| Summary: | SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory pulse-aBChLGEEZCk6. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peque <msdeleonpeque> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | dominick.grift, dwalsh, jpokorny, llugo1013, mgrepl, mmolinac14, steve, tmarak |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:41db766a8c0ad01eed004eb67e3b4d39f60b01b9571118137759ce2868d65969 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-10 05:54:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Where is pulse-aBChLGEEZCk6 located? What does ls -lZ /tmp/pulse-*

That file is in /tmp:

$ ls -lZ /tmp/pulse-*
/tmp/pulse-aBChLGEEZCk6:
srwxrwxrwx. peque peque unconfined_u:object_r:user_home_t:s0 native
-rw-------. peque peque unconfined_u:object_r:user_home_t:s0 pid
ls: cannot open directory /tmp/pulse-PKdhtXMmr18n: Permission denied
ls: cannot open directory /tmp/pulse-zahEcaYatja7: Permission denied

I am seeing it also in F17:
> SELinux is preventing /usr/sbin/tmpwatch from setattr access on
> the directory pulse-PKdhtXMmr18n
Source Context system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects pulse-PKdhtXMmr18n [ dir ]
Source tmpwatch
Source Path /usr/sbin/tmpwatch
Source RPM Packages tmpwatch-2.10.3-2.fc17.x86_64
Policy RPM selinux-policy-3.10.0-140.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Alert Count 9
First Seen Thu 26 Jul 2012 03:19:07 AM CEST
Last Seen Fri 03 Aug 2012 03:40:26 AM CEST
type=AVC msg=audit(1343958026.903:18406):
avc: denied { setattr } for pid=20503 comm="tmpwatch"
name="pulse-PKdhtXMmr18n" dev="sda4" ino=262168
scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1343958026.903:18406):
arch=x86_64 syscall=utime success=yes exit=0 a0=404a07
a1=7fff944308d0 a2=37125b0f98 a3=8028 items=0 ppid=20501 pid=20503
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=2568
comm=tmpwatch exe=/usr/sbin/tmpwatch
subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
Note the late night--early morning times, looks like the system
is busy to do some cleanup intentionally at this time. Or if it
is only accidental, the triggering action seems to be planned for
around the same time, at least.
re [comment 3]: Also hand-in-hand with:

> SELinux is preventing /usr/sbin/tmpwatch from read access on
> the directory pulse-PKdhtXMmr18n.
Source RPM Packages tmpwatch-2.10.3-2.fc17.x86_64
Alert Count 9
First Seen Thu 26 Jul 2012 03:19:07 AM CEST
Last Seen Fri 03 Aug 2012 03:40:26 AM CEST

> SELinux is preventing /usr/sbin/tmpwatch from search access on
> the directory pulse-PKdhtXMmr18n.
Alert Count 9
First Seen Thu 26 Jul 2012 03:19:07 AM CEST
Last Seen Fri 03 Aug 2012 03:40:26 AM CEST

> SELinux is preventing /usr/sbin/tmpwatch from getattr access on
> the directory /tmp/pulse-PKdhtXMmr18n.
Alert Count 23
First Seen Thu 12 Jul 2012 03:43:51 AM CEST
Last Seen Fri 03 Aug 2012 03:40:26 AM CEST

> SELinux is preventing /usr/bin/systemd-tmpfiles from read access on
> the directory pulse-PKdhtXMmr18n.
Alert Count 9
First Seen Wed 25 Jul 2012 03:07:12 PM CEST
Last Seen Thu 02 Aug 2012 03:07:12 PM CEST

> SELinux is preventing /usr/bin/systemd-tmpfiles from getattr access on
> the directory /tmp/pulse-PKdhtXMmr18n.
Alert Count 24
First Seen Thu 12 Jul 2012 02:04:34 PM CEST
Last Seen Fri 03 Aug 2012 05:04:38 PM CEST

Note that getattr gets the path stated in full (perhaps a feature).
I can provide additional info, now I've just picked some interesting bits.

Jan, could you try to install the latest F17 build and see if you can re-create it?

Mirek,
sure. selinux-policy-3.10.0-142 seems not to solve it so I did:
> rpm -U http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.10.0/144.fc17/noarch/selinux-policy-3.10.0-144.fc17.noarch.rpm \
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.10.0/144.fc17/noarch/selinux-policy-targeted-3.10.0-144.fc17.noarch.rpm
For some reason I didn't see any update using updates-testing.
Will see if this changes anything.
Mirek, update here: after almost two days, it looks like the -144 release helped here. Thanks!
libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.2.9-1.fc16.x86_64
reason: SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory pulse-aBChLGEEZCk6.
time: Sun 11 Mar 2012 03:09:35 PM CET

description:
SELinux is preventing /usr/sbin/tmpwatch from 'setattr' accesses on the directory pulse-aBChLGEEZCk6.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that tmpwatch should be allowed setattr access on the pulse-aBChLGEEZCk6 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                pulse-aBChLGEEZCk6 [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmpwatch-2.10.3-1.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.2.9-1.fc16.x86_64 #1 SMP Thu Mar 1 01:41:10 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 11 Mar 2012 03:09:19 PM CET
Last Seen                     Sun 11 Mar 2012 03:09:19 PM CET
Local ID                      f6e1906a-00b1-4422-a141-b366a4e9ba9d

Raw Audit Messages
type=AVC msg=audit(1331474959.998:116): avc: denied { setattr } for pid=3137 comm="tmpwatch" name="pulse-aBChLGEEZCk6" dev=sda1 ino=389468 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

type=SYSCALL msg=audit(1331474959.998:116): arch=x86_64 syscall=utime success=yes exit=0 a0=4045eb a1=7fffd7d9a190 a2=1a1 a3=0 items=0 ppid=3135 pid=3137 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

Hash: tmpwatch,tmpreaper_t,user_home_dir_t,dir,setattr

audit2allow

#============= tmpreaper_t ==============
allow tmpreaper_t user_home_dir_t:dir setattr;

audit2allow -R

#============= tmpreaper_t ==============
allow tmpreaper_t user_home_dir_t:dir setattr;
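The setroubleshoot text in the original report suggests piping the audit log through audit2allow and loading the resulting module. The script below is an added example, not part of the bug report and not audit2allow's own code: it derives the same kind of type-enforcement allow rule from raw AVC records with awk, so the reader can see exactly what such a module would grant before running semodule -i. The AVC lines in SAMPLE_AVCS are constructed copies of the denials quoted in this bug (the third, a read denial on the unlabeled_t directory, is reconstructed from the comment text because its raw record is not on the page); the function name avc_to_allow is this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report, not audit2allow itself):
# turn AVC denial records into the "allow src tgt:class perms;" rules
# a local policy module built from them would contain.

# Constructed sample input: copies of the denials quoted in this bug.
# The third line (read on the unlabeled_t directory) is reconstructed
# from the comment text; its raw record is not on the page.
SAMPLE_AVCS='type=AVC msg=audit(1331474959.998:116): avc: denied { setattr } for pid=3137 comm="tmpwatch" name="pulse-aBChLGEEZCk6" dev=sda1 ino=389468 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1343958026.903:18406): avc: denied { setattr } for pid=20503 comm="tmpwatch" name="pulse-PKdhtXMmr18n" dev="sda4" ino=262168 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1343958026.903:18407): avc: denied { read } for pid=20503 comm="tmpwatch" name="pulse-PKdhtXMmr18n" dev="sda4" ino=262168 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'

# avc_to_allow: read audit records on stdin, keep the AVC "denied" ones,
# and print one allow rule per (source type, target type, class) with all
# denied permissions merged, in first-seen order. Non-AVC lines (SYSCALL,
# CWD, ...) are ignored.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # permission set sits between the braces after "denied"
        if (match($0, /denied [{][^}]*[}]/)) {
            perms = substr($0, RSTART + 8, RLENGTH - 9)
            gsub(/^ +| +$/, "", perms)
        }
        # the type is the third colon-separated field of a context
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in order)) { count++; order[key] = count; keys[count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # merge permissions without duplicates
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : (seen[key] " " p[j])
        }
    }
    END {
        for (k = 1; k <= count; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s %s;\n", f[1], f[2], f[3], seen[keys[k]]
        }
    }'
}

# Usage on a real system would be:
#   grep tmpwatch /var/log/audit/audit.log | avc_to_allow
# Here it runs on the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
```

The point worth seeing in the output is that every rule is keyed by type, not by path: allow tmpreaper_t user_home_dir_t:dir setattr; lets anything running as tmpreaper_t change attributes on every directory labeled user_home_dir_t, not only /tmp/pulse-aBChLGEEZCk6. A module built this way is therefore a broad stopgap, which is consistent with how this bug was actually resolved: the denials stopped after the selinux-policy-3.10.0-144.fc17 update, not through a local module.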