Bug 187125 - Cannot mv files to /tmp when tmpfs
Summary: Cannot mv files to /tmp when tmpfs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-03-28 17:12 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC
CC List: 1 user

Fixed In Version: 2.2.38-2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-25 17:57:17 UTC
Type: ---
Embargoed:



Description Orion Poplawski 2006-03-28 17:12:45 UTC
Description of problem:

Locally, we mount /tmp as a tmpfs filesystem:
tmpfs                   /tmp                    tmpfs   defaults        0 0
tmpfs on /tmp type tmpfs (rw)

Tried to move some files into /tmp and got:

Mar 28 10:12:37 cynosure kernel: audit(1143565957.886:1719): avc:  denied  {
associate } for  pid=25059 comm="mv" name="qt-i386.conf"
scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem

Moving to /var/tmp worked.


Version-Release number of selected component (if applicable):
selinux-policy-2.2.25-2.fc5

Comment 1 Daniel Walsh 2006-03-28 19:36:12 UTC
There should be a line in /etc/rc.sysinit restoring the context to tmp_t?

restorecon /tmp should eliminate this problem, and this is supposed to happen on
boot?

Dan

Comment 2 Orion Poplawski 2006-03-28 22:30:07 UTC
rc.sysinit:
# Clean up various /tmp bits
[ -n "$SELINUX_STATE" ] && restorecon /tmp

Currently:
# ls -ldZ /tmp
drwxrwxrwt  root     root     system_u:object_r:tmp_t          /tmp

Try:
# restorecon -v /tmp
# ls -Zd /tmp
drwxrwxrwt  root     root     system_u:object_r:tmp_t          /tmp

Still no go:
# mv install.log /tmp
mv: cannot create regular file `/tmp/install.log': Permission denied

Mar 28 15:33:44 cynosure kernel: audit(1143585224.975:1730): avc:  denied  {
associate } for  pid=7214 comm="mv" name="install.log"
scontext=system_u:object_r:file_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem

Issue with underlying mount point dir?  I'll have to log out to check...



Comment 3 Daniel Walsh 2006-03-29 13:32:37 UTC
Where did the file install.log come from?  It is labeled file_t which means it
has no file context or is unlabeled?  So the question is how did this file
become unlabeled.  If you execute restorecon install.log and then mv it, it will
work.

Comment 4 Orion Poplawski 2006-03-29 16:45:48 UTC
Ah, so it's the scontext that is important here:

restorecon reset /root/install.log context
system_u:object_r:file_t->root:object_r:user_home_t
[root@cynosure ~]# mv install.log /tmp
[root@cynosure ~]# 

So, getting back to the original report:

[root@cynosure ~]# mv /etc/ld.so.conf.d/* /tmp
mv: cannot create regular file `/tmp/octave-i386.conf': Permission denied
mv: cannot create regular file `/tmp/qt-i386.conf': Permission denied
for  pid=13638 comm="mv" name="octave-i386.conf"
scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem
Mar 29 09:36:14 cynosure kernel: audit(1143650174.631:1738): avc:  denied  {
associate } for  pid=13638 comm="mv" name="qt-i386.conf"
scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=filesystem
Mar 29 09:37:05 cynosure kernel: SELinux: initialized (dev 0:11, type nfs), uses
genfs_contexts

Now, I'm not sure why this should be prevented, though I could perhaps
understand why.  But I can do:

[root@cynosure ~]# rm -f /etc/ld.so.conf.d/*
[root@cynosure ~]#

Which is essentially the same thing as far as /etc/ld.so.conf.d/ is concerned.
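
The two denials in this thread look alike but have different remedies, and comment 3 above is the key to telling them apart: for the `filesystem` class, `associate` is checked between the label of the file being placed (the scontext, here etc_t or file_t) and the label of the filesystem it lands on (the tcontext, tmpfs_t), which is why relabelling the /tmp directory itself changes nothing. A file_t source means the file has no real label and needs `restorecon`; a properly labelled source such as etc_t means policy simply has no associate rule for that type/fs pair. The following POSIX shell triage is an added example, not code from the bug report, from Fedora, or from the selinux-policy package. The AVC records it contains are constructed from the lines quoted above, joined back onto one line as the kernel actually emits them; the function and variable names are the example's own; and `sesearch` (from setools) is assumed to be available on the host, although the block only prints the command rather than running it. Which rule the 2.2.38-2 policy added is not stated on this page, so the example does not guess at it.

```shell
#!/bin/sh
# Added example (not from the bug report or Fedora's policy): triage SELinux
# "associate" denials of the kind quoted in this bug.  The AVC records below
# are constructed from the report, joined onto one line as the kernel logs them.

AVC_ETC='Mar 28 10:12:37 cynosure kernel: audit(1143565957.886:1719): avc:  denied  { associate } for  pid=25059 comm="mv" name="qt-i386.conf" scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem'
AVC_FILE_T='Mar 28 15:33:44 cynosure kernel: audit(1143585224.975:1730): avc:  denied  { associate } for  pid=7214 comm="mv" name="install.log" scontext=system_u:object_r:file_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem'

# avc_field LINE KEY: value of the KEY=... token in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the single permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc LINE: classify a denial.  Prints one of:
#   restorecon - the *source file* carries a placeholder type (file_t or
#                unlabeled_t): the file, not the mount point, needs relabelling,
#                which is the install.log case from comment 3;
#   policy     - the file is properly labelled but policy has no
#                "associate" rule between its type and the fs type
#                (the etc_t -> tmpfs_t case from the original report);
#   other      - not a filesystem:associate denial at all.
triage_avc() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    [ "$perm" = associate ] && [ "$tclass" = filesystem ] || { echo other; return 0; }
    case $stype in
        file_t|unlabeled_t) echo restorecon ;;
        *)                  echo policy ;;
    esac
}

# suggest_fix LINE PATH: print the command a practitioner would run next.
# In the "policy" case that is a sesearch query confirming the allow rule is
# absent; the actual fix is a policy update, which this example does not write.
suggest_fix() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case $(triage_avc "$1") in
        restorecon) printf 'restorecon -v %s\n' "$2" ;;
        policy)     printf 'sesearch -A -s %s -t %s -c filesystem -p associate\n' "$stype" "$ttype" ;;
        other)      printf 'not a filesystem:associate denial\n' ;;
    esac
}

# Stand-alone run: triage both constructed records.
suggest_fix "$AVC_FILE_T" /root/install.log
suggest_fix "$AVC_ETC" /etc/ld.so.conf.d/qt-i386.conf
```

Note that `mv` across filesystems preserves the source label (the file is created with its original type on the destination), which is exactly what triggers the associate check; `cp` would instead create the new file with the type that policy derives for /tmp, so a copy-then-delete can succeed where a move is denied even though the end state looks the same, as comment 4 observes for `rm`.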

Comment 6 Daniel Walsh 2006-05-09 20:38:38 UTC
Fixed in selinux-policy-2.2.38-2 in rawhide.  Will show up next week in FC5.

Comment 7 Orion Poplawski 2006-05-25 17:57:17 UTC
Confirmed.

