Also present on RHEL6 for selinux-policy-3.7.19-279.el6_7.6.noarch +++ This bug was initially created as a clone of Bug #1218330 +++ Description of problem: Right now running tmpwatch on directories being labelled as samba_share_t or nfs_t leads to AVC denied messages, which might be right in the first case but it should be possible to allow it via SELinux booleans through - because we have backups on NFS that are cleaned up with tmpwatch or also a samba share for temporary files being watched by tmpwatch. Both fails as of writing due to the too strict SELinux policy. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-23.el7.noarch tmpwatch-2.11-5.el7.x86_64 How reproducible: Everytime, label a directory with samba_share_t or nfs_t and run tmpwatch. Actual results: No SELinux boolean to allow tmpwatch on samba_share_t or nfs_t. Expected results: SELinux boolean to allow tmpwatch on samba_share_t or nfs_t. Additional info: type=AVC msg=audit(1430425770.447:23279): avc: denied { setattr } for pid=19622 comm="tmpwatch" name="our-nfs-directory" dev="0:35" ino=40965 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=SYSCALL msg=audit(1430425770.447:23279): arch=x86_64 syscall=utime success=no exit=EACCES a0=4042b7 a1=7fff4ea61d70 a2=7fb7d1c377b8 a3=7fff4ea61ac0 items=0 ppid=101823 pid=19622 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=493 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0763.html