| Summary: | SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on default_t /tmp files | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Bastian <jbastian> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:8f228cf65e15de03efb6f81a30ae4fcefbe9caed21eed9c305d9449048dad82b | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-03-15 15:46:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Here's the problematic file:

```
$ ls -lZ /tmp/updates-6.1-ksdevice.img
-rw-rw-r--. jbastian jbastian system_u:object_r:default_t:s0 /tmp/updates-6.1-ksdevice.img
```

Restoring the context doesn't change anything:

```
$ sudo restorecon -v -v -v /tmp/updates-6.1-ksdevice.img
$ ls -lZ /tmp/updates-6.1-ksdevice.img
-rw-rw-r--. jbastian jbastian system_u:object_r:default_t:s0 /tmp/updates-6.1-ksdevice.img
```

Yes, this is correct because of the /tmp directory. We don't want to allow restorecon in this directory. You need to use chcon for this situation. Why is this image located in the /tmp directory?

I built the anaconda updates image file on a remote system and then I scp'ed it to my local host, and today setroubleshoot popped up saying it blocked tmpwatch. setroubleshoot told me to report it as a bug, so here it is. If this is intentional, that's fine. I can manually remove the file or fix the context with chcon. Thanks!

Ok, then setroubleshoot did good work. Or you can move this image to the libvirt image directory and run restorecon.

Jeff, did you copy it to a random directory in /?

Oh, I was wrong about my scp in comment 3. That was for another image. For this image, I just mv'ed it into /tmp. I guess I should have copied it instead.

```
$ cd dev-test/git/anaconda
$ git checkout anaconda-13.21.117-1-ksdevicelink
Switched to branch 'anaconda-13.21.117-1-ksdevicelink'
$ scripts/makeupdates
Using tag: anaconda-13.21.117-1
Including network.py
58 blocks
74.5%
updates.img ready
$ mv updates.img /tmp/updates-test.img
$ ls -lZ /tmp/updates-test.img
-rw-rw-r--. jbastian jbastian unconfined_u:object_r:default_t:s0 /tmp/updates-test.img
```

No. It is fine that you moved it; the question is whether or not we should allow tmpreaper to delete files that SELinux has no idea what content is in them. I have no problem allowing this.

I'm ok with it too. I think it's generally well understood that files in /tmp are indeed temporary. Many Linux distros use a cron job like tmpwatch to clean up old files. Other systems like Solaris have /tmp as a tmpfs type of filesystem with swap space backing it, so it starts fresh with every reboot.

Yes, I prefer Sun's method. Temporary should be temporary. Lots of problems caused by garbage in /tmp. I just changed Rawhide to allow it to unlink all non-security file types.
```
libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.2.2-1.fc16.x86_64
reason: SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on the None updates-6.1-ksdevice.img.
time: Thu 02 Feb 2012 09:27:35 AM CST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'unlink' accesses on the None updates-6.1-ksdevice.img.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that tmpwatch should be allowed unlink access on the updates-6.1-ksdevice.img <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:default_t:s0
:Target Objects                updates-6.1-ksdevice.img [ None ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages
:Target RPM Packages
:Policy RPM                    <Unknown>
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.2-1.fc16.x86_64 #1
:                              SMP Thu Jan 26 03:21:58 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Thu 02 Feb 2012 08:52:03 AM CST
:Last Seen                     Thu 02 Feb 2012 08:52:03 AM CST
:Local ID                      dc7119ab-0bac-4e54-9399-8713d05f7bda
:
:Raw Audit Messages
:type=AVC msg=audit(1328194323.744:300): avc:  denied  { unlink } for  pid=4435 comm="tmpwatch" name="updates-6.1-ksdevice.img" dev=dm-1 ino=25042953 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
:
:node=(removed) type=SYSCALL msg=audit(1328194323.744:300): arch=c000003e syscall=87 success=no exit=-13 a0=24b7fc3 a1=40470b a2=24b7170 a3=7fff526cc208 items=0 ppid=4433 pid=4435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:Hash: tmpwatch,tmpreaper_t,default_t,None,unlink
:
:audit2allow
:
:
:audit2allow -R
:
```
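The thread above turns on one question: when a denial's target is `default_t`, is the right fix to relabel the file (chcon, or move it to a labeled directory and run restorecon) or to widen the domain's policy? The raw AVC record in the report carries everything needed to ask that question mechanically. The following is an added example, not code from Fedora, setroubleshoot or audit2allow: it parses AVC `denied` records out of raw audit log text, reconstructs the `allow` rule that `audit2allow -M` would emit, and flags denials whose target type is a catch-all label. The sample log embeds the report's own AVC line; the SYSCALL line and the second (httpd) denial are constructed here, and the function names `parse_avc_denials`, `allow_rule`, `triage` and `summarize` are mine.

```python
"""Triage SELinux AVC denials along the lines of the bug discussion above.

Added example, not code from Fedora, setroubleshoot or audit2allow.
"""
import re
from dataclasses import dataclass

# Constructed sample log. The first AVC line is the one from the report on this
# page; the SYSCALL record and the httpd denial are made up so the parser has
# non-AVC noise and an unrelated denial to deal with.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328194323.744:300): avc:  denied  { unlink } for  pid=4435 comm="tmpwatch" name="updates-6.1-ksdevice.img" dev=dm-1 ino=25042953 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1328194323.744:300): arch=c000003e syscall=87 success=no exit=-13 comm="tmpwatch" exe="/usr/sbin/tmpwatch"
type=AVC msg=audit(1328194400.123:301): avc:  denied  { read open } for  pid=4500 comm="httpd" name="index.html" dev=dm-1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value ..." (whitespace varies by tool)
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "no file_contexts entry matched this object". An allow rule
# written against them covers every unlabeled file on the system, not just the
# one that triggered the denial.
UNLABELED_TYPES = {"default_t", "unlabeled_t"}


@dataclass(frozen=True)
class Denial:
    perms: tuple
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str


def type_of(context: str) -> str:
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_avc_denials(log_text: str) -> list:
    """Extract every AVC 'denied' record from raw audit log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and granted AVC records are not denials
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
            source_type=type_of(fields["scontext"]),
            target_type=type_of(fields["tcontext"]),
            tclass=fields["tclass"],
        ))
    return denials


def allow_rule(d: Denial) -> str:
    """The TE allow rule audit2allow would generate for this denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def triage(d: Denial) -> str:
    """'mislabeled-target' when the object carries a catch-all type (fix the
    label before touching policy); otherwise 'policy-review' (decide whether
    the source domain legitimately needs this access)."""
    if d.target_type in UNLABELED_TYPES:
        return "mislabeled-target"
    return "policy-review"


def summarize(log_text: str) -> list:
    """(allow rule, classification) for every denial in the log."""
    return [(allow_rule(d), triage(d)) for d in parse_avc_denials(log_text)]


if __name__ == "__main__":
    for rule, verdict in summarize(SAMPLE_AUDIT_LOG):
        print(f"{verdict:18} {rule}")
```

For the tmpwatch denial the script reconstructs `allow tmpreaper_t default_t:file { unlink };`, which is exactly what the catchall plugin's `audit2allow -M mypol` recipe would have loaded, and classifies it as a mislabeled target. The maintainers resolved this particular case on the policy side (Rawhide now lets tmpreaper unlink all non-security file types, on the reasoning that /tmp is understood to be temporary). For most other domains the classification is the useful signal: a `default_t` target means the file never got a real label, and on a file in /tmp, where restorecon is deliberately not allowed to relabel, the fix the thread gives is chcon or moving the file to a directory with a labeled path and running restorecon there.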