Bug 355641

Summary: tmpwatch access not allowed
Product: [Fedora] Fedora Reporter: Ulrich Drepper <drepper>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Current Doc Type: Bug Fix
Last Closed: 2008-01-30 19:19:21 UTC

Description Ulrich Drepper 2007-10-28 05:11:55 UTC
Description of problem:
tmpwatch watching /tmp which is a separate partition will come across lost+found
which is tagged lost_found_t.  These accesses should not be logged.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-33.fc8.noarch

How reproducible:
always, it seems

Steps to Reproduce:
1. create partition for /tmp
2. run tmpwatch

Actual results:
message below

Expected results:
no message

Additional info:
This is the setroubleshoot browser

Summary
    SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /tmp/lost+found
    (lost_found_t).

Detailed Description
    SELinux denied access requested by tmpwatch. It is not expected that this
    access is required by tmpwatch and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /tmp/lost+found, restorecon -v
    /tmp/lost+found If this does not work, there is currently no automatic way
    to allow this access. Instead,  you can generate a local policy module to
    allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling
    SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:lost_found_t:s0
Target Objects                /tmp/lost+found [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-33.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     x61.akkadia.org
Platform                      Linux x61.akkadia.org 2.6.23.1-35.fc8 #1 SMP Wed
                              Oct 24 20:20:44 EDT 2007 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 16 Oct 2007 11:41:10 PM PDT
Last Seen                     Sat 27 Oct 2007 04:31:44 PM PDT
Local ID                      fd0a2937-094c-4419-92dc-0e6911e45240
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=tmpwatch dev=sda6 path=/tmp/lost+found
pid=12510 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:lost_found_t:s0
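
The raw AVC line above is exactly what audit2allow turns into a local policy rule when the access is legitimate. As an added example (not code from this bug, setroubleshoot or the selinux-policy package), the following parses that denial and emits the allow rule and a minimal module source; the sample line is the report's message reflowed onto one line.

```python
"""Derive the allow rule an SELinux AVC denial asks for, as audit2allow does.
Added example for this bug report; not code from setroubleshoot or the
selinux-policy package."""
import re
from collections import defaultdict

# The denial quoted in the bug report, reflowed onto one line (constructed input).
SAMPLE_AVC = (
    "avc: denied { getattr } for comm=tmpwatch dev=sda6 path=/tmp/lost+found "
    "pid=12510 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir "
    "tcontext=system_u:object_r:lost_found_t:s0"
)

def parse_avc(line):
    """Return (perms, source_type, target_type, tclass), or None if not a denial."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    fields = dict(re.findall(r"\b(scontext|tcontext|tclass)=(\S+)", line))
    if not m or not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    # A context is user:role:type[:range]; the policy rule only needs the type.
    stype, ttype = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))
    return frozenset(m.group(1).split()), stype, ttype, fields["tclass"]

def fmt(perms):
    """Policy syntax: a single permission is bare, several are braced."""
    joined = " ".join(sorted(perms))
    return joined if len(perms) == 1 else "{ " + joined + " }"

def collect(lines):
    """Union the permissions per (source, target, class) across many denials."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            wanted[(stype, ttype, tclass)] |= perms
    return wanted

def allow_rules(lines):
    """One allow rule per (source, target, class), sorted for stable output."""
    return [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(collect(lines).items())]

def module_source(name, lines):
    """Render a minimal local module (audit2allow -M style) for the denials."""
    wanted = collect(lines)
    classes = defaultdict(set)
    for (_, _, tclass), perms in wanted.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted({t for k in wanted for t in k[:2]})]
    out += [f"    class {c} {fmt(p)};" for c, p in sorted(classes.items())]
    return "\n".join(out + ["}", ""] + allow_rules(lines)) + "\n"
```

Only write such a rule into a local module when the access is expected, as it is for tmpwatch traversing /tmp here; an unexpected denial is a signal to keep, not to silence.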

Comment 1 Daniel Walsh 2007-10-30 02:33:11 UTC
Fixed in selinux-policy-3.0.8-40.fc8

Comment 2 Ulrich Drepper 2007-11-01 04:17:32 UTC
Still not fixed in

selinux-policy-targeted-3.0.8-42.fc8

Are you sure you fixed it?  I saw

 - Allow tmpreaper to search logs directory

in the changelog but this is different.

Comment 3 Daniel Walsh 2007-11-01 15:56:26 UTC
fixed in selinux-policy-2.6.4-48.fc7

Put in rawhide pool but not in f8.  Sorry.

Comment 4 Daniel Walsh 2007-11-01 16:01:22 UTC
fixed in selinux-policy-3.0.8-44.fc7

Sorry cut and paste error.

Comment 5 Daniel Walsh 2008-01-30 19:19:21 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.