Bug 786861

Summary: SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on default_t /tmp files
Product: Fedora
Reporter: Jeff Bastian <jbastian>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:8f228cf65e15de03efb6f81a30ae4fcefbe9caed21eed9c305d9449048dad82b
Doc Type: Bug Fix
Last Closed: 2012-03-15 15:46:02 UTC

Description Jeff Bastian 2012-02-02 15:29:08 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.2-1.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on the None updates-6.1-ksdevice.img.
time:           Thu 02 Feb 2012 09:27:35 AM CST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on the None updates-6.1-ksdevice.img.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that tmpwatch should be allowed unlink access on the updates-6.1-ksdevice.img <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:default_t:s0
:Target Objects                updates-6.1-ksdevice.img [ None ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    <Unknown>
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.2-1.fc16.x86_64 #1
:                              SMP Thu Jan 26 03:21:58 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Thu 02 Feb 2012 08:52:03 AM CST
:Last Seen                     Thu 02 Feb 2012 08:52:03 AM CST
:Local ID                      dc7119ab-0bac-4e54-9399-8713d05f7bda
:
:Raw Audit Messages
:type=AVC msg=audit(1328194323.744:300): avc:  denied  { unlink } for  pid=4435 comm="tmpwatch" name="updates-6.1-ksdevice.img" dev=dm-1 ino=25042953 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=filenode=(removed) type=SYSCALL msg=audit(1328194323.744:300): arch=c000003e syscall=87 success=no exit=-13 a0=24b7fc3 a1=40470b a2=24b7170 a3=7fff526cc208 items=0 ppid=4433 pid=4435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: tmpwatch,tmpreaper_t,default_t,None,unlink
:
:audit2allow
:
:
:audit2allow -R
:
:
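As an added illustration (not part of this bug report or of setroubleshoot's own code), a small parser that reads the AVC and SYSCALL records quoted above, joins them by audit serial, decodes the failed syscall and errno, and recognises the tmpreaper_t-on-default_t case; the sample text, the syscall table and the set of generic file types are my own constructed assumptions:

```python
import errno
import re
# Constructed sample: the AVC and SYSCALL records quoted in this report,
# split back into the two lines auditd actually writes.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1328194323.744:300): avc:  denied  { unlink } for  pid=4435 comm="tmpwatch" name="updates-6.1-ksdevice.img" dev=dm-1 ino=25042953 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1328194323.744:300): arch=c000003e syscall=87 success=no exit=-13 a0=24b7fc3 a1=40470b a2=24b7170 a3=7fff526cc208 items=0 ppid=4433 pid=4435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
"""
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]+) \} for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNLINK_SYSCALLS_X86_64 = {87: 'unlink', 263: 'unlinkat'}  # valid for arch=c000003e only
GENERIC_TYPES = {'default_t', 'unlabeled_t'}  # no file-context rule matched the path

def kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_avc(line):
    m = AVC_RE.search(line)
    f = kv(m.group(3))
    return {'verdict': m.group(1), 'perms': m.group(2).split(), 'name': f.get('name'),
            'stype': f['scontext'].split(':')[2],   # source (process) type
            'ttype': f['tcontext'].split(':')[2]}   # target (file) type

def parse_syscall(line):
    f = kv(line)
    ret = int(f['exit'])  # negative errno on failure, e.g. -13 is EACCES
    return {'exe': f.get('exe'), 'ret': ret, 'errno': errno.errorcode.get(-ret),
            'syscall': UNLINK_SYSCALLS_X86_64.get(int(f['syscall']), f['syscall'])}

def parse_audit(text):
    # Group AVC and SYSCALL records by audit serial so each denial is read with its syscall.
    events = {}
    for line in text.splitlines():
        serial = int(SERIAL_RE.search(line).group(1))
        if line.startswith('type=AVC '):
            events.setdefault(serial, {})['avc'] = parse_avc(line)
        elif line.startswith('type=SYSCALL '):
            events.setdefault(serial, {})['syscall'] = parse_syscall(line)
    return events

def explain(event):
    avc = event['avc']
    if avc['verdict'] != 'denied':
        return 'not a denial'
    if avc['stype'] == 'tmpreaper_t' and avc['ttype'] in GENERIC_TYPES:
        return ('tmpwatch could not remove %s: it is labelled %s, not a tmp type; '
                'relabel with chcon (restorecon skips /tmp) or allow it in policy'
                % (avc['name'], avc['ttype']))
    return '%s denied %s on %s' % (avc['stype'], ' '.join(avc['perms']), avc['ttype'])
```

Running `explain(parse_audit(SAMPLE_AUDIT)[300])` reproduces the diagnosis reached in the comments below: the file carries default_t rather than a tmp type, so the fix is chcon or a policy change, not restorecon.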

Comment 1 Jeff Bastian 2012-02-02 15:31:01 UTC
Here's the problematic file:

$ ls -lZ /tmp/updates-6.1-ksdevice.img 
-rw-rw-r--. jbastian jbastian system_u:object_r:default_t:s0   /tmp/updates-6.1-ksdevice.img


Restoring the context doesn't change anything:

$ sudo restorecon -v -v -v /tmp/updates-6.1-ksdevice.img 

$ ls -lZ /tmp/updates-6.1-ksdevice.img 
-rw-rw-r--. jbastian jbastian system_u:object_r:default_t:s0   /tmp/updates-6.1-ksdevice.img

Comment 2 Miroslav Grepl 2012-02-02 15:47:00 UTC
Yes, this is correct because of the /tmp directory. We don't want to allow restorecon in this directory.

You need to use chcon for this situation. Why is this image located in the /tmp directory?

Comment 3 Jeff Bastian 2012-02-02 16:29:15 UTC
I built the anaconda updates image file on a remote system and then I scp'ed it to my local host and today setroubleshoot popped up saying it blocked tmpwatch.

setroubleshoot told me to report it as a bug, so here it is.

If this is intentional, that's fine.  I can manually remove the file or fix the context with chcon.

Thanks!

Comment 4 Miroslav Grepl 2012-02-02 16:35:41 UTC
Ok, then setroubleshoot did good work. Or you can move this image to the libvirt image directory and run restorecon.

Comment 5 Daniel Walsh 2012-02-02 18:17:08 UTC
Jeff, did you copy it to a random directory in /?

Comment 6 Jeff Bastian 2012-02-02 18:33:11 UTC
Oh, I was wrong about my scp in comment 3.  That was for another image.

For this image, I just mv'ed it into /tmp.  I guess I should have copied it instead.

$ cd dev-test/git/anaconda
$ git checkout anaconda-13.21.117-1-ksdevicelink
Switched to branch 'anaconda-13.21.117-1-ksdevicelink'
$ scripts/makeupdates 
Using tag: anaconda-13.21.117-1
Including network.py
58 blocks
 74.5%
updates.img ready
$ mv updates.img /tmp/updates-test.img
$ ls -lZ /tmp/updates-test.img 
-rw-rw-r--. jbastian jbastian unconfined_u:object_r:default_t:s0 /tmp/updates-test.img

Comment 7 Daniel Walsh 2012-02-02 20:41:37 UTC
No, it is fine that you moved it; the question is whether or not we should allow tmpreaper to delete files whose content SELinux knows nothing about.

I have no problem allowing this.

Comment 8 Jeff Bastian 2012-02-02 22:08:10 UTC
I'm ok with it too.  I think it's generally well understood that files in /tmp are indeed temporary.

Many Linux distros use a cron job like tmpwatch to clean up old files.  Other systems like Solaris have /tmp as a tmpfs type of filesystem with swap space backing it, so it starts fresh with every reboot.

Comment 9 Daniel Walsh 2012-02-03 16:28:04 UTC
Yes, I prefer Sun's method; temporary should be temporary. Lots of problems are caused by garbage in /tmp.

I just changed Rawhide to allow it to unlink all non-security file types.