Bug 1119077 - SELinux is preventing /usr/bin/pdftex from 'open' accesses on the file .
Summary: SELinux is preventing /usr/bin/pdftex from 'open' accesses on the file .
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:723299ce4ab2681e2e100237413...
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-13 20:08 UTC by Nils
Modified: 2014-07-13 20:12 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-13 20:12:52 UTC

Attachments (Terms of Use)

Description Nils 2014-07-13 20:08:52 UTC
Description of problem:
running pdflatex from a staff_u user account

[root@base pdftex]# pwd
[root@base pdftex]# ls -lZ
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 etex.fmt
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 etex.log
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 latex.fmt
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 latex.log
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 mptopdf.fmt
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 mptopdf.log
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 pdfetex.fmt
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 pdfetex.log
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 pdflatex.fmt
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 pdflatex.log
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 pdftex.fmt
-rw-r--r--. root root system_u:object_r:initrc_tmp_t:s0 pdftex.log
SELinux is preventing /usr/bin/pdftex from 'open' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es pdftex standardmässig erlaubt sein sollte, open Zugriff auf  file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep pdflatex /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_tmp_t:s0
Target Objects                 [ file ]
Source                        pdflatex
Source Path                   /usr/bin/pdftex
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           texlive-pdftex-bin-
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.8-200.fc20.x86_64 #1 SMP Mon
                              Jun 16 21:57:53 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-13 22:04:38 CEST
Last Seen                     2014-07-13 22:04:38 CEST
Local ID                      fc371e35-b991-4f4b-b5d8-3fa5d64276e7

Raw Audit Messages
type=AVC msg=audit(1405281878.258:41130): avc:  denied  { open } for  pid=11845 comm="pdflatex" path="/var/lib/texmf/web2c/pdftex/pdflatex.fmt" dev="sda4" ino=1330385 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1405281878.258:41130): arch=x86_64 syscall=open success=no exit=EACCES a0=124a2a1 a1=0 a2=1b6 a3=0 items=0 ppid=21523 pid=11845 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1064 comm=pdflatex exe=/usr/bin/pdftex subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: pdflatex,staff_t,initrc_tmp_t,file,open

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.8-200.fc20.x86_64
type:           libreport

Comment 1 Nils 2014-07-13 20:12:52 UTC
just ran restorecon -vR . on the directory and it fixed the type to tetex_data_t.

I thought that i tried that already a few days ago. Seems to be fixed now.

Note You need to log in before you can comment on or make changes to this bug.