Bug 223265 - When upgrading to the latest tz data I get a warning in setroubleshoot
When upgrading to the latest tz data I get a warning in setroubleshoot
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2007-01-18 14:43 EST by Tom Diehl
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-22 10:13:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Screen shot showing the errors from setroubleshoot (130.82 KB, image/png)
2007-01-18 14:43 EST, Tom Diehl
no flags Details

  None (edit)
Description Tom Diehl 2007-01-18 14:43:17 EST
Description of problem:

When upgrading to the latest tz data I get a warning in setroubleshoot

Version-Release number of selected component (if applicable):


How reproducible: DO not know only upgraded once.

Steps to Reproduce:
1. yum update tzdata
Actual results: setroubleshoot pops up a wasning

Expected results: No warning

Additional info: Screen shot with details attached
Comment 1 Tom Diehl 2007-01-18 14:43:18 EST
Created attachment 145937 [details]
Screen shot showing the errors from setroubleshoot
Comment 2 Tom Diehl 2007-01-18 14:52:40 EST
Since it looks like the screen shot is unreadable here are the details in the
setroubleshoot screen:

SELinux is preventing /usr/sbin/tzdata-update (tzdata_t) "search" access to
postfix (postfix_spool_t).

SELinux denied access requested by /usr/sbin/tzdata-update. It is not expected
that this access is required by /usr/sbin/tzdata-update and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Please file a bug report against this package.

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for postfix, restorecon -v postfix. There is
currently no automatic way to allow this access. Instead, you can generate a
local policy module to allow this access - see FAQ - or you can disable SELinux
protection entirely for the application. Disabling SELinux protection is not
recommended. Please file a bug report against this package. Changing the
"tzdata_disable_trans" boolean to true will disable SELinux protection this
application: "setsebool -P tzdata_disable_trans=1."The following command will
allow this access:setsebool -P tzdata_disable_trans=1

Source Context:  user_u:system_r:tzdata_t
Target Context:  system_u:object_r:postfix_spool_t
Target Objects:  postfix [ dir ]
Affected RPM Packages:  glibc-common-2.5-10.fc6 [application]
Policy RPM:  selinux-policy-2.4.6-23.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans
Platform:  Linux tigger.tntechs.com 2.6.18-1.2869.fc6 #1 SMP Wed Dec 20 14:51:19
EST 2006 i686 athlon
Alert Count:  1
avc: denied { search } for comm="tzdata-update" dev=dm-5 egid=0 euid=0
exe="/usr/sbin/tzdata-update" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="postfix" pid=5073 scontext=user_u:system_r:tzdata_t:s0 sgid=0
subj=user_u:system_r:tzdata_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0 
Comment 3 Daniel Walsh 2007-01-18 17:08:29 EST
Fixed in 	selinux-policy-2.4.6-27.fc6
Comment 4 Daniel Walsh 2007-08-22 10:13:15 EDT
Fixed in current release

Note You need to log in before you can comment on or make changes to this bug.