Bug 223265 - When upgrading to the latest tz data I get a warning in setroubleshoot
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-01-18 19:43 UTC by Tom Diehl
Modified: 2007-11-30 22:11 UTC (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:13:15 UTC

Attachments:
Screen shot showing the errors from setroubleshoot (130.82 KB, image/png)
2007-01-18 19:43 UTC, Tom Diehl

Description Tom Diehl 2007-01-18 19:43:17 UTC
Description of problem:

When upgrading to the latest tz data I get a warning in setroubleshoot


Version-Release number of selected component (if applicable):

selinux-policy-2.4.6-23.fc6
glibc-common-2.5-10.fc6
tzdata-2006p-1.fc6

How reproducible: Do not know, only upgraded once.


Steps to Reproduce:
1. yum update tzdata

Actual results: setroubleshoot pops up a warning


Expected results: No warning


Additional info: Screen shot with details attached

Comment 1 Tom Diehl 2007-01-18 19:43:18 UTC
Created attachment 145937
Screen shot showing the errors from setroubleshoot

Comment 2 Tom Diehl 2007-01-18 19:52:40 UTC
Since it looks like the screen shot is unreadable, here are the details in the
setroubleshoot screen:

SELinux is preventing /usr/sbin/tzdata-update (tzdata_t) "search" access to
postfix (postfix_spool_t).

SELinux denied access requested by /usr/sbin/tzdata-update. It is not expected
that this access is required by /usr/sbin/tzdata-update and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Please file a bug report against this package.

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for postfix, restorecon -v postfix. There is
currently no automatic way to allow this access. Instead, you can generate a
local policy module to allow this access - see FAQ - or you can disable SELinux
protection entirely for the application. Disabling SELinux protection is not
recommended. Please file a bug report against this package. Changing the
"tzdata_disable_trans" boolean to true will disable SELinux protection this
application: "setsebool -P tzdata_disable_trans=1."

The following command will allow this access:
setsebool -P tzdata_disable_trans=1

Source Context:  user_u:system_r:tzdata_t
Target Context:  system_u:object_r:postfix_spool_t
Target Objects:  postfix [ dir ]
Affected RPM Packages:  glibc-common-2.5-10.fc6 [application]
Policy RPM:  selinux-policy-2.4.6-23.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans
Platform:  Linux tigger.tntechs.com 2.6.18-1.2869.fc6 #1 SMP Wed Dec 20 14:51:19
EST 2006 i686 athlon
Alert Count:  1
avc: denied { search } for comm="tzdata-update" dev=dm-5 egid=0 euid=0
exe="/usr/sbin/tzdata-update" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="postfix" pid=5073 scontext=user_u:system_r:tzdata_t:s0 sgid=0
subj=user_u:system_r:tzdata_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0 
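
A way to triage the AVC record in comment 2, as an added example that is not part of the original bug report: the parser below extracts the source type, target type, object class and permission, and renders them in type-enforcement rule form so a reviewer can decide whether policy should allow the access or stop auditing it. The function names and the joined sample line are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the AVC record from comment 2, joined onto one line.
SAMPLE = (
    'avc: denied { search } for comm="tzdata-update" dev=dm-5 egid=0 euid=0 '
    'exe="/usr/sbin/tzdata-update" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="postfix" pid=5073 scontext=user_u:system_r:tzdata_t:s0 sgid=0 '
    'subj=user_u:system_r:tzdata_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0'
)

AVC_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')

def parse_avc(record):
    """Return a dict describing one AVC record, or raise ValueError."""
    m = AVC_HEAD.search(" ".join(record.split()))  # undo line wrapping
    if not m:
        raise ValueError("not an AVC record")
    result, perms, rest = m.groups()
    fields = {}
    for token in shlex.split(rest):  # shlex keeps quoted values intact
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    for need in ("scontext", "tcontext", "tclass"):
        if need not in fields:
            raise ValueError("missing field: " + need)
    return {"result": result, "perms": perms.split(), "fields": fields,
            "source_type": context_type(fields["scontext"]),
            "target_type": context_type(fields["tcontext"]),
            "tclass": fields["tclass"]}

def context_type(context):
    """user:role:type[:level] -> type (the level may itself contain ':')."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]

def te_rule(avc, keyword="allow"):
    """Render the access vector as a type-enforcement rule for review."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{keyword} {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_text};"

if __name__ == "__main__":
    print(te_rule(parse_avc(SAMPLE)))
```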

Comment 3 Daniel Walsh 2007-01-18 22:08:29 UTC
Fixed in selinux-policy-2.4.6-27.fc6

Comment 4 Daniel Walsh 2007-08-22 14:13:15 UTC
Fixed in current release
