Bug 708568

Summary: SELinux is preventing /bin/systemd-tmpfiles from 'getattr' accesses on the fifo_file /tmp/.sandbox-CyrusHMH-ORZ8P7/icedteaplugin-CyrusHMH/15979-icedteanp-appletviewer-to-plugin.
Product: [Fedora] Fedora Reporter: cyrushmh <cyrusyzgtt>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: cyrusyzgtt, dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:199711c42db4bca02342d4139ef762fb0e3a07b67b7b31e293a370b7372df4b4
Fixed In Version: selinux-policy-3.9.16-30.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-11 11:31:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description cyrushmh 2011-05-28 03:52:32 UTC 
SELinux is preventing /bin/systemd-tmpfiles from 'getattr' accesses on the fifo_file /tmp/.sandbox-CyrusHMH-ORZ8P7/icedteaplugin-CyrusHMH/15979-icedteanp-appletviewer-to-plugin.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed getattr access on the 15979-icedteanp-appletviewer-to-plugin fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                unconfined_u:object_r:sandbox_file_t:s0:c474,c963
Target Objects                /tmp/.sandbox-CyrusHMH-ORZ8P7/icedteaplugin-
                              CyrusHMH/15979-icedteanp-appletviewer-to-plugin [
                              fifo_file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <未知>
Host                          (removed)
Source RPM Packages           systemd-units-26-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    2011年05月28日 星期六 11时34分52秒
Last Seen                     2011年05月28日 星期六 11时34分52秒
Local ID                      86ed05d6-bd8a-43e3-8829-b4d207716a44

Raw Audit Messages
type=AVC msg=audit(1306553692.772:94): avc:  denied  { getattr } for  pid=2706 comm="systemd-tmpfile" path="/tmp/.sandbox-CyrusHMH-ORZ8P7/icedteaplugin-CyrusHMH/15979-icedteanp-appletviewer-to-plugin" dev=sda6 ino=1199065 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c474,c963 tclass=fifo_file


type=SYSCALL msg=audit(1306553692.772:94): arch=x86_64 syscall=newfstatat success=yes exit=0 a0=7 a1=9c5193 a2=7fff222b5af0 a3=100 items=0 ppid=1 pid=2706 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,sandbox_file_t,fifo_file,getattr

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t sandbox_file_t:fifo_file getattr;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t sandbox_file_t:fifo_file getattr;
Comment 1 Dominick Grift 2011-05-28 18:46:55 UTC 
I guess we need mcs_read_all, mcs_write_all constraints for fifo_files (might want to do lnk_file sock_file and maybe chr_file and blk_file as well while were at it, looks like only files and dirs are currently supported, and they have getattr exempted. Or just run tmpfilesd on mcs_systemhigh. That is assuming that tempfilesd should be allowed to purge this content.
Comment 2 Dominick Grift 2011-05-28 18:51:39 UTC 
Scratch that, i guess this is a type enforcement issue.
Comment 3 Dominick Grift 2011-05-28 19:46:26 UTC 
Allow systemd_tmpfiles_t to purge sandbox_files_t pipes:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=9b40e3e9574cff1d56c9a223e25bc6a9f75d217e
Comment 4 Miroslav Grepl 2011-05-30 07:57:25 UTC 
Fixed in selinux-policy-3.9.16-27.fc15
Comment 5 Fedora Update System 2011-06-10 10:49:32 UTC 
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
Comment 6 Fedora Update System 2011-06-11 04:28:52 UTC 
Package selinux-policy-3.9.16-29.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2011-06-24 03:52:19 UTC 
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.