Bug 444922

Summary: three AVC messages after default install
Product: [Fedora] Fedora Reporter: John Poelstra <poelstra>
Component: texlive-texmfAssignee: Jindrich Novy <jnovy>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: katzj, olenb, pertusus, pknirsch, wwoods
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-06 02:39:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 235706    

Description John Poelstra 2008-05-01 22:46:44 UTC 
Description of problem:
three AVC messages after default install of 20080501 rawhide

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-42.fc9.noarch.rpm


Summary:

SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./tex (var_lib_t).

Detailed Description:

SELinux denied access requested by tmpwatch. It is not expected that this access
is required by tmpwatch and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./tex,

restorecon -v './tex'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./tex [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-8.fc9.i686 #1
                              SMP Wed Apr 23 03:56:19 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 01 May 2008 03:11:55 PM EDT
Last Seen                     Thu 01 May 2008 03:11:55 PM EDT
Local ID                      6ecba3f8-9f60-4c3e-bc2d-78c151ba7096
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1209669115.721:28): avc:  denied 
{ setattr } for  pid=7708 comm="tmpwatch" name="tex" dev=dm-0 ino=529421
scontext=system_u:system_r:tmpreaper_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1209669115.721:28):
arch=40000003 syscall=30 success=no exit=-13 a0=804ac62 a1=bfb3b634 a2=0
a3=94df6b8 items=0 ppid=7706 pid=7708 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Summary:

SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./dvips (var_lib_t).

Detailed Description:

SELinux denied access requested by tmpwatch. It is not expected that this access
is required by tmpwatch and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dvips,

restorecon -v './dvips'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./dvips [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-8.fc9.i686 #1
                              SMP Wed Apr 23 03:56:19 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 01 May 2008 03:11:55 PM EDT
Last Seen                     Thu 01 May 2008 03:11:55 PM EDT
Local ID                      70971920-3ed1-44b8-857f-d3953d94bd68
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1209669115.422:27): avc:  denied 
{ setattr } for  pid=7708 comm="tmpwatch" name="dvips" dev=dm-0 ino=529419
scontext=system_u:system_r:tmpreaper_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1209669115.422:27):
arch=40000003 syscall=30 success=no exit=-13 a0=804ac62 a1=bfb3b3d4 a2=0
a3=94e16f8 items=0 ppid=7706 pid=7708 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Summary:

SELinux is preventing tmpwatch (tmpreaper_t) "setattr" to ./pdftex (var_lib_t).

Detailed Description:

SELinux denied access requested by tmpwatch. It is not expected that this access
is required by tmpwatch and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./pdftex,

restorecon -v './pdftex'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:tmpreaper_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./pdftex [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-8.fc9.i686 #1
                              SMP Wed Apr 23 03:56:19 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 01 May 2008 03:11:55 PM EDT
Last Seen                     Thu 01 May 2008 03:11:55 PM EDT
Local ID                      e5885fb5-22fa-4f56-bbfa-e20fffa5848c
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1209669115.375:26): avc:  denied 
{ setattr } for  pid=7708 comm="tmpwatch" name="pdftex" dev=dm-0 ino=529420
scontext=system_u:system_r:tmpreaper_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1209669115.375:26):
arch=40000003 syscall=30 success=no exit=-13 a0=804ac62 a1=bfb3b3d4 a2=0
a3=94e16f8 items=0 ppid=7706 pid=7708 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch"
exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-05-02 12:16:03 UTC 
This is a te
Comment 2 Daniel Walsh 2008-05-02 12:16:43 UTC 
*** Bug 444846 has been marked as a duplicate of this bug. ***
Comment 3 Jindrich Novy 2008-05-02 12:46:10 UTC 
John, just to be sure, do you have texlive-2007-29 and texlive-2007-20 installed
what shows the described problem? I assumed I fixed that in texlive-2007-29.
Comment 4 John Poelstra 2008-05-02 15:33:03 UTC 
It will take me a bit to get to the virtual host and check on the packages
there.  I did a very simple anaconda install of 20080501 selecting the "Desktop"
group w/ NO customization.
Comment 5 Jeremy Katz 2008-05-02 16:37:40 UTC 
The version of texlive tagged for f9-final is currently texlive-2007-28.fc9.   
If you'd like newer tagged, please send rationale to rel-eng

http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy
Comment 6 John Poelstra 2008-05-02 19:53:53 UTC 
Just did a fresh install of 20080502 rawhide.  I completed a default install
(selecting the desktop group only) and ran gnome-terminal and firefox and then
the host sat there for a while.  When I came back I saw the three AVCs above. 
I'm guessing cron kicked off tmpwatch which then triggered the AVCs?

Here is what is installed:
[root@localhost ~]# rpm -qa |grep -i tex | sort
gettext-0.17-4.fc9.i386
libtextcat-2.2-5.fc9.i386
openoffice.org-writer2latex-0.5-2.fc9.i386
texinfo-4.11-5.fc9.i386
texinfo-tex-4.11-5.fc9.i386
texlive-2007-28.fc9.i386
texlive-dvips-2007-28.fc9.i386
texlive-latex-2007-28.fc9.i386
texlive-texmf-2007-20.fc9.noarch
texlive-texmf-dvips-2007-20.fc9.noarch
texlive-texmf-errata-2007-4.fc9.noarch
texlive-texmf-errata-dvips-2007-4.fc9.noarch
texlive-texmf-errata-fonts-2007-4.fc9.noarch
texlive-texmf-errata-latex-2007-4.fc9.noarch
texlive-texmf-fonts-2007-20.fc9.noarch
texlive-texmf-latex-2007-20.fc9.noarch
texlive-utils-2007-28.fc9.i386
tex-preview-11.85-7.fc9.noarch
Comment 7 Jeremy Katz 2008-05-04 17:02:33 UTC 
After doing an install with -29 in my package set, it looks like I'm still going
to hit this as the contents of /var/lib/texmf/web2c are still labeled
rpm_script_t.  Also, there's now an error in the install.log from the %post of
texlive-texmf-fonts
  Installing texlive-texmf-fonts
  No such file or directory
  error: %post scriptlet failed, exit status 1
Comment 8 Will Woods 2008-05-05 19:17:23 UTC 
The three directories involved are not owned by any package; I assume they're
created by the %post script of one of the texlive packages but I have no idea which.

Since texlive-texmf-fonts does the restorecon in its %post, those directories
must be getting created after that happens. Checking my install.log that leaves
the following texlive packages:

texlive
texlive-dvips
texlive-latex
texlive-texmf-latex
Comment 9 Jindrich Novy 2008-05-05 19:41:33 UTC 
Please try it again with the new packages:

1) texlive-2007-30.fc9
http://koji.fedoraproject.org/koji/taskinfo?taskID=596593

2) texlive-texmf-2007-22.fc9
http://koji.fedoraproject.org/koji/taskinfo?taskID=596580
Comment 10 Bill Nottingham 2008-05-05 20:37:14 UTC 
With those packages, the data in /var/lib/texmf/web2c is labelled tetex_data_t.
Moreover, manually invoking the tmpwatch and texlive cron jobs show no errors.

Submitting as non-scratch builds.
Comment 11 Will Woods 2008-05-05 20:58:06 UTC 
Confirmed - an install with the scratch builds added as an extra repo had no
scriptlet errors and none of the SELinux problems mentioned here.
Comment 12 Jindrich Novy 2008-05-06 02:39:41 UTC 
Thanks for testing. Closing RAWHIDE as everything seems to be done now.