Bug 353591 - SELinux is preventing /usr/sbin/smartd (fsdaemon_t) "getattr" to /usr/share/zoneinfo/GMT (unlabeled_t).
SELinux is preventing /usr/sbin/smartd (fsdaemon_t) "getattr" to /usr/share/z...
Status: CLOSED DUPLICATE of bug 391281
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-26 01:09 EDT by Tim McConnell
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-19 10:51:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tim McConnell 2007-10-26 01:09:53 EDT
Description of problem:
This is appearing 65 times in SE Troubleshooter, I tried to run the command
restorecon -v /usr/share/zoneinfo/GMT
lstat(/usr/share/zoneinfo/GMT)and received : failed: Input/output error
SELinux denied access requested by /usr/sbin/smartd. It is not expected that
this access is required by /usr/sbin/smartd and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/share/zoneinfo/GMT, restorecon -v
/usr/share/zoneinfo/GMT If this does not work, there is currently no automatic
way to allow this access. Instead, you can generate a local policy module to
allow this access
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:

Expected results:
Not to see this in SE Troubleshooter anymore.

Additional info:

Source Context:  system_u:system_r:fsdaemon_tTarget Context: 
system_u:object_r:unlabeled_tTarget Objects:  /usr/share/zoneinfo/GMT [ file
]Affected RPM Packages:  smartmontools-5.37-3.2.fc7
[application]tzdata-2007h-1.fc7 [target]Policy RPM: 
selinux-policy-2.6.4-48.fc7Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.catchall_fileHost
Name:  timmieland.privatePlatform:  Linux timmieland.private 2.6.22.9-91.fc7 #1
SMP Thu Sep 27 23:10:59 EDT 2007 i686 athlonAlert Count:  65First Seen:  Sat 13
Oct 2007 07:15:10 PM MDTLast Seen:  Thu 25 Oct 2007 10:51:23 PM MDTLocal ID: 
241bb63e-542c-47f9-a4d8-caa51a165315Line Numbers:  Raw Audit Messages :avc:
denied { getattr } for comm="smartd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/smartd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="GMT"
path="/usr/share/zoneinfo/GMT" pid=2894 scontext=system_u:system_r:fsdaemon_t:s0
sgid=0 subj=system_u:system_r:fsdaemon_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-10-26 08:50:22 EDT
Is this file on a different file system?

Try 
#setenforce 0
restorecon -R -v /usr/share/zoneinfo/GMT
#setenforce 1


Comment 2 Tim McConnell 2007-10-26 20:45:15 EDT
(In reply to comment #1)
> Is this file on a different file system?
Not that I know of, if I run:
locate /usr/share/zoneinfo/GMT
/usr/share/zoneinfo/GMT
/usr/share/zoneinfo/GMT+0
/usr/share/zoneinfo/GMT-0
/usr/share/zoneinfo/GMT0
 
> Try 
> #setenforce 0
> restorecon -R -v /usr/share/zoneinfo/GMT
> #setenforce 1
> 
> 
> 
Tried it and got
setenforce 0
restorecon -R -v /usr/share/zoneinfo/GMT
restorecon: /usr/share/zoneinfo/GMT: Input/output error
restorecon -R -v /usr/share/zoneinfo/GMT
restorecon: /usr/share/zoneinfo/GMT: Input/output error
setenforce 1

I also ran ./autorelabel; reboot and no change. 
Comment 3 Daniel Walsh 2007-10-29 23:03:52 EDT
Any ideas?
Comment 4 Tim McConnell 2007-10-30 23:22:13 EDT
(In reply to comment #3)
> Any ideas?

I've tried installing the debug package for smartmontools, maybe that will show
something. 
Comment 5 Daniel Walsh 2007-10-31 07:47:04 EDT
I think the problem is you have either something bad on the disk os something
wrong with your system.  The system is not allowing you to set the extended
attributes on a file.

What does 
chcon system_u:object_r:locale_t /usr/share/zoneinfo/GMT
Get you?

What does 
# lsattr /usr/share/zoneinfo/GMT
-------------- /usr/share/zoneinfo/GMT

Show?
Comment 6 Daniel Walsh 2007-11-19 10:51:50 EST
I take it this bug has been fixed?
Comment 7 Tim McConnell 2007-11-19 19:38:41 EST
(In reply to comment #6)
> I take it this bug has been fixed?

No it hasn't been fixed. Sorry about the delay in the reply. 
In answer to your earlier questions: 
[root@timmieland ~]# chcon system_u:object_r:locale_t /usr/share/zoneinfo/GMT
chcon: /usr/share/zoneinfo/GMT: No such file or directory
[root@timmieland ~]# lsattr /usr/share/zoneinfo/GMT
lsattr: No such file or directory while trying to stat /usr/share/zoneinfo/GMT


SE trouble shooter still shows:
Summary
    SELinux is preventing /usr/sbin/smartd (fsdaemon_t) "getattr" to
    /usr/share/zoneinfo/GMT (unlabeled_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/smartd. It is not expected that
    this access is required by /usr/sbin/smartd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /usr/share/zoneinfo/GMT,
    restorecon -v /usr/share/zoneinfo/GMT If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:fsdaemon_t
Target Context                system_u:object_r:unlabeled_t
Target Objects                /usr/share/zoneinfo/GMT [ file ]
Affected RPM Packages         smartmontools-5.37-3.2.fc7 [application]tzdata-
                              2007h-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-48.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     timmieland.private
Platform                      Linux timmieland.private 2.6.22.9-91.fc7 #1 SMP
                              Thu Sep 27 23:10:59 EDT 2007 i686 athlon
Alert Count                   10
First Seen                    Sun 28 Oct 2007 09:11:42 PM MDT
Last Seen                     Tue 30 Oct 2007 09:45:06 PM MDT
Local ID                      4856488f-40de-4594-9119-fdc35bac88be
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="smartd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/smartd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="GMT"
path="/usr/share/zoneinfo/GMT" pid=2934 scontext=system_u:system_r:fsdaemon_t:s0
sgid=0 subj=system_u:system_r:fsdaemon_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0

Maybe I should file a bug against Audit or tzdata, as it appears to be an issue
with those programs? 
Comment 8 Daniel Walsh 2007-11-20 08:19:26 EST
Could you try to reinstall

tzdata package.  Seems that something went wrong with this package.  
Comment 9 Tim McConnell 2007-11-20 23:22:50 EST
Tried to remove it for re-installing and I received a list of dependencies a
hundred miles long followed by "This transaction would cause yum to be removed.
This package is vital for the basic operation of your system. If you really want
to remove it, edit the list of protected packages in the file
/etc/sysconfig/protected-packages or in the directory
/etc/sysconfig/protected-packages.d or use the --override-protection
command-line option." So short of doing a OS re-install I don't think that's
going to happen .    
Comment 10 Daniel Walsh 2007-11-21 08:59:00 EST

*** This bug has been marked as a duplicate of 391281 ***

Note You need to log in before you can comment on or make changes to this bug.