Bug 442161

Summary: SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./pdftex (var_lib_t).
Product: Fedora
Component: texlive
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Reporter: petrosyan
Assignee: Jindrich Novy <jnovy>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: covex, dwalsh, jkubin, jnovy, ma, mitr, pertusus, pknirsch, wwoods
Doc Type: Bug Fix
Last Closed: 2008-04-29 00:43:26 EDT
Bug Blocks: 235706

Description petrosyan 2008-04-12 04:15:57 EDT

SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./pdftex (var_lib_t).

Detailed Description:

SELinux denied access requested by tmpwatch. It is not expected that this access
is required by tmpwatch and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./pdftex,

restorecon -v './pdftex'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./pdftex [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-34.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25-0.218.rc8.git7.fc9.x86_64 #1 SMP Wed Apr 9
                              19:55:19 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 12 Apr 2008 04:11:27 AM EDT
Last Seen                     Sat 12 Apr 2008 04:11:27 AM EDT
Local ID                      52a7f95b-449c-4c84-8d3c-c2c857053189
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1207987887.636:39): avc:  denied 
{ setattr } for  pid=18085 comm="tmpwatch" name="pdftex" dev=sda3 ino=123203
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1207987887.636:39):
arch=c000003e syscall=132 success=no exit=-13 a0=4030ba a1=7fff89353230
a2=3383967a60 a3=3383967a58 items=0 ppid=18084 pid=18085 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023

Comment 1 Daniel Walsh 2008-04-14 09:21:57 EDT
Is tetex mv'ing files from /var/lib to /tmp which tmpwatch is then trying to
manipulate?  Or is it somehow telling tmpwatch to look at these files?  I have
not been able to figure out what is going on here.
Comment 2 Adam Pribyl 2008-04-18 04:41:19 EDT
I do not understand that either, but it seems tmpwatch is for some reason
scanning /var/lib/texmf. This is maybe a question for the tmpwatch maintainer, then.
Comment 3 Jindrich Novy 2008-04-18 05:58:26 EDT
Yup, tetex puts mostly %ghosted stuff to /var/lib/texmf, which is mostly fmt files
for things like dvips/pdftex, etc.

Hmmm, I'm not aware of any moves between /var/lib -> /tmp or vice versa. Maybe
tmpwatch mistakenly looks for tmp files in the whole /var instead of /var/tmp?
Comment 4 Miloslav Trmač 2008-04-18 06:08:46 EDT
This has nothing to do with /tmp, the TeX package explicitly asks tmpwatch to
work on /var/lib/texmf:

  $ cat /etc/cron.daily/texlive.cron 
  # Remove TeX fonts not used in 180 days
  /usr/sbin/tmpwatch 4320 /var/lib/texmf
  exit 0

The access should probably just be allowed, perhaps adding a new type for TeX fonts.
Comment 5 Daniel Walsh 2008-04-19 06:00:27 EDT
The problem here is the postinstall of the tetex file.  It is creating these
files and directories in the post install, but never fixing the labeling.

At the end of the postinstall you need to add a

restorecon -R /var/lib/texmf

which will fix the labeling.

Then tmpwatch will be able to manipulate the files.

Another option would be to put this call into install-info
Comment 6 Will Woods 2008-04-28 18:42:08 EDT
* Tue Apr 01 2008 Jindrich Novy <jnovy@redhat.com> - 2007-18
- run restorecon in fonts subpackage to fix bad SELinux contexts

Sure enough, %post in the -fonts package has:
  /sbin/restorecon -R %{_texmf_var}/

And /var/lib/texmf has tetex_data_t on all my rawhide systems. So.. is this bug
Comment 7 Jindrich Novy 2008-04-29 00:43:26 EDT
Sure, just forgot to close it :)
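The triage Dan Walsh did by hand in comment 5 (is the denial a labeling bug that restorecon fixes, or a real policy gap?) as an added example that is not part of the bug report or of the texlive, tmpwatch or selinux-policy packages. The first sample line mirrors the AVC record in the report (which, as quoted, carries no scontext= field); the second is constructed, and the expected type for the path (tetex_data_t, per comment 6) is passed in by the caller, standing in for what matchpathcon would report on a real system.

```python
import re

# Constructed sample AVC records: the first mirrors the denial in this report
# (note: no scontext= field), the second is a made-up complete record.
SAMPLE_LINES = [
    'host=localhost.localdomain type=AVC msg=audit(1207987887.636:39): avc:  denied '
    '{ setattr } for  pid=18085 comm="tmpwatch" name="pdftex" dev=sda3 ino=123203 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1207987900.100:40): avc:  denied  { read write } for  '
    'pid=18090 comm="tmpwatch" name="web2c" dev=sda3 ino=123300 '
    'scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Perms and key fields of an AVC denial, or None for any other audit
    record. Fields missing from the line (e.g. scontext) come back as None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'perms': m.group('perms').split()}
    for key in ('comm', 'name', 'tclass', 'scontext', 'tcontext'):
        rec[key] = fields.get(key)
    return rec

def context_type(ctx):
    """user:role:type[:range] -> type; None if the context was not logged."""
    return ctx.split(':')[2] if ctx else None

def classify(avc, expected_type):
    """expected_type is what the file-context rules assign to the object's path
    (what restorecon would apply). A mismatch is a labeling bug, not a policy gap."""
    actual = context_type(avc['tcontext'])
    if actual != expected_type:
        return 'mislabeled: %s is %s, restorecon would set %s' % (
            avc['name'], actual, expected_type)
    return 'policy gap: %s lacks { %s } on %s:%s' % (
        context_type(avc['scontext']) or '<domain not logged>',
        ' '.join(avc['perms']), actual, avc['tclass'])

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        avc = parse_avc(line)
        print(avc['comm'], avc['name'], '->', classify(avc, 'tetex_data_t'))
```

On a live system the expected type comes from `matchpathcon /var/lib/texmf/<name>` and the relabel is `restorecon -R /var/lib/texmf`, exactly the fix the -fonts %post ended up carrying.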