Bug 470844

Summary: SELinux is preventing tmpwatch (tmpreaper_t) "rmdir" to ./kdecache-jim (samba_share_t).
Product: Fedora
Reporter: Samster <jbfmail>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX
QA Contact: Ben Levenson <benl>
Severity: low
Priority: medium
Version: 8
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-10 21:35:38 UTC

Description Samster 2008-11-10 16:20:29 UTC
Description of problem:
SELinux denied access requested by tmpwatch. It is not expected that this access is required by tmpwatch and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./kdecache-jim:

restorecon -v './kdecache-jim'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Version-Release number of selected component (if applicable):
libselinux-python-2.0.43-1.fc8
libselinux-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-121.fc8
libselinux-2.0.43-1.fc8
selinux-policy-3.0.8-121.fc8
selinux-policy-devel-3.0.8-121.fc8


Additional info:

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  unconfined_u:object_r:samba_share_t:s0
Target Objects:  ./kdecache-jim [ dir ]
Source:  tmpwatch
Source Path:  /usr/sbin/tmpwatch
Port:  <Unknown>
Host:  meteor
Source RPM Packages:  tmpwatch-2.9.11-2
Policy RPM:  selinux-policy-3.0.8-121.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  meteor
Platform:  Linux meteor 2.6.26.6-49.fc8 #1 SMP Fri Oct 17 15:33:32 EDT 2008 x86_64 x86_64
Alert Count:  5
First Seen:  Wed 05 Nov 2008 08:32:35 AM EST
Last Seen:  Mon 10 Nov 2008 09:00:02 AM EST
Local ID:  b27c6f61-f715-4f69-8f98-72e207cfc7cc

Raw Audit Messages: 

host=meteor type=AVC msg=audit(1226325602.93:22): avc: denied { rmdir } for pid=3861 comm="tmpwatch" name="kdecache-jim" dev=dm-0 ino=31260718 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir 

host=meteor type=SYSCALL msg=audit(1226325602.93:22): arch=c000003e syscall=84 success=no exit=-13 a0=212e06b a1=402d48 a2=401431 a3=402f62 items=0 ppid=3858 pid=3861 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-11-10 19:52:46 UTC
What directory do you have labeled samba_share_t?

Comment 2 Samster 2008-11-10 20:27:21 UTC
/tmp/kde-jim/ksycoca -> /var/tmp/kdecache-jim/ksycoca
ksycoca: symbolic link to `/var/tmp/kdecache-jim/ksycoca'

kdecache-jim within /var/tmp is labeled samba_share_t

-----------------------------------------------------

Within the kdecache-jim directory are two other files labeled samba_share_t:

drwx------  jim jim unconfined_u:object_r:samba_share_t:s0 help
-rw-rw-r--  jim jim unconfined_u:object_r:samba_share_t:s0 ksycoca

The 'help' directory is empty.

Comment 3 Daniel Walsh 2008-11-10 21:35:38 UTC
Well, then the question is: do you want to allow tmpreaper to delete these files? If yes, you can update the policy to allow it.

# grep samba_share_t /var/log/audit/audit.log | audit2allow -M mytmpreaper
# semodule -i mytmpreaper.pp

Or just delete the files/directory yourself.
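As an added example, not from the report or from the Fedora SELinux tooling, the Python below parses AVC records like the one in the raw audit messages above into the fields `audit2allow` reasons about, and aggregates them into the allow rule that the `grep ... | audit2allow -M mytmpreaper` pipeline in Comment 3 would put in the module. The sample log reuses the report's AVC and SYSCALL lines and adds a second, constructed unlink denial; the `require` block that a real .te file carries is omitted.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC and SYSCALL records quoted in this report
# plus a second, constructed AVC denial (unlink on a file in the same dir).
SAMPLE_AUDIT_LOG = """\
host=meteor type=AVC msg=audit(1226325602.93:22): avc: denied { rmdir } for pid=3861 comm="tmpwatch" name="kdecache-jim" dev=dm-0 ino=31260718 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir
host=meteor type=SYSCALL msg=audit(1226325602.93:22): arch=c000003e syscall=84 success=no exit=-13 comm="tmpwatch" exe="/usr/sbin/tmpwatch"
host=meteor type=AVC msg=audit(1226325700.10:23): avc: denied { unlink } for pid=3870 comm="tmpwatch" name="ksycoca" dev=dm-0 ino=31260720 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["perms"] = fields["perms"].split()  # "{ read write }" -> 2 perms
    return fields

def type_of(context):
    """user:role:type:level -> type; only the type matters for a TE rule."""
    return context.split(":")[2]

def te_rules(log_text, target_type=None):
    """Aggregate denials into the allow rules `audit2allow -M` would emit.
    target_type narrows to one target type, like the grep in Comment 3."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
        if target_type and tgt != target_type:
            continue
        rules[(src, tgt, d["tclass"])].update(d["perms"])
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out
```

Spelling the rule out shows what the module grants: tmpreaper_t gets rmdir on every samba_share_t directory, not only this one, which is why the restorecon suggestion in the description is the narrower fix when the label itself is wrong.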