always, it seems Steps to Reproduce: 1.create partition for /tmp 2.run tmpwatch 3. Actual results: message below Expected results: no message Additional info: The is the setroubleshoot browser Summary SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /tmp/lost+found (lost_found_t). Detailed Description SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /tmp/lost+found, restorecon -v /tmp/lost+found If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq- fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:tmpreaper_t:s0 Target Context system_u:object_r:lost_found_t:s0 Target Objects /tmp/lost+found [ dir ] Affected RPM Packages Policy RPM selinux-policy-3.0.8-33.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name x61.akkadia.org Platform Linux x61.akkadia.org 2.6.23.1-35.fc8 #1 SMP Wed Oct 24 20:20:44 EDT 2007 x86_64 x86_64 Alert Count 4 First Seen Tue 16 Oct 2007 11:41:10 PM PDT Last Seen Sat 27 Oct 2007 04:31:44 PM PDT Local ID fd0a2937-094c-4419-92dc-0e6911e45240 Line Numbers Raw Audit Messages avc: denied { getattr } for comm=tmpwatch dev=sda6 path=/tmp/lost+found pid=12510 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:lost_found_t:s0