Bug 680682

Summary: SELinux is preventing /sbin/setfiles from read, append access on the file /tmp/tmpWX1ItE.
Product: [Fedora] Fedora Reporter: mand0s
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 13 CC: bugs2rl, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:11e0b2adbf930806779856fd7c4ec93cbaf8d1c3b44e7bba7b64efafd3d1ee8d
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-27 22:44:11 UTC Type: ---

Description mand0s 2011-02-26 23:17:46 UTC
SELinux is preventing /sbin/setfiles from read, append access on the file /tmp/tmpWX1ItE.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If setfiles should have read append access to the tmpWX1ItE file by default.
Then please report this as a bug.
You can create a local policy module to allow this access.
Do
allow this access temporarily by executing the commands:
# grep restorecon /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If the attempt by setfiles to read append access the tmpWX1ItE file should be ignored, because it should not need this access.
Then you should report this as a bug.
You can create a local policy module to deny this access.
Do
# grep /sbin/setfiles /var/log/audit/audit.log | audit2allow -D -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                /tmp/tmpWX1ItE [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.83-33.1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-76.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.34.7-66.fc13.i686.PAE #1 SMP Wed Dec 15
                              07:21:49 UTC 2010 i686 i686
Alert Count                   2
First Seen                    nie, 27 lut 2011, 00:05:53
Last Seen                     nie, 27 lut 2011, 00:05:53
Local ID                      3c0c260d-2e5e-4b3d-bd4e-3bf68e545567

Raw Audit Messages
type=AVC msg=audit(1298761553.907:85): avc:  denied  { read append } for  pid=11820 comm="restorecon" path="/tmp/tmpWX1ItE" dev=sda4 ino=1105993 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1298761553.907:85): arch=i386 syscall=execve success=yes exit=0 a0=8198cc0 a1=81956e0 a2=8195468 a3=81956e0 items=0 ppid=11735 pid=11820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=restorecon exe=/sbin/setfiles subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash: restorecon,setfiles_t,initrc_tmp_t,file,read,append

audit2allow

#============= setfiles_t ==============
allow setfiles_t initrc_tmp_t:file { read append };

audit2allow -R

#============= setfiles_t ==============
allow setfiles_t initrc_tmp_t:file { read append };

Comment 1 Miroslav Grepl 2011-02-27 22:44:11 UTC

*** This bug has been marked as a duplicate of bug 680681 ***