Bug 309351 – SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "read" to (man_t).

Bug 309351 - SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "read" to (man_t).

Summary:	SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "read" to (man_t).

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	8
Hardware:	x86_64 Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-09-27 13:16 EDT by Matthew Saltzman
Modified:	2008-01-30 14:07 EST (History)
CC List:	0 users

See Also:
Fixed In Version:	Current
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-01-30 14:07:03 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Matthew Saltzman 2007-09-27 13:16:28 EDT

Description of problem:
SELinux denied access requested by /usr/sbin/tmpwatch. It is not expected that
this access is required by /usr/sbin/tmpwatch and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-13.fc8

How reproducible:
Sometimes

Steps to Reproduce:
1. /etc/crond.daily/tmpwatch
2.
3.
  
Actual results:
Access violation

Expected results:
No access violation

Additional info:
Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:man_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-1 [application]
Policy RPM:  selinux-policy-3.0.8-13.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  valkyrie.localdomain
Platform:  Linux valkyrie.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24
21:42:57 EDT 2007 x86_64 x86_64
Alert Count:  18
First Seen:  Thu 27 Sep 2007 11:47:39 AM EDT
Last Seen:  Thu 27 Sep 2007 11:47:39 AM EDTLocal
ID:  10a16c25-ed1e-4246-8526-496e8cf93e6b
Line Numbers:  
Raw Audit Messages :avc: denied { read } for comm=tmpwatch dev=dm-0 egid=0
euid=0 exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=cat1
pid=12671 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:man_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-09-27 14:27:44 EDT

Any idea why tmpreaper would be reading the man directories?

Comment 2 Matthew Saltzman 2007-09-27 15:14:39 EDT

The Daily tmpwatch script is:

#! /bin/sh
/usr/sbin/tmpwatch -x /tmp/.X11-unix -x /tmp/.XIM-unix -x /tmp/.font-unix \
        -x /tmp/.ICE-unix -x /tmp/.Test-unix 10d /tmp
/usr/sbin/tmpwatch 30d /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
        /usr/sbin/tmpwatch -f 30d "$d"
    fi
done

So I guess it's the /var/cache/man and/or /var/catman directories that are at issue.

Comment 3 Daniel Walsh 2007-09-27 15:36:59 EDT

Fixed in selinux-policy-3.0.8-15.fc8.src.rpm

Comment 4 Daniel Walsh 2008-01-30 14:07:03 EST

Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.

Note You need to log in before you can comment on or make changes to this bug.