| Summary: | SELinux is preventing /usr/sbin/tzdata-update from 'read' accesses on the directory /home/avignon. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | avignon <anselme.vignon> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dominick.grift, dwalsh, juraad, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f33bcedf37b17212322098ac8c74533c774e94f1fdcbd85e42add9797e19318a | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-08-26 21:29:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 751853 | ||
Do you know when this happened? Were you updating system? Were you doing a yum update while sitting in your homedir? Hi All, I was actually performing an yum update from my home directory. is there a problem with doing so ? (the upgrade was the one following a switch from testing to rawhide repositories, for a new computer) No, it just that some apps have a nasty habit of searching their current directory when they start, If they are confined, you will see an AVC message like this, the app will work fine, and you can ignore this avc. If you don't want to see these just cd /; yum -y update And you should be fine. |
SELinux is preventing /usr/sbin/tzdata-update from 'read' accesses on the directory /home/avignon. ***** Plugin catchall (50.5 confidence) suggests *************************** If you believe that tzdata-update should be allowed read access on the avignon directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep tzdata-update /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ***** Plugin leaks (50.5 confidence) suggests ****************************** If you want to ignore tzdata-update trying to read access the avignon directory, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/sbin/tzdata-update /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:user_home_dir_t:s0 Target Objects /home/avignon [ dir ] Source tzdata-update Source Path /usr/sbin/tzdata-update Port <Unknown> Host (removed) Source RPM Packages glibc-common-2.14-5 Target RPM Packages Policy RPM selinux-policy-3.9.16-38.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.40.3-0.fc15.i686 #1 SMP Tue Aug 16 04:24:09 UTC 2011 i686 i686 Alert Count 1 First Seen Tue 23 Aug 2011 12:58:38 PM CEST Last Seen Tue 23 Aug 2011 12:58:38 PM CEST Local ID 517cc20d-9968-4f7a-982d-9f824f28b655 Raw Audit Messages type=AVC msg=audit(1314097118.942:99): avc: denied { read } for pid=5253 comm="tzdata-update" path="/home/avignon" dev=dm-2 ino=6946817 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1314097118.942:99): arch=i386 syscall=execve success=yes exit=0 a0=8050b67 a1=bf9b3718 a2=bf9b371c a3=6 items=0 ppid=3826 pid=5253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=tzdata-update exe=/usr/sbin/tzdata-update subj=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 key=(null) Hash: tzdata-update,tzdata_t,user_home_dir_t,dir,read audit2allow #============= tzdata_t ============== allow tzdata_t user_home_dir_t:dir read; audit2allow -R #============= tzdata_t ============== allow tzdata_t user_home_dir_t:dir read;