Bug 438384

Summary: tmpwatch cannot access alloc when running compiz-fusion with firefox
Product: [Fedora] Fedora
Reporter: Taylor Boatright <brightboy89>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
CC: jkubin, mitr
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Fedora 9
Doc Type: Bug Fix
Last Closed: 2008-05-31 01:46:21 UTC
Attachments:
SElinux alert for this problem. (flags: none)

Description Taylor Boatright 2008-03-20 17:58:02 UTC
Description of problem: SElinux is preventing tmpwatch (tmpreaper_t) "setattr"
to ./alloc (usr_t)

Version-Release number of selected component (if applicable):


How reproducible: Run compiz-fusion icon with FireFox running with multiple tabs
 or windows.


Steps to Reproduce:
1. Launch Compiz-fusion
2. Launch FireFox
3. Browse to sites with multimedia and/or have multiple windows/tabs open.
  
Actual results:  FireFox freezes and requires a force quit, SElinux opens giving
the warning.


Expected results:


Additional info:  When SElinux opens it says to allow access to invoke the
command "restorecon -v './alloc'; however, when I do this,

Comment 1 Taylor Boatright 2008-03-20 17:58:02 UTC
Created attachment 298723
SElinux alert for this problem.

Comment 2 Miloslav Trmač 2008-03-21 14:00:54 UTC
Is the Firefox behavior reproducible?

As far as I know, firefox doesn't start tmpwatch nor does it depend on tmpwatch
- so either something is mislabeled (and run as tmpreaper_t when it shouldn't),
or the tmpwatch report is unrelated to firefox hanging.

As for the AVC itself, tmpwatch will touch anything in /tmp - so either it
should be allowed to change the inode times, or dontaudited (perhaps deny - with
dontaudit - even stat()ing the file).

Comment 3 Taylor Boatright 2008-03-21 15:58:41 UTC
I believe the FireFox issue is with compiz-fusion and having FireFox open in
more than one workspace.  As for the tmpwatch, I believe it may actually have to
do with Force Quitting but I am still unsure, I will post more information when
it happens again.

Comment 4 Daniel Walsh 2008-03-21 23:14:54 UTC
Yes this has nothing to do with SELinux.  You or some app has mv'd a file
"alloc" to /tmp from /usr which ended up with the wrong context.  Either delete
the file/directory or

chcon -Rt tmp_t /tmp/alloc

This AVC happening at the same time is a coincidence.


The other problem is a firefox issue, reassigning.
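
An added example (not part of the original bug report or of any commenter's code) of the triage comment 4 describes: it scans AVC denials for tmpwatch (tmpreaper_t) touching objects whose type is not a temporary-file type and prints the `chcon` relabel for review. The log lines are constructed samples in the standard audit.log AVC layout; the function names, the /tmp location, and the rule that any type containing `tmp` counts as correctly labelled are assumptions.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials raised against tmpwatch.
# The log lines below are constructed samples, not taken from the bug's attachment.

sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1206035882.101:45): avc:  denied  { setattr } for  pid=2301 comm="tmpwatch" name="alloc" dev=dm-0 ino=98313 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1206035882.140:46): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1206035883.007:47): avc:  denied  { setattr } for  pid=2301 comm="tmpwatch" name="scratch" dev=dm-0 ino=98400 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
}

# Read AVC lines on stdin. For each denial whose source type is tmpreaper_t
# and whose target type is not a temp-file type (assumption: the type name
# contains "tmp"), print "name target_type class".
find_mislabeled_tmp_entries() {
    awk '
    / avc: / && /denied/ {
        name = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "tmpreaper_t" && ttype !~ /tmp/) print name, ttype, tclass
    }'
}

# Turn each finding into the relabel command from comment 4. The command is
# printed for review, never executed. Assumes the entry sits directly in /tmp.
suggest_relabel() {
    find_mislabeled_tmp_entries | while read -r name ttype tclass; do
        printf 'chcon -Rt tmp_t /tmp/%s   # was %s (%s)\n' "$name" "$ttype" "$tclass"
    done
}
```

On a live system the input would come from the audit log instead of `sample_avc_log`, for example `ausearch -m avc -c tmpwatch | suggest_relabel`.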

Comment 5 Taylor Boatright 2008-03-22 16:20:41 UTC
I actually believe the FireFox issue comes from having two FireFox windows open
in two different workspaces.  Thank you for the help with the tmp issue though.