Bug 187125 - Cannot mv files to /tmp when tmpfs
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-28 12:12 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.38-2
Doc Type: Bug Fix
Last Closed: 2006-05-25 13:57:17 EDT

Description Orion Poplawski 2006-03-28 12:12:45 EST
Description of problem:

Locally, we mount /tmp as a tmpfs filesystem:
tmpfs                   /tmp                    tmpfs   defaults        0 0
tmpfs on /tmp type tmpfs (rw)

Tried to move some files into /tmp and got:

Mar 28 10:12:37 cynosure kernel: audit(1143565957.886:1719): avc:  denied  {
associate } for  pid=25059 comm="mv" name="qt-i386.conf"
scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem

Moving to /var/tmp worked.


Version-Release number of selected component (if applicable):
selinux-policy-2.2.25-2.fc5
Comment 1 Daniel Walsh 2006-03-28 14:36:12 EST
There should be a line in /etc/rc.sysinit restoring the context to tmp_t?

restorecon /tmp should eliminate this problem, and this is supposed to happen on
boot?

Dan
Comment 2 Orion Poplawski 2006-03-28 17:30:07 EST
rc.sysinit:
# Clean up various /tmp bits
[ -n "$SELINUX_STATE" ] && restorecon /tmp

Currently:
# ls -ldZ /tmp
drwxrwxrwt  root     root     system_u:object_r:tmp_t          /tmp

Try:
# restorecon -v /tmp
# ls -Zd /tmp
drwxrwxrwt  root     root     system_u:object_r:tmp_t          /tmp

Still no go:
# mv install.log /tmp
mv: cannot create regular file `/tmp/install.log': Permission denied

Mar 28 15:33:44 cynosure kernel: audit(1143585224.975:1730): avc:  denied  {
associate } for  pid=7214 comm="mv" name="install.log"
scontext=system_u:object_r:file_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem

Issue with underlying mount point dir?  I'll have to log out to check...

Comment 3 Daniel Walsh 2006-03-29 08:32:37 EST
Where did the file install.log come from?  It is labeled file_t which means it
has no file context or is unlabeled?  So the question is how did this file
become unlabeled.  If you execute restorecon install.log and then mv it, it will
work.
Comment 4 Orion Poplawski 2006-03-29 11:45:48 EST
Ah, so it's the scontext that is important here:

restorecon reset /root/install.log context
system_u:object_r:file_t->root:object_r:user_home_t
[root@cynosure ~]# mv install.log /tmp
[root@cynosure ~]# 

So, getting back to the original report:

[root@cynosure ~]# mv /etc/ld.so.conf.d/* /tmp
mv: cannot create regular file `/tmp/octave-i386.conf': Permission denied
mv: cannot create regular file `/tmp/qt-i386.conf': Permission denied
for  pid=13638 comm="mv" name="octave-i386.conf"
scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem
Mar 29 09:36:14 cynosure kernel: audit(1143650174.631:1738): avc:  denied  {
associate } for  pid=13638 comm="mv" name="qt-i386.conf"
scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem
Mar 29 09:37:05 cynosure kernel: SELinux: initialized (dev 0:11, type nfs), uses
genfs_contexts

Now, I'm not sure why this should be prevented, though I could perhaps
understand why.  But I can do:

[root@cynosure ~]# rm -f /etc/ld.so.conf.d/*
[root@cynosure ~]#

Which is essentially the same thing as far as /etc/ld.so.conf.d/ is concerned.
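What the denials in comments 1 to 4 have in common is the `associate` permission on the `filesystem` class: SELinux checks it whenever a file carrying label S is created on a filesystem carrying label T, and mv across a filesystem boundary is a copy that preserves the source file's label, so the files arrive on tmpfs_t still labeled etc_t or file_t. Deleting them in place only needs permissions on the source directory, which is why the rm works. The script below is an added example, not code from the bug's participants or from the Fedora policy: it pulls the filesystem/associate denials out of a constructed audit log modelled on the lines quoted above (joined back onto one line each, as syslog writes them), names the two types involved, and prints the check a practitioner would run next. The function names `associate_denials`, `suggest_fix` and `report` are mine; `restorecon` and `sesearch` are the real tools.

```shell
#!/bin/sh
# Added example (not from the bug report or the Fedora policy): pull the
# filesystem/associate denials out of an audit log, name the two types
# involved, and say what to do about them.

# Constructed sample log, modelled on the lines quoted in the report and
# joined back onto one line each as syslog writes them.  The third line is a
# different kind of denial and must be ignored.
SAMPLE_AVC='Mar 28 10:12:37 cynosure kernel: audit(1143565957.886:1719): avc:  denied  { associate } for  pid=25059 comm="mv" name="qt-i386.conf" scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 28 15:33:44 cynosure kernel: audit(1143585224.975:1730): avc:  denied  { associate } for  pid=7214 comm="mv" name="install.log" scontext=system_u:object_r:file_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 28 15:40:02 cynosure kernel: audit(1143585602.118:1731): avc:  denied  { write } for  pid=7300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# associate_denials: read AVC lines on stdin, print one line
# "<file type> <filesystem type> <file name>" per filesystem/associate denial.
# The type is the third field of a context, with or without an MLS level.
associate_denials() {
    grep 'avc: *denied *{ *associate *}' | grep 'tclass=filesystem' |
    sed -n 's/.*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\2 \3 \1/p'
}

# suggest_fix <file type> <filesystem type>: the check a practitioner would
# run next.  file_t (unlabeled_t in newer policies) means the source file
# itself never got a label, which is the reporter's install.log case.
suggest_fix() {
    case "$1" in
        file_t|unlabeled_t)
            echo "source file is unlabeled ($1): run 'restorecon -v <file>' on it, then retry the mv" ;;
        *)
            echo "no rule allowing $1 to live on $2: verify with 'sesearch -A -s $1 -t $2 -c filesystem -p associate'; copy without preserving the context, or fix the policy" ;;
    esac
}

# report: combine the two, one line per denial.
report() {
    associate_denials | while read -r ftype fstype name; do
        echo "$name: $(suggest_fix "$ftype" "$fstype")"
    done
}

printf '%s\n' "$SAMPLE_AVC" | report
```

Run it as `sh script.sh`, or replace the sample with `grep avc /var/log/audit/audit.log | report` on a live box. The etc_t branch is the policy gap this bug fixed; an empty `sesearch` result for the pair confirms the policy is still missing the rule. Later coreutils also gained `mv -Z`, which relabels the destination with the default type for its location instead of carrying the source label across.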
Comment 6 Daniel Walsh 2006-05-09 16:38:38 EDT
Fixed in selinux-policy-2.2.38-2 in rawhide.  Will show up next week in FC5.
Comment 7 Orion Poplawski 2006-05-25 13:57:17 EDT
Confirmed.
