Bug 334641 - tmpwatch should be able to getattr anything
tmpwatch should be able to getattr anything
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-16 11:30 EDT by Tomas Mraz
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-17 08:59:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Mraz 2007-10-16 11:30:24 EDT
Here is what setroubleshoot reports on my rawhide machine:

Summary
    SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to
    /tmp/gdb.txt (sysadm_home_dir_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/tmpwatch. It is not expected
    that this access is required by /usr/sbin/tmpwatch and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /tmp/gdb.txt, restorecon -v
    /tmp/gdb.txt If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:sysadm_home_dir_t
Target Objects                /tmp/gdb.txt [ file ]
Affected RPM Packages         tmpwatch-2.9.11-1 [application]
Policy RPM                    selinux-policy-3.0.8-22.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     vespa.kabelta.loc
Platform                      Linux vespa.kabelta.loc 2.6.23-0.187.rc6.git7.fc8
                              #1 SMP Tue Sep 18 17:29:48 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 16 Oct 2007 03:39:42 PM CEST
Last Seen                     Tue 16 Oct 2007 03:39:42 PM CEST
Local ID                      d08de7a1-cf28-49b0-886b-bf4a1d0da047
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=tmpwatch dev=dm-0 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/tmp/gdb.txt
pid=8841 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:sysadm_home_dir_t:s0 tty=(none) uid=0

I think that tmpwatch should be able to getattr file with any context and remove
anything in tmp_t directories.
Comment 1 Daniel Walsh 2007-10-16 22:41:48 EDT
That is not the way SELinux works.  If you moved /etc/shadow to /tmp.  it would
need to be able to remove shadow_t  Which would allow it to wipe out the shadow
file.

This looks like you moved something from /root to /tmp.  And it is causing the avc.
Comment 2 Tomas Mraz 2007-10-17 03:21:36 EDT
How would it allow to wipe shadow file if it is in /etc? /etc doesn't have tmp_t
so tmpwatch cannot remove anything there. tmpwatch should be simply able to
remove anything from tmp_t directory. You're trying to restrict it too much.

If I put anything in /tmp being it something originally from /root or /etc or
whatever I cannot expect it to stay there forewer. Of course tmpwatch shouldn't
be able to read the contents of files in /tmp.
Comment 3 Daniel Walsh 2007-10-17 08:59:07 EDT
Again you might be right, but that is not the way SELinux works.  The kernel
gets a requiest for tmpreaper_t to delete shadow_t or in this case
sysadm_home_dir_t.  It does not check if somewhere in the path there is a tmp_t
and that is ok.

So it gets denied because tmpreaper_t can not delete sysadm_home_dir_t no matter
where they are found.

I don't see how this can be fixed.

Note You need to log in before you can comment on or make changes to this bug.