Bug 732014

Summary: SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the file cimv2.21.0-interop.mof.
Product: [Fedora] Fedora Reporter: Adam Hough <adam.hough>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e9310835c7df15650fe1a276c30163fa824ca05924ffd77d1e22ac05d050e13e
Fixed In Version: selinux-policy-3.9.16-39.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-06 00:02:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Hough 2011-08-19 13:08:51 UTC 
SELinux is preventing /bin/systemd-tmpfiles from 'unlink' accesses on the file cimv2.21.0-interop.mof.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow systemd-tmpfiles to have unlink access on the cimv2.21.0-interop.mof file
Then you need to change the label on cimv2.21.0-interop.mof
Do
# semanage fcontext -a -t FILE_TYPE 'cimv2.21.0-interop.mof'
where FILE_TYPE is one of the following: man_t, tmp_t, var_auth_t, file_t, lockfile, pidfile, tmpfile, sandbox_file_t, user_home_t, faillog_t, rpm_var_lib_t, etc_runtime_t. 
Then execute: 
restorecon -v 'cimv2.21.0-interop.mof'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that systemd-tmpfiles should be allowed unlink access on the cimv2.21.0-interop.mof file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_tmpfiles_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                cimv2.21.0-interop.mof [ file ]
Source                        systemd-tmpfile
Source Path                   /bin/systemd-tmpfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-units-26-8.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686 #1 SMP Fri Jul 29
                              18:54:39 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 01 Aug 2011 10:09:22 PM CDT
Last Seen                     Fri 12 Aug 2011 09:09:49 AM CDT
Local ID                      bc1885a6-cf10-4e13-886e-ad181dfd0c23

Raw Audit Messages
type=AVC msg=audit(1313158189.670:87): avc:  denied  { unlink } for  pid=2261 comm="systemd-tmpfile" name="cimv2.21.0-interop.mof" dev=dm-2 ino=331736 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1313158189.670:87): arch=i386 syscall=unlinkat success=yes exit=0 a0=6 a1=9d6a7db a2=0 a3=bfe263b0 items=0 ppid=1 pid=2261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)

Hash: systemd-tmpfile,systemd_tmpfiles_t,usr_t,file,unlink

audit2allow

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:file unlink;

audit2allow -R

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t usr_t:file unlink;
Comment 1 Daniel Walsh 2011-08-20 10:45:34 UTC 
Any idea where cimv2.21.0-interop.mof was located?
Comment 2 Adam Hough 2011-08-30 13:48:27 UTC 
Sorry, I was not using this system for about a week so did not get a chance to figure out the answer to your question until now.

The full path to the file is: /usr/share/libvirt-cim/cimv2.21.0-interop_mof. This file is part of the libvirt-cim.i686 package.

I have no idea why this is happening or an opinion as to whether it should or should not have access to do what it is trying to do.
Comment 3 Daniel Walsh 2011-08-30 17:01:17 UTC 
Did you move a copy of this file to /tmp?
Comment 4 Daniel Walsh 2011-08-30 17:02:12 UTC 
Miroslav we are allowing this in F16 now.
Comment 5 Miroslav Grepl 2011-09-05 11:55:14 UTC 
Fixed in selinux-policy-3.9.16-39.fc15
Comment 6 Fedora Update System 2011-09-08 08:12:25 UTC 
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Comment 7 Fedora Update System 2011-09-09 05:28:32 UTC 
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2011-10-06 00:02:50 UTC 
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.