Bug 837478
| Summary: | SELinux is preventing /usr/sbin/tmpwatch from 'getattr' accesses on the sock_file /tmp/ksocket-root/klauncherhX2421.slave-socket. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michiduta07 |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | bugtracker, caleb, dominick.grift, dwalsh, mgrepl, perepluts, rtvd |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:a09d9350bc3296e3028c485aefbd1cd1088d9293c34f55ff1efc8851b17498e5 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-07-11 02:51:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Did you update form F16? No. Did a fresh install. (In reply to comment #1) > Did you update form F16? *** Bug 837700 has been marked as a duplicate of this bug. *** Is this a kernel issue? Could you try to remove /tmp/ksocket-root and then use KDE and execute # ls -lZ /tmp/ksocket-root I removed that folder and ran that command. I ran the command multiple times. The first time it reported: ls: cannot access /tmp/ksocket-root: No such file or directory After that I ran it 2 more times and it didn't report anything. (In reply to comment #5) > Could you try to remove > > /tmp/ksocket-root > > and then use KDE and execute > > # ls -lZ /tmp/ksocket-root I am still doubt that its an issue. Just found this issue as I was interested. Fresh installation with F17 here and having this issue as well. Looks like the permission for this file is not set initially correct. Did you try steps from the comment #5? (In reply to comment #3) > *** Bug 837700 has been marked as a duplicate of this bug. *** Bug 837700 is related, but it is not identical (refers to access to /var/tmp/kdecache-root/icon-cache.kcache). I have both of these bugs on my Fedora Core F17. It was a fresh install of 64bit KDE version a few days ago. SELinux alerts are appearing many times a day. Removing kde's directories in /tmp and /var/tmp does not make a difference (obviously, I tried that when KDE was not launched). rm -rf /var/tmp/kdecache-root And then reboot, and show me the AVC you are getting. *** Bug 848280 has been marked as a duplicate of this bug. *** |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.4.4-3.fc17.x86_64 time: Wed 04 Jul 2012 07:27:14 AM EEST description: :SELinux is preventing /usr/sbin/tmpwatch from 'getattr' accesses on the sock_file /tmp/ksocket-root/klauncherhX2421.slave-socket. : :***** Plugin catchall_labels (83.8 confidence) suggests ******************** : :If you want to allow tmpwatch to have getattr access on the klauncherhX2421.slave-socket sock_file :Then you need to change the label on /tmp/ksocket-root/klauncherhX2421.slave-socket :Do :# semanage fcontext -a -t FILE_TYPE '/tmp/ksocket-root/klauncherhX2421.slave-socket' :where FILE_TYPE is one of the following: devlog_t, file_t, winbind_var_run_t, tmpfile, lsassd_var_socket_t, sandbox_file_t, abrt_var_run_t, user_home_type, setrans_var_run_t, httpd_sys_rw_content_t, avahi_var_run_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, nscd_var_run_t, pcscd_var_run_t. :Then execute: :restorecon -v '/tmp/ksocket-root/klauncherhX2421.slave-socket' : : :***** Plugin catchall (17.1 confidence) suggests *************************** : :If you believe that tmpwatch should be allowed getattr access on the klauncherhX2421.slave-socket sock_file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 :Target Context system_u:object_r:unlabeled_t:s0 :Target Objects /tmp/ksocket-root/klauncherhX2421.slave-socket [ : sock_file ] :Source tmpwatch :Source Path /usr/sbin/tmpwatch :Port <Unknown> :Host (removed) :Source RPM Packages tmpwatch-2.10.3-2.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-134.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun : 26 20:54:56 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen Wed 04 Jul 2012 03:07:34 AM EEST :Last Seen Wed 04 Jul 2012 03:07:34 AM EEST :Local ID 12e69102-1b1d-4005-a4f5-cc8d9f06dae4 : :Raw Audit Messages :type=AVC msg=audit(1341360454.991:142): avc: denied { getattr } for pid=8205 comm="tmpwatch" path="/tmp/ksocket-root/klauncherhX2421.slave-socket" dev="sda2" ino=265640 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sock_file : : :type=SYSCALL msg=audit(1341360454.991:142): arch=x86_64 syscall=lstat success=no exit=EACCES a0=65fa4b a1=7fff32c1ccd0 a2=7fff32c1ccd0 a3=32 items=0 ppid=8203 pid=8205 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) : :Hash: tmpwatch,tmpreaper_t,unlabeled_t,sock_file,getattr : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :