Bug 567454

Summary: SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpNJCaKB file descriptor.
Product: Fedora
Reporter: Michael S. <misc>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 13
CC: adam, alex, bochecha, bruce, christoph.wickert, dwalsh, ekanter, frankly3d, gholms, herrold, jlaska, lkundrak, magnus.tuominen, manuel.wolfshant, martin.nad89, mbooth, mgrepl, misek, npajkovs, sanjay.ankur, sgallagh, sjoerd, sundaram
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:0c310a1715cde1963764a4dfa43e4fc6b8ff0f853583faff36746a755066ce45
Fixed In Version: selinux-policy-3.7.19-23.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-06 13:22:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  ausearch -m avc -ts recent (attachment 427396)   Flags: none
  tz ausearch (attachment 429581)                  Flags: none

Description Michael S. 2010-02-23 00:42:42 UTC
Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpNJCaKB
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpNJCaKB. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpNJCaKB [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.11.90-12
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.9-4.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33-0.44.rc8.git0.fc13.i686.PAE #1 SMP Sat Feb
                              13 02:29:36 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Tue 23 Feb 2010 01:38:14 CET
Last Seen                     Tue 23 Feb 2010 01:38:15 CET
Local ID                      5bfb9513-125e-499e-858e-677a3e457c1b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1266885495.204:24851): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=b6cc618 a1=b6cc600 a2=bf827ed0 a3=ffffffff items=0 ppid=6642 pid=6724 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  leaks,tzdata-update,tzdata_t,tmp_t,file,read,append
audit2allow suggests:

#============= tzdata_t ==============
allow tzdata_t tmp_t:file { read append };

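The descriptor-leak mechanism the setroubleshoot text above describes, as an added example that is not code from this report, from mock, glibc or setroubleshoot: a parent process opens a temp file (a name of the shape /tmp/tmpNJCaKB is what Python's tempfile module produces, and mock is a Python program that drives rpm, whose glibc-common package scriptlet runs /usr/sbin/tzdata-update), then execs a child without close-on-exec set on that descriptor, and the child arrives in its new domain (tzdata_t) still holding a tmp_t file it has no rule for. The probe child, the fd-audit helper and the use of Python 3's os.set_inheritable to flip FD_CLOEXEC both ways are this example's own choices; the inference that the leaked file came from tempfile is mine, not something the thread states.

```python
import os
import subprocess
import sys
import tempfile

# Code the child runs after exec(): it is handed the fd number plus the
# (st_dev, st_ino) of the file the parent opened and reports whether that
# exact file is still reachable through that fd number. Comparing the inode
# guards against the number having been reused for something else.
_PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    print("closed")
else:
    print("inherited" if (st.st_dev, st.st_ino) == (dev, ino) else "reused")
"""


def fd_survives_exec(inheritable: bool) -> bool:
    """Open a temp file the way a Python parent would (tempfile, 'tmp'
    prefix), set or clear FD_CLOEXEC on it, exec a child, and return True
    when the child can still reach the file through the inherited fd."""
    with tempfile.NamedTemporaryFile(prefix="tmp") as tmp:
        fd = tmp.fileno()
        st = os.fstat(fd)
        # Python 3.4+ opens files with O_CLOEXEC (PEP 446); Python 2 did
        # not, so flip the flag explicitly to show both behaviours.
        os.set_inheritable(fd, inheritable)
        # close_fds=False leaves the decision to exec() and FD_CLOEXEC
        # alone, which is what a plain fork()+execv() in C does.
        proc = subprocess.run(
            [sys.executable, "-c", _PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
            capture_output=True, text=True, close_fds=False, check=True,
        )
    return proc.stdout.strip() == "inherited"


def inheritable_fds(max_fd: int = 256) -> list:
    """Audit the calling process: which descriptors below max_fd would a
    child inherit across exec()? Run this just before spawning a process
    that changes SELinux domain to find the leak before the AVC does."""
    leaks = []
    for fd in range(max_fd):
        try:
            if os.get_inheritable(fd):
                leaks.append(fd)
        except OSError:
            continue  # not an open descriptor
    return leaks


def leak_detected_before_exec() -> bool:
    """Self-check of inheritable_fds(): an inheritable temp file must show up."""
    with tempfile.NamedTemporaryFile(prefix="tmp") as tmp:
        os.set_inheritable(tmp.fileno(), True)
        return tmp.fileno() in inheritable_fds()


if __name__ == "__main__":
    print("FD_CLOEXEC set,   child still holds file:", fd_survives_exec(False))
    print("FD_CLOEXEC clear, child still holds file:", fd_survives_exec(True))
    print("inheritable fds in this process:", inheritable_fds())
```

The second call is the situation in the AVC: the child is a different program, in a different SELinux domain, holding a descriptor it never asked for. With a real domain transition the kernel revokes such descriptors at exec time and logs the AVC, which is why the message says the leak is "closed" and the program still runs.
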
Comment 1 Michael S. 2010-02-23 00:47:48 UTC
It occurred when building a package with mock, using the Fedora CVS makefile on autogen, for F-13:
cvs/autogen/F-13 $ make mockbuild


the build failed, but I think that's not related to this error.

Comment 2 Daniel Walsh 2010-02-23 14:37:37 UTC
Miroslav we are going to need a policy for mock.

Comment 3 Fedora Update System 2010-03-12 19:44:04 UTC
selinux-policy-3.7.14-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-1.fc13

Comment 4 Fedora Update System 2010-03-14 13:37:52 UTC
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-3.fc13

Comment 5 Fedora Update System 2010-03-20 03:34:10 UTC
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Mathieu Bridon 2010-05-24 00:45:02 UTC
This still happens with selinux-policy-3.7.19-15.fc13.noarch.

Note that as mentioned in the original report, SELinux doesn't actually deny anything:
[tzdata-update a un type permissif (tzdata_t). Cet accès n'a pas été refusé.]

This is rather annoying though. May I reopen the bug?

Comment 7 Daniel Walsh 2010-05-25 15:17:11 UTC
Please attach the latest avc information, to make sure you are seeing the same problem.

Comment 8 Michael S. 2010-05-25 17:49:22 UTC
Here it is:


Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpv5fHOU
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpv5fHOU. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpv5fHOU [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          akroma.ephaone.org
Source RPM Packages           glibc-common-2.12-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     akroma.ephaone.org
Platform                      Linux akroma.ephaone.org 2.6.33.2-57.fc13.i686.PAE
                              #1 SMP Tue Apr 20 08:58:17 UTC 2010 i686 i686
Alert Count                   8
First Seen                    Tue 23 Feb 2010 01:38:14 CET
Last Seen                     Tue 25 May 2010 19:44:39 CEST
Local ID                      5bfb9513-125e-499e-858e-677a3e457c1b
Line Numbers                  

Raw Audit Messages            

node=akroma.ephaone.org type=AVC msg=audit(1274809479.889:118): avc:  denied  { read append } for  pid=20198 comm="tzdata-update" path="/tmp/tmpv5fHOU" dev=dm-1 ino=13761 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=akroma.ephaone.org type=AVC msg=audit(1274809479.889:118): avc:  denied  { read append } for  pid=20198 comm="tzdata-update" path="/tmp/tmpv5fHOU" dev=dm-1 ino=13761 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=akroma.ephaone.org type=SYSCALL msg=audit(1274809479.889:118): arch=40000003 syscall=11 per=8 success=yes exit=0 a0=a58e8d0 a1=a575dd0 a2=bf862160 a3=ffffffff items=0 ppid=20114 pid=20198 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

Comment 9 Miroslav Grepl 2010-05-26 14:08:54 UTC
Dan, 
we do not audit it in F12.

Comment 10 Daniel Walsh 2010-05-26 20:21:19 UTC
Fixed in selinux-policy-3.7.19-22.fc13.noarch

Comment 11 Fedora Update System 2010-05-28 12:27:39 UTC
selinux-policy-3.7.19-22.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 12 Fedora Update System 2010-05-31 18:19:38 UTC
selinux-policy-3.7.19-22.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-22.fc13

Comment 13 Fedora Update System 2010-06-02 18:11:31 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-23.fc13

Comment 14 Fedora Update System 2010-06-08 19:26:09 UTC
selinux-policy-3.7.19-23.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 James Laska 2010-06-21 13:11:30 UTC
I still am hitting this bug when using selinux-policy-3.7.19-28.fc13.noarch

Are other changes required to resolve the reported issue?

Comment 16 Daniel Walsh 2010-06-21 13:17:38 UTC
Could you attach the latest "ausearch -m avc -ts recent" output.

Comment 17 James Laska 2010-06-23 12:41:12 UTC
(In reply to comment #16)
> Could you attach the latest "ausearch -m avc -ts recent" output.    

Odd, I'm not seeing it anymore.  I've had selinux-policy-3.7.19-28.fc13 installed since Tue 15 Jun 2010.  Of course, I accidentally deleted the AVC so 'ausearch' shows nothing.  I'll update the bug if this AVC returns.

Comment 18 James Laska 2010-06-28 12:35:49 UTC
Created attachment 427396 [details]
ausearch -m avc -ts recent

(In reply to comment #16)
> Could you attach the latest "ausearch -m avc -ts recent" output.    

See attached output from ...

$ ausearch -m avc -ts recent

Comment 19 Daniel Walsh 2010-06-28 13:49:51 UTC
The strange part is the tmp file is labeled tmp_t?  If a user process created it, it would be user_tmp_t, rpm creates rpm_tmp_t, init scripts create initrc_tmp_t.


Any idea what is triggering this?

Comment 20 Frank Murphy 2010-07-05 18:36:00 UTC
Created attachment 429581 [details]
tz ausearch

Comment 21 Frank Murphy 2010-07-05 18:37:36 UTC
(In reply to comment #20)
> Created an attachment (id=429581) [details]
> tz ausearch    

x86_64 box

selinux-policy-3.7.19-33.fc13.noarch
mock-1.1.1-1.fc13.noarch

Comment 22 Daniel Walsh 2010-07-12 19:24:09 UTC
Were you using func or puppet to do an update?

Comment 23 Frank Murphy 2010-07-12 19:27:54 UTC
I don't have either installed.
I just update with yum host & guests.

Comment 24 Daniel Walsh 2010-07-12 21:14:17 UTC
Ok you are using mock though?

Comment 25 Frank Murphy 2010-07-12 21:22:00 UTC
(In reply to comment #24)
> Ok you are using mock though?    


Using mock on the host.

Comment 26 Daniel Walsh 2010-07-13 13:13:54 UTC
This is being triggered by the mislabeled packagekitd.

chcon -t rpm_exec_t /usr/libexec/packagekitd

Should fix the problem until the new selinux-policy package gets released.

Comment 27 Miroslav Grepl 2010-07-19 10:23:40 UTC
selinux-policy-3.7.19-37.fc13 has been pushed to the Fedora 13 testing
repository.  If problems still persist, please make note of it in this bug
report.

If you want to test the update, you can install it with 

su -c 'yum --enablerepo=updates-testing update selinux-policy'.  

You can provide feedback for this update here:
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-37.fc13

Comment 28 Magnus Tuominen 2010-07-22 17:22:53 UTC
Summary:

SELinux is preventing /usr/sbin/tzdata-update access to a leaked /tmp/tmpmgFivi
file descriptor.

Detailed Description:

[tzdata-update has a permissive type (tzdata_t). This access was not denied.]

SELinux denied access requested by the tzdata-update command. It looks like this
is either a leaked descriptor or tzdata-update output was redirected to a file
it is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /tmp/tmpmgFivi. You should generate a bugzilla on selinux-policy,
and it will get routed to the appropriate package. You can safely ignore this
avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmp_t:s0
Target Objects                /tmp/tmpmgFivi [ file ]
Source                        tzdata-update
Source Path                   /usr/sbin/tzdata-update
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-common-2.12-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-37.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux megatron 2.6.33.6-147.fc13.x86_64 #1 SMP Tue
                              Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 22 Jul 2010 05:23:05 PM EEST
Last Seen                     Thu 22 Jul 2010 05:46:30 PM EEST
Local ID                      05b013fa-f302-4165-bee4-887d4de3101d
Line Numbers                  

Raw Audit Messages            

node=megatron type=AVC msg=audit(1279809990.89:25247): avc:  denied  { read append } for  pid=2937 comm="tzdata-update" path="/tmp/tmpmgFivi" dev=sda2 ino=67183 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=megatron type=AVC msg=audit(1279809990.89:25247): avc:  denied  { read append } for  pid=2937 comm="tzdata-update" path="/tmp/tmpmgFivi" dev=sda2 ino=67183 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

node=megatron type=SYSCALL msg=audit(1279809990.89:25247): arch=c000003e syscall=59 per=8 success=yes exit=0 a0=4de42b0 a1=6423720 a2=7fff8f1296c0 a3=fffffff8 items=0 ppid=2925 pid=2937 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="tzdata-update" exe="/usr/sbin/tzdata-update" subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null)

using
mock-1.1.1-1.fc13.noarch

Comment 29 Alex Lancaster 2010-07-29 06:17:30 UTC
I am still getting this selinux warning with:

rpm -q selinux-policy
selinux-policy-3.7.19-39.fc13.noarch

Comment 30 Daniel Walsh 2010-07-29 14:41:55 UTC
This fix will not fix the mock issue.  We are working on fixes for mock/yum/rpm/selinux-policy to allow mock to run without generating AVCs and putting down labels.  I am not sure if this has made its way into Rawhide yet.

You can add a local policy to dontaudit this AVC.

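The two policy answers the thread offers, audit2allow's `allow` rule in the description (comment 0) and the local `dontaudit` module suggested in comment 30, as one added example that is not code from the report, from audit2allow or from selinux-policy: it parses the raw AVC records quoted in this bug into (source type, target type, class, permissions), merges repeated denials the way audit2allow does, and renders a loadable-module .te source with either verb. The module name tzdata_leak, the regex and the helper names are this example's own; the sample lines are copied from comments 0 and 8, and the SYSCALL record is a shortened copy included to show that non-AVC lines are skipped.

```python
import re
from collections import OrderedDict

# Matches the pieces of a type=AVC record that a type-enforcement rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# AVC lines quoted in this report (comments 0 and 8): same source type,
# target type and class each time; only pid, path and inode differ.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 '
    'comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 '
    'scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1274809479.889:118): avc:  denied  { read append } for  pid=20198 '
    'comm="tzdata-update" path="/tmp/tmpv5fHOU" dev=dm-1 ino=13761 '
    'scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
    # Shortened copy of the SYSCALL record from comment 8: not an AVC, skipped.
    'type=SYSCALL msg=audit(1274809479.889:118): arch=40000003 syscall=11 success=yes '
    'comm="tzdata-update" exe="/usr/sbin/tzdata-update"',
]


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, the only part a TE rule refers to."""
    return ctx.split(":")[2]


def parse_avcs(lines):
    """Yield (source_type, target_type, tclass, set_of_perms) per AVC line."""
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def merge_rules(avcs):
    """Collapse repeated denials into one rule per (src, tgt, class),
    unioning the permissions, as audit2allow does."""
    merged = OrderedDict()
    for src, tgt, cls, perms in avcs:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return merged


def policy_module(name, rules, dontaudit=True):
    """Render a loadable-module .te source. dontaudit=True silences the AVC
    without granting anything (the right answer for a harmless fd leak);
    dontaudit=False reproduces audit2allow's 'allow' suggestion, which
    actually widens what tzdata_t may touch in tmp_t."""
    types, classes = set(), {}
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};"
              for cls in sorted(classes)]
    lines += ["}", ""]
    verb = "dontaudit" if dontaudit else "allow"
    lines += [f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
              for (src, tgt, cls), perms in rules.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    te = policy_module("tzdata_leak", merge_rules(parse_avcs(SAMPLE_AVCS)))
    print(te)
    # Build and load the module (checkpolicy + policycoreutils, as root):
    #   checkmodule -M -m -o tzdata_leak.mod tzdata_leak.te
    #   semodule_package -o tzdata_leak.pp -m tzdata_leak.mod
    #   semodule -i tzdata_leak.pp
```

Prefer the dontaudit form for this bug: the descriptor is something tzdata-update never asked for, so granting `read append` on every tmp_t file would only paper over the leak in the parent, which is what the later comments trace to mock and a mislabeled packagekitd.
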
Comment 31 Fedora Admin XMLRPC Client 2010-11-08 21:51:34 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 32 Fedora Admin XMLRPC Client 2010-11-08 21:52:55 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 33 Fedora Admin XMLRPC Client 2010-11-08 21:55:30 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 34 Bug Zapper 2011-06-02 16:26:43 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping