Bug 802631

Summary: SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/cache/php-eaccelerator.
Product: [Fedora] Fedora Reporter: hellboydvd
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:56897be474fe271f5ce7c3eff5c96b6161609720e7f171380eaa70c64044abdf
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-13 08:59:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description hellboydvd 2012-03-13 06:16:50 UTC 
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.9-1.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/cache/php-eaccelerator.
time:           Tue 13 Mar 2012 11:45:44 AM IST

description:
:SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /var/cache/php-eaccelerator.
:
:*****  Plugin restorecon (94.8 confidence) suggests  *************************
:
:If you want to fix the label. 
:/var/cache/php-eaccelerator default label should be httpd_cache_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /var/cache/php-eaccelerator
:
:*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
:
:If you want to allow tmpwatch to have read access on the php-eaccelerator directory
:Then you need to change the label on /var/cache/php-eaccelerator
:Do
:# semanage fcontext -a -t FILE_TYPE '/var/cache/php-eaccelerator'
:where FILE_TYPE is one of the following: httpd_cache_t, kismet_log_t, textrel_shlib_t, rpm_var_cache_t, var_lib_t, user_home_type, var_run_t, home_root_t, tmpreaper_t, print_spool_t, amavis_spool_t, sysctl_crypto_t, user_home_dir_t, man_t, device_t, locale_t, etc_t, file_t, proc_t, tmpfile, abrt_t, lib_t, device_t, root_t, usr_t, etc_t, sysfs_t, sandbox_file_t. 
:Then execute: 
:restorecon -v '/var/cache/php-eaccelerator'
:
:
:*****  Plugin catchall (1.44 confidence) suggests  ***************************
:
:If you believe that tmpwatch should be allowed read access on the php-eaccelerator directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:var_t:s0
:Target Objects                /var/cache/php-eaccelerator [ dir ]
:Source                        tmpwatch
:Source Path                   /usr/sbin/tmpwatch
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           tmpwatch-2.10.3-1.fc16.x86_64
:Target RPM Packages           php-eaccelerator-0.9.6.1-9.fc16.2.x86_64
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.9-1.fc16.x86_64 #1 SMP Thu Mar
:                              1 01:41:10 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Tue 13 Mar 2012 03:28:19 AM IST
:Last Seen                     Tue 13 Mar 2012 03:28:19 AM IST
:Local ID                      15fa757c-b850-4494-946f-4bc06ef2dae5
:
:Raw Audit Messages
:type=AVC msg=audit(1331589499.204:785): avc:  denied  { read } for  pid=6846 comm="tmpwatch" name="php-eaccelerator" dev=sda4 ino=1448308 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1331589499.204:785): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=4045eb a2=90800 a3=0 items=0 ppid=6844 pid=6846 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=82 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
:
:Hash: tmpwatch,tmpreaper_t,var_t,dir,read
:
:audit2allow
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t var_t:dir read;
:
:audit2allow -R
:
:#============= tmpreaper_t ==============
:allow tmpreaper_t var_t:dir read;
:
Comment 1 Miroslav Grepl 2012-03-13 08:59:32 UTC 
Just execute

$ restorecon -R -v /var/cache/php-eaccelerator

Did you create this directory?
Comment 2 hellboydvd 2012-03-13 13:55:41 UTC 
(In reply to comment #1)
> Just execute
> 
> $ restorecon -R -v /var/cache/php-eaccelerator
> 
> Did you create this directory?

No.
Comment 3 Daniel Walsh 2012-03-13 14:00:53 UTC 
Was /var/cache/php-eaccelerator created by some kind of install.  Is this something we ship with Fedora?
Comment 4 Miroslav Grepl 2012-03-13 20:59:18 UTC 
What does

$ rpm -qf /var/cache/php-eaccelerator
Comment 5 hellboydvd 2012-03-14 11:28:56 UTC 
(In reply to comment #4)
> What does
> 
> $ rpm -qf /var/cache/php-eaccelerator

php-eaccelerator-0.9.6.1-9.fc16.2.x86_64
Comment 6 Daniel Walsh 2012-03-14 12:55:33 UTC 
Does it include the /var/cache/php-eacclerator in the payload.
 
rpm -ql php-eaccelerator-0.9.6.1-9.fc16.2.x86_64 | grep cache

And where did you download this from?
Comment 7 hellboydvd 2012-03-14 14:50:05 UTC 
Yes.

i dont recall.